This repository has been archived by the owner on Aug 21, 2022. It is now read-only.

Error installing dev requirements due to require-hash mode #70

Closed
marcelloromani opened this issue Jan 20, 2021 · 9 comments · Fixed by #71
Labels
bug Something isn't working

Comments

@marcelloromani
Collaborator

Describe the bug

Installing dev requirements fails at pip_tools-5.3.1

To Reproduce
Steps to reproduce the behavior:

  1. setup virtualenv

```
virtualenv venv
. venv/bin/activate
```

  2. Install dev requirements as per README

```
python3 -m pip install -r requirements_dev.txt
```

  3. Error:

```
ERROR: Hashes are required in --require-hashes mode, but they are missing from some requirements. Here is a list of those requirements along with the hashes their downloaded archives actually had. Add lines like these to your requirements files to prevent tampering. (If you did not enable --require-hashes manually, note that it turns on automatically when any package has a hash.)
    pip-tools==5.3.1 --hash=sha256:73787e23269bf8a9230f376c351297b9037ed0d32ab0f9bef4a187d976acc054
```

Expected behavior

All requirements installed successfully.

Desktop (please complete the following information):

  • OS: MacOS Big Sur 11.1
@marcelloromani
Collaborator Author

Adding the hash to pip-tools in requirements_dev.txt got me past it:

```
pip-tools==5.3.1  --hash=sha256:73787e23269bf8a9230f376c351297b9037ed0d32ab0f9bef4a187d976acc054
```

@marcelloromani
Collaborator Author

Then I encountered a different error:

```
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    black from https://files.pythonhosted.org/packages/dc/7b/5a6bbe89de849f28d7c109f5ea87b65afa5124ad615f3419e71beb29dc96/black-20.8b1.tar.gz#sha256=1c02557aa099101b9d21496f8a914e9ed2222ef70336404eeeac8edba836fbea (from -r requirements_dev.txt (line 7))
```

Fix:

```
black==20.8b1 --hash=sha256:1c02557aa099101b9d21496f8a914e9ed2222ef70336404eeeac8edba836fbea
```

@marcelloromani
Collaborator Author

marcelloromani commented Jan 20, 2021

Next error:

```
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    click>=7.1.2 from https://files.pythonhosted.org/packages/d2/3d/fa76db83bf75c4f8d338c2fd15c8d33fdd7ad23a9b5e57eb6c5de26b430e/click-7.1.2-py2.py3-none-any.whl#sha256=dacca89f4bfadd5de3d7489b7c8a566eee0d3676333fbb50030263894c38c0dc (from black==20.8b1->-r requirements_dev.txt (line 7))
```

Fix:

```
pip install click
```

@marcelloromani
Collaborator Author

marcelloromani commented Jan 20, 2021

It looks like I'm down the rabbit hole of version- and hash-pinning all dev packages and dependencies.
The issue seems to be that dev requirements are not hashed. I must be missing something simple.

@marcelloromani marcelloromani changed the title Error installing dev requirements Error installing dev requirements due to require-hash mode Jan 20, 2021
@marcelloromani
Collaborator Author

Removing -r requirements.txt allowed me to successfully install the dev requirements:

 $ git diff 
diff --git a/requirements_dev.txt b/requirements_dev.txt
index 4929dba..6155c2a 100644
--- a/requirements_dev.txt
+++ b/requirements_dev.txt
@@ -1,5 +1,3 @@
--r requirements.txt
-
 # Automated checks related
 pip
 pre-commit
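
Review bot: removing the `-r requirements.txt` include at the top of requirements_dev.txt sidesteps the error rather than fixing it. The error text above says hash-checking mode turns on as soon as any requirement has a hash, so the install now succeeds only because the hashed file is no longer read; the entries still visible here (`pip`, `pre-commit`) stay unpinned and unverified, and a dev install no longer pulls in the runtime requirements. Consider keeping the include and giving every dev entry an `==` pin and a `--hash=` value instead.
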
 $ pip install -r requirements_dev.txt 

@marcelloromani
Collaborator Author

The real problem lies within requirements.txt

```
$ pip install -r requirements.txt

ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    appnope from https://files.pythonhosted.org/packages/e4/fa/0c6c9786aa6927d12d100d322588e125e6ed466ab0a3d2d509ea18aeb56d/appnope-0.1.2-py2.py3-none-any.whl#sha256=93aa393e9d6c54c5cd570ccadd8edad61ea0c4b9ea7a01409020c9aa019eb442 (from ipython==7.18.1->-r requirements.txt (line 311))
```

@marcelloromani
Collaborator Author

These steps fixed the "required hash mode" issues for me:

```
$ python -m pip install --upgrade pip-tools
```

  • Update the requirements file as per the instructions inside the requirements.txt file itself:

```
$ pip-compile --allow-unsafe --generate-hashes requirements.txt
```

  • Install the requirements:

```
$ pip install -r requirements.txt
```

This brought me to the next issue which I'll address next:

```
clang: error: invalid version number in 'MACOSX_DEPLOYMENT_TARGET=11.0'
```

@marcelloromani
Collaborator Author

Note: after running pip-compile --allow-unsafe --generate-hashes requirements.txt, the requirements.txt file is updated. I'm not sure whether that should go into a PR or everyone has their own version due to differences in local environments.

Probably the version in master was generated inside the environment set up by the Dockerfile?
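
The two rules pip enforced throughout this thread (every requirement pinned with `==` and carrying a `--hash`), checked ahead of install time; this is an added example, not part of the original issue or the project's code. The `audit` helper and the `SAMPLE` file contents are constructed for illustration, and only plain `name==version` lines are handled (URL and local-path requirements are out of scope).

```python
import re

# Constructed sample modelled on lines quoted in the thread (not the project's real file).
SAMPLE = """\
-r requirements.txt
# Automated checks related
pip
pre-commit
pip-tools==5.3.1
black==20.8b1 \\
    --hash=sha256:1c02557aa099101b9d21496f8a914e9ed2222ef70336404eeeac8edba836fbea
click>=7.1.2
"""

# name, optional [extras], then == (or ===) and a concrete version with no wildcard
PINNED = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*===?\s*[^\s;*]+(?=\s|;|$)")
HASH = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-f]+")


def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line


def audit(text):
    """Return (requirement, problem) pairs that hash-checking mode would reject."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):  # option lines such as -r or --index-url
            continue
        name = re.split(r"[\s=<>!~;\[]", line, maxsplit=1)[0]
        if not PINNED.match(line):
            findings.append((name, "not pinned with =="))
        elif not HASH.search(line):
            findings.append((name, "missing --hash"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

The check sees only what is written in the file; transitive dependencies such as `click` and `appnope` in the errors above must also be listed with hashes, which is what the `pip-compile --generate-hashes` run in the thread produces.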
