python3: Use hash-checking mode when installing host pip packages

In hash-checking mode[1], pip will verify downloaded package archives (source tarballs in our case) against known SHA256 hashes before installing the packages. As a consequence, this requires the use of requirements files[2] and pinning packages to known versions. The syntax for package Makefiles has changed slightly; HOST_PYTHON3_PACKAGE_BUILD_DEPENDS no longer accepts requirement specifiers like "foo>=1.0", only requirements file names (which are the same as package names in the most common case). This also updates affected packages, in particular: * python-zipp: "setuptools_scm[toml]" has been split into "setuptools-scm toml" to reuse the requirements file for setuptools-scm (the extra depends installed by "setuptools_scm[toml]" is toml). * python-pycparser: This previously used ply 3.10, whereas the requirements file will now install 3.11. [1]: https://pip.pypa.io/en/stable/reference/pip_install/#hash-checking-mode [2]: https://pip.pypa.io/en/stable/user_guide/#requirements-files Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2025-12-20 09:31:20 +00:00 · 2020-08-15 14:33:30 +08:00
parent 6855683e3e
commit 722a5b8efa
17 changed files with 65 additions and 18 deletions
--- a/lang/python/python-cryptography/Makefile
+++ b/lang/python/python-cryptography/Makefile
@@ -21,7 +21,7 @@ PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>, Alexandru Ardelean <ardeleana
 PKG_BUILD_DEPENDS:=libffi/host
 PKG_BUILD_PARALLEL:=0

-HOST_PYTHON3_PACKAGE_BUILD_DEPENDS:="cffi>=1.8,!=1.11.3"
+HOST_PYTHON3_PACKAGE_BUILD_DEPENDS:=cffi  # cffi>=1.8,!=1.11.3

 include ../pypi.mk
 include $(INCLUDE_DIR)/package.mk