
It is possible to build Gridsync binary packages with conflicting dependencies #434

@crwood

Description


Gridsync's pyinstaller-merged make target (which points to the pyinstaller tox testenv) presently installs dependencies from Gridsync, Tahoe-LAFS, and Magic-Folder into the same virtualenv before creating a PyInstaller multipackage bundle. While the Gridsync project currently takes great care to ensure that all Python dependencies -- including transitive dependencies -- are pinned and hashed (in order to, e.g., prevent dependencies from shifting during buildtime -- or even in order to detect certain supply chain attacks), it remains possible that a future revision of one of these applications may require a dependency that conflicts with the dependencies of the other two. Because one should not ship software whose dependencies have not been properly fulfilled, additional checks/tests should be put in place at build time to ensure that builds proceed if and only if all dependencies have actually been met. A simple pip check call before running PyInstaller should be sufficient to demonstrate whether such conflicts exist.
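To make concrete what such a build-time gate actually verifies, here is an added example (not Gridsync's code, and not a substitute for running `pip check` itself) that reimplements the core of `pip check`: every installed distribution's declared requirements must be satisfied by the versions that are actually present in the environment. The version comparison is a deliberately simplified subset of PEP 440 (dotted integers only, no pre-release or epoch handling) and requirements carrying an environment marker or extra are skipped; `importlib.metadata` is real standard-library API, while `SAMPLE_ENV` and its package versions are constructed to illustrate the three-application conflict the issue anticipates.

```python
"""Minimal stand-in for `pip check`: verify that each installed distribution's
declared requirements are met by what is installed in the same environment.
Added example, not Gridsync's own code. Version handling is a simplified
subset of PEP 440 (dotted integers; no pre-release, local or epoch parts)."""
import re
from importlib import metadata

# "==1.2", ">= 3", "<2.0" ... (comma-separated list inside a requirement)
_SPEC_RE = re.compile(r"\s*(==|!=|<=|>=|<|>)\s*([0-9][0-9a-zA-Z.]*)")
# "Name[extra] <specifiers>" (the part before any ';' marker)
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")


def _norm(name):
    """Normalise a distribution name the way packaging tools compare them."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _vtuple(version):
    """'22.4.0' -> (22, 4); trailing zeros are dropped so '2' == '2.0'."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def _satisfies(version, spec):
    """True if `version` meets every clause of `spec` ('' means no constraint)."""
    v = _vtuple(version)
    for op, wanted in _SPEC_RE.findall(spec):
        w = _vtuple(wanted)
        ok = {"==": v == w, "!=": v != w, "<=": v <= w,
              ">=": v >= w, "<": v < w, ">": v > w}[op]
        if not ok:
            return False
    return True


def parse_requirement(req):
    """Split "Foo[extra] >=1.0,<2 ; extra == 'x'" into (name, spec, marker)."""
    body, _, marker = req.partition(";")
    m = _REQ_RE.match(body)
    return _norm(m.group(1)), m.group(2).strip(), marker.strip()


def find_conflicts(installed):
    """installed: {name: (version, [requirement strings])}.
    Returns a list of (requirer, problem) pairs; empty means consistent."""
    inst = {_norm(k): (ver, reqs) for k, (ver, reqs) in installed.items()}
    problems = []
    for name, (_, reqs) in sorted(inst.items()):
        for req in reqs:
            dep, spec, marker = parse_requirement(req)
            if marker:  # simplification: skip extras / conditional requirements
                continue
            if dep not in inst:
                problems.append((name, f"requires {dep}{spec}, which is not installed"))
            elif not _satisfies(inst[dep][0], spec):
                problems.append((name, f"requires {dep}{spec}, but {dep} "
                                       f"{inst[dep][0]} is installed"))
    return problems


def check_environment():
    """Run the same check over the live interpreter's installed metadata."""
    installed = {}
    for dist in metadata.distributions():
        installed[dist.metadata["Name"] or ""] = (dist.version, dist.requires or [])
    return find_conflicts(installed)


# Constructed sample: three applications bundled into one virtualenv that
# disagree on a shared transitive dependency (versions are made up).
SAMPLE_ENV = {
    "gridsync": ("0.1.0", ["tahoe-lafs", "magic-folder", "twisted>=21.0"]),
    "tahoe-lafs": ("1.0.0", ["twisted>=19.10", "foolscap>=0.1"]),
    "magic-folder": ("1.0.0", ["tahoe-lafs", "twisted<21.0"]),
    "twisted": ("22.4.0", []),
    "foolscap": ("1.0.0", []),
}

if __name__ == "__main__":
    import sys
    found = find_conflicts(SAMPLE_ENV)
    for who, what in found:
        print(f"{who}: {what}")
    # A build gate would run this (or `pip check`) and refuse to continue on 1.
    sys.exit(1 if found else 0)
```

Run as a script, the sample reports `magic-folder: requires twisted<21.0, but twisted 22.4.0 is installed` and exits non-zero, which is exactly the signal a tox or make step needs in order to stop before PyInstaller is invoked; `check_environment()` applies the same logic to whatever is actually installed in the build virtualenv.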
