Error: these packages do not match the hashes from the requirements file

As reported in this issue on GitHub, pip install occasionally fails with the following error in CI jobs:

ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE.
If you have updated the package versions, please update the hashes.
Otherwise, examine the package contents carefully; someone may have tampered with them.

Is there any investigation going on regarding this issue?

Thanks

Is this a pypi.org availability issue? pip’s own test suite also recently had many occasions due to pypi.org not being accessible intermittently. The reports are conflicting on when the issue started. Your linked actions/virtual-environments#1354 says in the past week, while pypa/pip#8510 was reported in June. This seems to hint that this is not a pip implementation issue (since that would have started impacted people at approximately the same time), but a network issue that only occasionally happens.

Hi,

We have seen those issues since a little over 15 days roughly, the first build for us breaking in a similar way is this one I think: https://github.com/colour-science/colour/actions/runs/182245844 and since then almost all of them fail systematically: https://github.com/actions/virtual-environments/issues/1343

I’m suspecting that something on Pypi forcibly terminates connections if too many concurrent ones happen, e.g. DDOS protection. It would be great to be in touch with them, is there any official contact?

Cheers,

Thomas

1 Like

Hi, PyPI admin here. If you want to reach out to us in the future you can email admin@pypi.org or file an issue via https://pypi.org/help/#feedback.

Regarding this issue, we have gotten some user reports to this effect as well: https://github.com/pypa/warehouse/issues/8330. This seems to possibly be limited to GitHub actions.

We don’t have anything like this :slight_smile:. I think it’s unlikely that this is due to something from our CDN / backend. I can’t correlate this with any known issues or failures that we’re capturing.

1 Like

Thanks @dustin, this is great and super helpful, thanks for checking things on your side!