Hashin fails to use ABI binaries (PEP 425)

[chrispbailey]

I found this trying to install cryptography. It publishes an ABI3 which pip uses on a python 3.6 system

/tmp > virtualenv -p python3.6 ve
Running virtualenv with interpreter /usr/bin/python3.6
Using base prefix '/usr/local/lib/python3.6.2'
New python executable in /tmp/ve/bin/python3.6
Also creating executable in /tmp/ve/bin/python
Installing setuptools, pip, wheel...done.

/tmp > ve/bin/pip install cryptography==2.2.2
Collecting cryptography==2.2.2
  Using cached cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl
Collecting idna>=2.1 (from cryptography==2.2.2)
  Using cached idna-2.6-py2.py3-none-any.whl
Collecting six>=1.4.1 (from cryptography==2.2.2)
  Using cached six-1.11.0-py2.py3-none-any.whl
Collecting asn1crypto>=0.21.0 (from cryptography==2.2.2)
  Using cached asn1crypto-0.24.0-py2.py3-none-any.whl
Collecting cffi>=1.7; platform_python_implementation != "PyPy" (from cryptography==2.2.2)
  Using cached cffi-1.11.5-cp36-cp36m-manylinux1_x86_64.whl
Collecting pycparser (from cffi>=1.7; platform_python_implementation != "PyPy"->cryptography==2.2.2)
Installing collected packages: idna, six, asn1crypto, pycparser, cffi, cryptography
Successfully installed asn1crypto-0.24.0 cffi-1.11.5 cryptography-2.2.2 idna-2.6 pycparser-2.18 six-1.11.0

Annoyingly hashin doesn't choose the same version when generating it's hashes

tmp > ve/bin/hashin --verbose cryptography==2.2.2 --python-version 3.6
https://pypi.org/pypi/cryptography/json
* Found URL https://files.pythonhosted.org/packages/90/c9/3164aec0c129e0753bd92201b69f1dd859e29b243f516daab2d48557cb9f/cryptography-2.2.2-cp36-cp36m-win32.whl
*   Hash f6c821ac253c19f2ad4c8691633ae1d1a17f120d5b01ea1d256d7b602bc59887
* Found URL https://files.pythonhosted.org/packages/67/62/67faef32908026e816a74b4b97491f8b9ff393d2951820573599c105cc32/cryptography-2.2.2-cp36-cp36m-win_amd64.whl
*   Hash ba6a774749b6e510cffc2fb98535f717e0e5fd91c7c99a61d223293df79ab351
* Found URL https://files.pythonhosted.org/packages/ec/b2/faa78c1ab928d2b2c634c8b41ff1181f0abdd9adf9193211bd606ffa57e2/cryptography-2.2.2.tar.gz
*   Hash 9fc295bf69130a342e7a19a39d7bbeb15c0bcaabc7382ec33ef3b2b7d18d2f63
* Editing requirements.txt

Which means pip will fail with --require-hashes when trying to install from requirements.txt

[Changaco]

I hit the same problem. Workaround: add --python-version 3.4 to the arguments.

[peterbe]

Hi @chrispbailey
I don't know what ABI3 is.
When you specify --python-version 3.6 what did you expect it to pick out? There are no abi3 lines in the JSON for 3.6. Only for 3.4. E.g:

▶ grep abi3 crypt.json | grep 2.2.2 | grep filename
                "filename": "cryptography-2.2.2-cp34-abi3-macosx_10_6_intel.whl",
                "filename": "cryptography-2.2.2-cp34-abi3-manylinux1_i686.whl",
                "filename": "cryptography-2.2.2-cp34-abi3-manylinux1_x86_64.whl",

(note the cp34)

[peterbe]

Also interesting looking through the JSON I notice that the only cp36 is cryptography-2.2.2.tar.gz and cryptography-2.2.2-cp36-cp36m-win32.whl and cryptography-2.2.2-cp36-cp36m-win_amd64.whl.
And you're on linux.

[peterbe]

I'm on macos I and I noticed that my pip install (based on py 3.6) also prefers the 3.4 file. For me, it downloads https://files.pythonhosted.org/packages/40/87/acdcf84ce6d25a7db1c113f4b9b614fd8d707b7ab56fbf17cf18cd26a627/cryptography-2.2.2-cp34-abi3-macosx_10_6_intel.whl

So, I guess it means that pip install favors that abi3 (even though it's cp34) instead of the available wheel for cp36). Any idea why?