Strange dependency specifier behavior when using export

[alexifm]

• I am on the latest Poetry version.
• I have searched the issues of this repo and believe that this is not a duplicate.
• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

• OS version and name: macos 10.15.7
• Poetry version: 1.1.4

Issue

This is related to #30 and comes from this comment: https://github.com/python-poetry/poetry/issues/3160#issuecomment-726236225

Now though, I have a clear example of what's happening in the requirements.txt file that is breaking the install.

Here is the relevant portion of a boilerplate pyproject.toml file from poetry new

[tool.poetry.dependencies]
python = "~3.8"

[tool.poetry.dev-dependencies]
moto = "1.3.14"
python-semantic-release = "^6.4"
# cryptography = "^3.2.1"

Here is the relevant output of poetry export --dev --format=requirements.txt

cryptography==3.2.1; python_version >= "3.6" and python_full_version < "3.0.0" and sys_platform == "linux" or sys_platform == "linux" and python_version >= "3.6" and python_full_version >= "3.5.0" \
    --hash=sha256:6dc59630ecce8c1f558277ceb212c751d6730bd12c80ea96b4ac65637c4f55e7 \
...

If I create a new identical clean virtual environment (replicating a pipeline setup that uses nox or tox) and run pip install --constraint=requirements.txt moto, I will get something like this:

$ pip install --constraint=requirements.txt moto
...
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    cryptography>=2.3.0 from https://files.pythonhosted.org/packages/c4/78/6c28c899181c395d8e07778110caff21248ba97774e567e7f7895951d92e/cryptography-3.2.1-cp35-abi3-macosx_10_10_x86_64.whl#sha256=bd717aa029217b8ef94a7d21632a3bb5a4e7218a4513d2521c2a2fd63011e98b (from moto==1.3.14->-c requirements.txt (line 387))

If I uncomment the cryptography dependency, the relevant line in the requirements.txt file will become:

cryptography==3.2.1; (python_version >= "2.7" and python_full_version < "3.0.0") or (python_full_version >= "3.5.0") \
    --hash=sha256:6dc59630ecce8c1f558277ceb212c751d6730bd12c80ea96b4ac65637c4f55e7 \
...

which is a dependency pattern that looks much nicer and more sane. And the pip install ends up working fine.

Alternatively, if I remove the dependency on python-semantic-release and leave cryptography commented out, this also works. This problem appears to come from some combination a) the dependency solve between these two packages that use cryptography directly or through another dependency, b) the writing of the lock file, and c) the exporting of the lock file to requirements.

[dimbleby]

export today gives

cryptography==37.0.2 ; python_version >= "3.8" and python_version < "3.9" \
    --hash=sha256:093cb351031656d3ee2f4fa1be579a8c69c754cf874206be1d4cf3b542042804 \
...

Clearly things have moved on since cryptography 3.2.1 was the latest, without the original lockfile it's probably too hard to reproduce the exact setup reported. However this looks very clean,

Then

$ pip install --constraint=requirements.txt moto
Collecting moto
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    moto from https://files.pythonhosted.org/packages/1e/84/6e115b45be00273c7cfad5b9506b7c8a78bc7d2a11afe72517a7f6d01289/moto-1.3.14-py2.py3-none-any.whl#sha256=2b3fa22778504b45715868cad95ad458fdea7227f9005b12e522fc9c2ae0cabc

which is fair enough, that command line indeed does not provide a hash for moto.

So far as I can tell, there's no problem remaining here.

[colindean]

I've been seeing something like this for quite a while in my projects, but it's nearly always google-api-core that is the culprit:

ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    google-api-core[grpc]!=2.0.*,!=2.1.*,!=2.2.*,!=2.3.*,!=2.4.*,!=2.5.*,!=2.6.*,!=2.7.*,<3.0.0,>=1.34.1 from https://artifactory.mycompany.com/artifactory/api/pypi/pypi-remote/packages/packages/77/ad/f73cf9fe9bd95918502b270e3ddb8764e4c900b3bbd7782b90c56fac14bb/google_api_core-2.26.0-py3-none-any.whl#sha256=2b204bd0da2c81f918e3582c48458e24c11771f987f6258e6e227212af78f3ed (from google-cloud-aiplatform==1.119.0->-r /app/requirements.txt (line 419))
error building image: error building stage: failed to execute command: waiting for process to exit: exit status 1

Notice how many installed packages could be the ones that are demanding the grpc extra, I'm assuming based on what packages may be wanting grcpio:

$ poetry show --why --tree grpcio
google-api-core 2.26.0 Google API client core library
├── grpcio >=1.49.1,<2.0.0
│   └── typing-extensions >=4.12,<5.0 
└── grpcio >=1.33.2,<2.0.0
    └── typing-extensions >=4.12,<5.0 
googleapis-common-protos 1.70.0 Common protobufs used in Google APIs
└── grpcio >=1.44.0,<2.0.0
    └── typing-extensions >=4.12,<5.0 
grpc-google-iam-v1 0.14.2 IAM API client library
└── grpcio >=1.44.0,<2.0.0
    └── typing-extensions >=4.12,<5.0 
grpcio-status 1.75.1 Status proto mapping for gRPC
└── grpcio >=1.75.1
    └── typing-extensions >=4.12,<5.0

I'm having a heck of a time reproducing it as minimally as I'd like. I feel like this should reproduce it, but it doesn't:

[project]
name = "poetry-gh-38"
version = "0.1.0"
description = ""
authors = [
    {name = "Your Name",email = "you@example.com"}
]
readme = "README.md"
requires-python = ">=3.10"
dependencies = [
    "google-cloud-aiplatform (>=1.121.0,<2.0.0)",
    "google-cloud-pipeline-components (>=2.21.0,<3.0.0)",
    "google-api-core (==2.25.2)",
]

[tool.poetry]
package-mode = false

[tool.poetry.requires-plugins]
poetry-plugin-export = ">=1.8"

[build-system]
requires = ["poetry-core>=2.0.0,<3.0.0"]
build-backend = "poetry.core.masonry.api"

# minus a source setting for my company's internal PyPi mirror.

This gets MUCH closer to the deps in the real projects experiencing the issue regularly:

[project]
name = "poetry-gh-38"
version = "0.1.0"
description = ""
authors = [
    {name = "Your Name",email = "you@example.com"}
]
readme = "README.md"
requires-python = ">=3.10"

[tool.poetry]
package-mode = false

[tool.poetry.dependencies]
## direct deps of direct dep I control
google-cloud-aiplatform = "^1.75.0"
google-cloud-pipeline-components = "^2.17.0"
# Google cloud storage
google-cloud-storage = ">=2.2.1,<3"
# Vertex KFP Pipelines
kfp = "^2.5.0"
## direct deps of another direct dep, over which I have less control
## obvious conflicts with the above are commented out
# kfp = { version = "^2.2.0" }
# google-cloud-aiplatform = { version = "^1.65.0" }
google-cloud-secret-manager = { version = "^2.20.0" }
google-auth = { version = "^2.30.0" }
google-auth-oauthlib = { version = "^1.2.0" }
# google-cloud-storage = { version = "^2.0.0" }
google-cloud-bigquery-storage = { version = "^2.24.0" }
google-api-python-client = { version = "^2.136.0" }

## now play with the package that seems to break everything
# google-api-core = "2.25.2"
# google-api-core = "*"

[tool.poetry.requires-plugins]
poetry-plugin-export = ">=1.8"

[build-system]
requires = ["poetry-core>=2.0.0,<3.0.0"]
build-backend = "poetry.core.masonry.api"

# minus a source setting for my company's internal PyPi mirror.

My test is using poetry export -o reqs.txt && grep grpc reqs.txt to look for anything sus as well as searching for google-cloud-aiplatform==1.119.0 but I'm not able to reproduce it reliably, even seemingly after fixing it with just a poetry update.

I speculate that it's some kind of a subtle version conflict between Google's packages in a way that Poetry isn't correctly detecting all of the possible extras.