Installer update

[dimbleby]

installer 1.0

Almost three years since making the fix, this release includes pypa/installer#186 - which was the reason for disabling record validation.

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[radoering]

I wonder how much time record validation costs and if we should make it optional. (I assume pip still does no validation?)

[dimbleby]

pypa/installer#327 should mostly mitigate extra expense I expect.

Presumably it still cannot be completely free to pass through large files twice, but I guess that the hash calculation dominates.

[dimbleby]

some ad hoc benchmarking, installing a torch wheel and many gigabytes of nvidia-cu* dependencies. Fully populated poetry cache, so we should be measuring only the time taken to copy from the cached wheel to the venv

• skip record validation, do not trust record: 36s
• validate record, do not trust record: 73s
• validate record, trust record: 60s

all on my aging laptop, your mileage may vary.

Not so much of a mitigation as I had hoped to be honest. Perhaps the installer API still is wrong, perhaps it would be better to have install() be capable of optionally reporting mismatch between the record entries that it calculates and those in the wheel.

Then we would skip content validation up-front, but get it during install.

[onyx-and-iris]

installer 1.0 also includes a fix for relpath on windows, see #10028.