As reported in this issue on GitHub, pip install occasionally fails with the following error in CI jobs:
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE.
If you have updated the package versions, please update the hashes.
Otherwise, examine the package contents carefully; someone may have tampered with them.
Is there any investigation going on regarding this issue?
Is this a pypi.org availability issue? pip’s own test suite also recently had many occasions due to pypi.org not being accessible intermittently. The reports are conflicting on when the issue started. Your linked actions/virtual-environments#1354 says in the past week, while pypa/pip#8510 was reported in June. This seems to hint that this is not a pip implementation issue (since that would have started impacting people at approximately the same time), but a network issue that only occasionally happens.
I’m suspecting that something on PyPI forcibly terminates connections if too many concurrent ones happen, e.g. DDoS protection. It would be great to be in touch with them; is there any official contact?
We don’t have anything like this. I think it’s unlikely that this is due to something from our CDN / backend. I can’t correlate this with any known issues or failures that we’re capturing.
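
For triaging a failure like the one reported in this thread, here is an added example (not written by any participant and not pip's own code) that recomputes an artifact's digest against the `--hash` values pinned on a requirements line. The `triage` helper, its result labels, the `expected_size` parameter and the sample data are assumptions of this example; a short file is treated as consistent with an interrupted download, a full-length file with a different digest as changed content.

```python
import hashlib
import re

# pip hash-checking mode pins artifacts as: name==version --hash=sha256:<hex> [...]
HASH_OPT = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<hex>[0-9a-f]+)")


def pinned_hashes(requirement_line):
    """Return {algorithm: {hex digests}} pinned on one requirements-file line."""
    pins = {}
    # Backslash line continuations are common in generated requirements files.
    for m in HASH_OPT.finditer(requirement_line.replace("\\\n", " ")):
        pins.setdefault(m.group("alg"), set()).add(m.group("hex"))
    return pins


def triage(data, requirement_line, expected_size=None):
    """Classify a downloaded artifact against its pinned hashes.

    expected_size is an assumption of this example: the byte length the index
    advertises for the file (for instance its Content-Length), if known.
    """
    pins = pinned_hashes(requirement_line)
    if not pins:
        return "no-pins"
    for alg, digests in pins.items():
        if alg not in hashlib.algorithms_available:
            continue
        if hashlib.new(alg, data).hexdigest() in digests:
            return "match"
    if expected_size is not None and len(data) < expected_size:
        # Short body: consistent with a connection cut mid-transfer.
        return "mismatch-truncated"
    # Full-length body with a different digest: inspect before trusting it.
    return "mismatch-content"


# Constructed sample: a fake "wheel" body and a requirements line pinning it.
ARTIFACT = b"constructed wheel bytes " * 64
REQ_LINE = "examplepkg==1.0 \\\n    --hash=sha256:" + hashlib.sha256(ARTIFACT).hexdigest()

if __name__ == "__main__":
    print(triage(ARTIFACT, REQ_LINE, len(ARTIFACT)))        # intact download
    print(triage(ARTIFACT[:500], REQ_LINE, len(ARTIFACT)))  # cut-off download
    print(triage(ARTIFACT[::-1], REQ_LINE, len(ARTIFACT)))  # same size, other bytes
```

In a CI job, logging the downloaded size and digest next to the pinned values on each failure shows which of the two cases is actually occurring.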