Offload more work to the underlying pip command used to install the
build requirements, so there's no need to duplicate code to handle
environment markers/extras. This is done by setting the correct options
from the finder passed in argument to `_install_build_reqs`.
* Add --require-hashes option. This is handy in deployment scripts to force application authors to hash their requirements. It is also a convenient way to get pip to show computed hashes for a virgin, unhashed requirements file. Eventually, additions to `pip freeze` should fill a superset of this use case.
* In --require-hashes mode, at least one hash is required to match for each requirement.
* Option-based requirements (--sha256=...) turn on --require-hashes mode implicitly.
* Internet-derived URL-based hashes are "necessary but not sufficient": they do not satisfy --require-hashes mode when they match, but they are still used to guard against transmission errors.
* Other URL-based requirements (#md5=...) are treated just like flag-based ones, except they don't turn on --require-hashes.
* Complain informatively, with the most devastating errors first so you don't chase your tail all day only to run up against a brick wall at the end. This also means we don't complain that a hash is missing, only for the user to find, after fixing it, that we have no idea how to even compute a hash for that type of requirement.
* Complain about unpinned requirements when hash-checking mode is on, lest they cause the user surprise later.
* Complain about missing hashes.
* Complain about requirement types we don't know how to hash (like VCS ones and local dirs).
* Have InstallRequirement keep its original Link around (original_link) so we can differentiate between URL hashes from requirements files and ones downloaded from the (untrustworthy) internet.
* Remove test_download_hashes, which is obsolete. Similar coverage is provided in test_utils.TestHashes and the various hash cases in test_req.py.
`pip download` has the same functionality as `pip install --download`,
and the behavior of `pip install --download` is preserved with a deprecation
warning. `pip install --download` will be removed in pip version 10.
because `path_to_url` is smarter than the ad-hoc code I hacked together.
In particular, it works on Windows, whereas my code didn't. This
prevents the following error on Windows:
Script result: svn import c:\users\admini~1\appdata\local\temp\pytest-27\test_freeze_svn0\workspace\scratch\version_pkg file://c:\users\admini~1\appdata\local\temp\pytest-27\test_freeze_svn0\workspace\scratch\pip-test-package-repo\trunk -m Initial import of pip-test-package
return code: 1
-- stderr: --------------------
svn: E170000: Illegal repository URL 'file://c:%5cusers%5cadmini~1%5cappdata%5clocal%5ctemp%5cpytest-27%5ctest_freeze_svn0%5cworkspace%5cscratch%5cpip-test-package-repo%5ctrunk'
Conflicts:
CHANGES.txt
tests/functional/test_install_reqs.py
tests/lib/__init__.py
tests/unit/test_req.py
Additional work - refactored tests to new style.
This is needed because the various activities that exericsing the
tests do will cause files to change inside this data directory. If
we do not make it test specific then we run into concurrency issues.