What are metadata used for ?

[Michae94]

Hey everyone,
At the bottom of the poetry.lock file, there is the list of all packages with a list of wheels for each package.

I am not sure what is the purpose of this list.

[metadata]
lock-version = "1.1"
python-versions = "^3.8"
content-hash = "XXXX"

[metadata.files]
grpcio-gcp = [
    {file = "grpcio-gcp-0.2.2.tar.gz", hash = "sha256:XXX"},
    {file = "grpcio_gcp-0.2.2-py2.py3-none-any.whl", hash = "sha256:XXX"},
]

Does anybody has link to a documentation on this part ? or could explain it ?

Especially what would happen if this list was empty for all packages (cf issues with old poetry versions : #6045)

Thanks a lot 🙏

[neersighted]

In older versions of Poetry, we kept a collection of filenames and hashes. In newer versions of Poetry (lock file format 2.0), we instead keep track of files under each package entry. In all cases these hashes are used to verify the packages retrieved from the repository match the expected values from lock time.

The other metadata fields are straightfoward -- representing the lock file format version, the Python constraint from pyproject.toml, and a hash of attributes that are known to require a re-lock.

[Michae94]

Thanks a lot for the quick detailed answer !

From my understanding then, if this part is missing, the verification part will succeed without actually verifying the hash of the packages itself.

[neersighted]

No, without hashes present the check that the a hash of the downloaded file is available in the lock file will fail, and nothing should be installable.

See moby/moby#44888 for how this happened.

[Michae94]

Quite interesting 🤔.
It looks like in our case the packages were still installed while the list of hashes were empty.

[metadata]
lock-version = "1.1"
python-versions = "^3.8"
content-hash = "XXXX"

[metadata.files]
grpcio-gcp = []

[Michae94]

However we were on poetry version 1.1.12, and we installed airflow which comes with a lot of packages already so that might the reason why.