Version 0.6.0 unexpectedly updated?

[Code0x58]

This issue may just be to save people from looking into the hash update and possibly suggest a different approach for the future

edit: this is a duplicate of #134 which explains the situation, but I missed it as I didn't look at closed issues

We are using Pipenv to pin package versions, and overnight our tests have started breaking as the hash of 0.6.0 was updated, so Pipenv won't install it:

THESE PACKAGES DO NOT MATCH THE HASHES FROM Pipfile.lock!. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pluggy==0.6.0 from https://pypi.python.org/packages/ba/65/ded3bc40bbf8d887f262f150fbe1ae6637765b5c9534bd55690ed2c0b0f7/pluggy-0.6.0-py3-none-any.whl#md5=295745cab038ef139c75aa2cdb79a5b0 (from -r /tmp/pipenv-0unxkan_-requirements/pipenv-tq0bpyzj-requirement.txt (line 1)):
        Expected sha256 7f8ae7f5bdf75671a718d2daf0a64b7885f74510bcd98b1a0bb420eb9a9d0cff
             Got        e160a7fcf25762bb60efc7e171d4497ff1d8d2d75a3d0df7a21b76821ecbf5c5

The diff after doing pipenv lock:

         "pluggy": {
             "hashes": [
-                "sha256:7f8ae7f5bdf75671a718d2daf0a64b7885f74510bcd98b1a0bb420eb9a9d0cff"
+                "sha256:714306e9b9a7b24ee4c1e3ff6463d7f652cdd30f4693121b31572e2fe1fdaea3",
+                "sha256:7f8ae7f5bdf75671a718d2daf0a64b7885f74510bcd98b1a0bb420eb9a9d0cff",
+                "sha256:d345c8fe681115900d6da8d048ba67c25df42973bda370783cd58826442dcd7c",
+                "sha256:e160a7fcf25762bb60efc7e171d4497ff1d8d2d75a3d0df7a21b76821ecbf5c5"
             ],
             "version": "==0.6.0"
         },

Looking at pypi (and github) shows that the version was originally released on 2017-11-24 last year, but the the download was updated yesterday (2018-04-15).

The diff between old and new versions of site-packages/pluggy/ + site-packages/pluggy-0.6.0.dist-info/ shows only dist info changed:

Only in /old/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/: DESCRIPTION.rst
diff -r -U2 /old/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/METADATA /new/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/METADATA
--- /old/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/METADATA	2018-04-16 10:25:11.706946134 +0100
+++ /new/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/METADATA	2018-04-10 10:43:29.612076282 +0100
@@ -1,3 +1,3 @@
-Metadata-Version: 2.0
+Metadata-Version: 2.1
 Name: pluggy
 Version: 0.6.0
@@ -7,5 +7,4 @@
 Author-email: holger@merlinux.eu
 License: MIT license
-Description-Content-Type: UNKNOWN
 Platform: unix
 Platform: linux
Only in /old/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/: metadata.json
diff -r -U2 /old/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/RECORD /new/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/RECORD
--- /old/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/RECORD	2018-04-16 10:25:11.854950468 +0100
+++ /new/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/RECORD	2018-04-10 10:43:29.648076290 +0100
@@ -1,10 +1,8 @@
 pluggy/__init__.py,sha256=OjBXPPtViBPupop97Lkq0_bUdnIOM8zDsQljVtzu52A,26010
 pluggy/callers.py,sha256=gLgZb_8v6WJITpNoBWNkooFFs7J3nN-aICri__1LN88,6750
-pluggy-0.6.0.dist-info/DESCRIPTION.rst,sha256=BOalTynOzIEw00RuOWMLp-u7FYOVI82cPnAHKuQ8znU,2251
 pluggy-0.6.0.dist-info/LICENSE.txt,sha256=0fH3v9u_cqntGTu8RVmeIQ002l5U3RgDSBXvkxsYQis,1112
-pluggy-0.6.0.dist-info/METADATA,sha256=tDPQGbpMvRYoSqJVxUQOITSYgZXwQhI8SJrDsMIXApo,3489
+pluggy-0.6.0.dist-info/METADATA,sha256=JhmZPbpOCy9UwRM6zbpDoRJmJeb4E4j-kvIYZDNbLKo,3455
 pluggy-0.6.0.dist-info/RECORD,,
-pluggy-0.6.0.dist-info/WHEEL,sha256=8Lm45v9gcYRm70DrgFGVe4WsUtUMi1_0Tso1hqPGMjA,92
-pluggy-0.6.0.dist-info/metadata.json,sha256=4Aii1Fsd3u5moWj2gNksZpyGa-qWhz0NcG2rWwCtFvo,1301
+pluggy-0.6.0.dist-info/WHEEL,sha256=J3CsTk7Mf2JNUyhImI-mjX-fmI4oDjyiXgWT4qgZiCE,110
 pluggy-0.6.0.dist-info/top_level.txt,sha256=xKSCRhai-v9MckvMuWqNz16c1tbsmOggoMSwTgcpYHE,7
 pluggy-0.6.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
diff -r -U2 /old/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/WHEEL /new/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/WHEEL
--- /old/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/WHEEL	2018-04-16 10:25:11.706946134 +0100
+++ /new/.venv/lib/python3.6/site-packages/pluggy-0.6.0.dist-info/WHEEL	2018-04-10 10:43:29.612076282 +0100
@@ -1,5 +1,6 @@
 Wheel-Version: 1.0
-Generator: bdist_wheel (0.30.0)
+Generator: bdist_wheel (0.31.0)
 Root-Is-Purelib: true
+Tag: py2-none-any
 Tag: py3-none-any

Would this have been better as a patch release, i.e. 0.6.1?

[RonnyPfannschmidt]

this was entirely a mistake in tool usage

[dantswain]

@Code0x58 I ran into the same issue. How did you get your Pipfile.lock happy again? Did you have to manually update the hashes?

[Code0x58]

@dantswain I did pipenv lock myself, but you could manually apply the Pipfile.lock diff I posted instead

[hvdklauw]

We ran into the same issue, thanks for doing the research into the changes; they look harmless, but still...

Very glad we use pipenv, a hostile hacker could have done some very nasty things otherwise.

[flazzarini]

I kinda of have the same issue when trying to install using pip. Pip exits with a ErrorCode of 1.

 
 $ ./env/bin/pip install pluggy
 Looking in indexes: https://pypi.python.org/simple
 Collecting pluggy
 
 $ echo $?
 1

[obestwalter]

@flazzarini - this looks odd. There should be more output why this went wrong.

[RonnyPfannschmidt]

pypi is mid-update - see https://status.python.org/incidents/1y1f44q6srh2

[dakotadjones]

Would this change be affecting metadata? I am using artifactory and metadata for pluggy-0.6.0-py3-none-any.whl is showing up correctly. However pluggy-0.6.0-py2-none-any.whl is not picking up and pypi info or metadata. So I can pip install py3 whl fine but can't use py2 whl at all.