Thanks, Andreas, for analysis.

I have more to add: in Zuul we rely on extra wheels. In the wild usually only on PyPI ones.
This adds more flavour to lower-constraints breakage as py3 incompats make their appearance in full, e.g.:

Collecting MarkupSafe==1.0
  Using cached MarkupSafe-1.0.tar.gz (14 kB)
    ERROR: Command errored out with exit status 1:
    Complete output (5 lines):
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-install-_vser3_6/MarkupSafe/setup.py", line 6, in <module>
        from setuptools import setup, Extension, Feature
    ImportError: cannot import name 'Feature'

-yoctozepto

On Fri, Apr 17, 2020 at 6:53 PM Andreas Jaeger <aj@suse.com> wrote:
Lower-constraints should test that the minimal requirements work together.

The way we use the install-command in tox.ini, pip often ignores the
constraints and install a newer package then requested.

First Example: cloudkitty (see [1], [2] ,[3] , [4])

The repo has:
    install_command = pip install
-c{env:UPPER_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
{opts} {packages}
and in lower-constraints.txt:
    "python-keystoneclient==1.9.0"

And this runs the test with "keystoneclient==4.0.0" [1]

Removing the install_command [3] or moving constraints from
install_command into deps [2] gives
"ERROR: Could not find a version that satisfies the requirement
python-keystoneclient==1.9.0"

So, this works as expected - but means this repo never tested what it
expected to test.

Second example: kolla-cli [5]
Removing the install_command with constraints, suddenly
lower-constraints fails with:
    "Could not find a version that satisfies the requirement mypy==0.6"

Same problem as with cloudkitty.

I fear that  every repo that has constraints in its install_command has
broken lower-constraints file. Just remove it and see that nothing works
anymore ;/

Therefore, I suggest for repos to remove install_command - the default
is just fine in newer tox (3.x) - and fix their lower-constraints.txt to
really test that the specified package versions work together.

Information about lower-constraints.txt is at [6],
Andreas

References:
[1] https://review.opendev.org/720767
[2] https://review.opendev.org/720768
[3] https://review.opendev.org/720770
[4] https://review.opendev.org/720775
[5] https://review.opendev.org/#/c/720754/3
[6] https://docs.openstack.org/project-team-guide/dependency-management.html
--
 Andreas Jaeger aj@suse.com Twitter: jaegerandi
  SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, D 90409 Nürnberg
   (HRB 36809, AG Nürnberg) GF: Felix Imendörffer
    GPG fingerprint = EF18 1673 38C4 A372 86B1  E699 5294 24A3 FF91 2ACB