-
Notifications
You must be signed in to change notification settings - Fork 772
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
uv lock should redact username and password from source #5119
Comments
Also related #1714 |
Not sure what to do here -- do we really want to strip the credentials entirely? If so, how would users install from the lockfile? |
Won't redefining the index url with the authorization in cli or environment variable work?. I see two issues
|
How are the credentials being provided in the first place here? |
Should we just omit username and password entirely then from the lockfile, in all cases? AFAICT that's the only option available to us. |
UV_INDEX_URL=https://oauth2accesstoken:${ARTIFACT_REGISTRY_TOKEN}@us-python.pkg.dev/private/private/simple/ or cli |
I presume the environment variable is being resolved by your shell then? e.g. the first case in
If so, we don't know anything about the use of an environment variable and cannot use it to template the URL. I guess we might need to encourage setting the index URL with Ideally we'd at least retain the username. However, sometimes it's ambiguous if we should use something in the username position as a password. |
If we drop the credentials from the lockfile itself, then re-run with the index URL provided as above, do we properly propagate them? |
I don't think we do any environment variable propagation today, we'd need to add that. |
We use |
I think environment variable parsing/propagation from For example, I expected this to work:
I expected In GitLab, project variables can be used as environment variables in the CI/CD pipeline. Below is a GitLab job template that installs .job-template:
image: python:3.12-alpine
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
when: never
- if: $CI_PIPELINE_SOURCE == "push"
variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
UV_CACHE_DIR: "$CI_PROJECT_DIR/.cache/uv"
cache:
key:
files:
- uv.lock
paths:
- .cache/pip
- .cache/uv
- .venv
policy: pull
- pip config set global.cert /my_company.pem
- pip config set global.index-url "https://${PYPI_USERNAME}:${PYPI_PASSWORD}@mycompany.com/repository/pypi-proxy/simple/"
- pip install uv
- uv sync |
@chrisrodrigue -- I think that's actually intended to work, I'm somewhat surprised that it doesn't. But isn't it more common for those env vars to be expanded automatically by the shell, such that the value written to the pip config does include the raw credentials? In other words: I believe that |
[tool.uv.pip]
index-url = "https://${PYPI_USERNAME}:${PYPI_PASSWORD}@mycompany.com/repository/pypi-proxy/simple/" This will not fall back to PyPI, but it's only used at all in the
|
I added #5734. |
Yes they are expanded, and the value written to the pip config shows the raw credentials. I don't think this is a security issue since the pipeline container is ephemeral. GitLab has a feature that masks the expanded variables from job logs... I assume GitHub supports a similar feature? |
But I don't think the masking extends to other files/artifacts such as the I think some solutions would be for the (1) Completely strip the username/password fields from source = { registry = "https://actual_username:actual_password@mycompany.com/repository/pypi-proxy/simple/" } to source = { registry = "https://mycompany.com/repository/pypi-proxy/simple/" } or (2) retain the environment variable name without expansion, which could provide more useful context to a user attempting to debug or reproduce the environment source = { registry = "https://${PYPI_USERNAME}:${PYPI_PASSWORD}@mycompany.com/repository/pypi-proxy/simple/" } A happy medium could be to allow user-configurability a la [tool.uv.options]
sync = ["--expand-variables"]
lock = ["--expand-variables"] |
The Hatch project has a slightly more verbose but powerful syntax for annotating paths and environment variables in config: Paths ( [tool.hatch.envs.test]
dependencies = [
"example-project @ {root:parent:parent:uri}/example-project",
] Environment variables support setting default values if they are not set, e.g. [tool.hatch.envs.test.scripts]
display = "echo {env:FOO:{env:BAR:{home}}}" |
I think (1) should be the default behaviour -- it is secure by default, and makes no assumptions as to the way the credentials were fed in (env var interpolation by shell, env var interpolation by uv, |
@paveldikov -- I tend to agree. Though we need to make sure that we're able to reconnect the credentials appropriately at install time... |
I'll be giving this some thought this week. |
eg
to
uv --version
uv 0.2.24
similar #3106
The text was updated successfully, but these errors were encountered: