Problem
Dependency hash-pinning (pip-compile --generate-hashes) cannot be completed because internal penguin-* packages are not resolvable from public PyPI at the pinned versions. Confirmed in a python:3.13-slim container:
penguin-utils: only 0.1.0 is public, but manager/backend/requirements.in requires >=0.2.0 → DistributionNotFound.
penguin-limiter: not published at all (referenced as a git URL in dns-server, and as an unsatisfiable PyPI dep >=0.1.0 in manager).
Both requirements.txt files carry the note "penguin- packages are locally installed (editable) and not yet published to PyPI"* — so the pinned requirements are not installable from public PyPI and cannot be hash-pinned. This also contradicts the standard that all penguin-libs packages are public (no private registry).
Public versions as of 2026-07-08: penguin-utils 0.1.0; penguin-dal 0.1.0/0.2.1/0.3.0; penguin-sal 0.1.0/0.2.0/0.2.1; penguin-aaa 0.1.0; penguin-licensing 0.1.0; penguin-limiter none.
Fix
- Publish
penguin-utils 0.2.0 and penguin-limiter to public PyPI.
- Then hash-pin both services:
pip-compile --generate-hashes on requirements.in (run on Python 3.13, e.g. a python:3.13 container). If any dep must remain editable/git, split hashable third-party deps from the editable penguin-* set.
- Switch Docker/CI installs to
pip install --require-hashes -r requirements.txt.
Context
Surfaced during the enterprise-hardening consolidation (PR #50). Not a deploy blocker (Docker images build on 3.13 via editable installs), but blocks reproducible, hash-verified builds.
Problem
Dependency hash-pinning (
pip-compile --generate-hashes) cannot be completed because internal penguin-* packages are not resolvable from public PyPI at the pinned versions. Confirmed in apython:3.13-slimcontainer:penguin-utils: only 0.1.0 is public, butmanager/backend/requirements.inrequires>=0.2.0→DistributionNotFound.penguin-limiter: not published at all (referenced as a git URL in dns-server, and as an unsatisfiable PyPI dep>=0.1.0in manager).Both
requirements.txtfiles carry the note "penguin- packages are locally installed (editable) and not yet published to PyPI"* — so the pinned requirements are not installable from public PyPI and cannot be hash-pinned. This also contradicts the standard that all penguin-libs packages are public (no private registry).Public versions as of 2026-07-08: penguin-utils 0.1.0; penguin-dal 0.1.0/0.2.1/0.3.0; penguin-sal 0.1.0/0.2.0/0.2.1; penguin-aaa 0.1.0; penguin-licensing 0.1.0; penguin-limiter none.
Fix
penguin-utils0.2.0 andpenguin-limiterto public PyPI.pip-compile --generate-hashesonrequirements.in(run on Python 3.13, e.g. apython:3.13container). If any dep must remain editable/git, split hashable third-party deps from the editable penguin-* set.pip install --require-hashes -r requirements.txt.Context
Surfaced during the enterprise-hardening consolidation (PR #50). Not a deploy blocker (Docker images build on 3.13 via editable installs), but blocks reproducible, hash-verified builds.