poetry 1.2.0 can't install packages from private pypi servers supporting only MD5 hashes #6301
Comments
I can work around the issue by manually installing the offending package(s) via
Duplicate #4523
@neersighted, is this really a duplicate? The behavior I've noted here is a regression from 1.1.15 to 1.2.0.
This isn't a duplicate @neersighted, I think @dimbleby also didn't read the latest comments. 1.2.0 broke poetry for a lot of its current users. Downgrading works.
Well in that case we can close #4523 and leave this one open, because 1.1 is out of support so it's only the 1.2 behaviour that's worth tracking here. Either way we only need one open issue. For real, please stop tagging me: it was borderline rude the first time and it's absurd after I've asked you to stop.
Apologies, you mentioned "don't tag me in this issue", and this is a separate issue in my eyes; I thought you hadn't read the comments above it in the other issue (as the thread changed context). I won't be tagging you anymore regarding this. I don't know the etiquette on tagging in GH, just saw you were a maintainer.
Fair enough, going with this issue as the new canon. I would like to point out that @dimbleby is NOT a Poetry maintainer -- he is a frequent contributor and an expert in many of the hairier parts of the ecosystem and codebase. However, he has expressly declined to be declared formally part of the project, and should not be pinged on issues he has not explicitly expressed interest in.
omg now you're at it...! I'm also not entirely sure about github tag etiquette and hope I don't sound too grumpy; but would y'all please allow me to unsubscribe from this problem? It just happens not to be interesting to me, that's all.
Sounds good, apologies again! Getting back to this subject, from @msscaroso on the #4523 issue
I wonder if this was the regression? It seems like in the case above the repo has both md5 and sha256, but poetry is not looking for the sha256 one. Anyhow, will get back to work. For now I'm pinned to the latest version of
😆 my bad, was meant to be a one-off. Please don't ping non-maintainers (and please don't passive-aggressively ping maintainers either, not that it happened in this thread) as it's rather rude to do so, and this issue tracker is actively monitored. We have a lot of work to do regarding duplicates, labeling, and whatnot, but that is neither here nor there right now.
For anyone desperately looking for a solution. Hopefully this helps. I certainly got real frustrated by it. On MacBook Pro M1 Pro
Downgrading
The same problem. pip install "poetry<1.2" as a temporary "fix" worked
I have a similar problem
Same problem here! Temporary solution is to pin the version to <1.2
I am also facing the same problem and this is a major blocker in adopting poetry. Getting the following error while installing a privately hosted library in Nexus.
For people suffering from this issue and using the latest (3.41.x or above) version of Sonatype Nexus for their private PyPI repository, the problem can be solved by forcing Nexus to re-create the index files for all affected packages. There is a Nexus bug where the problem is described: https://issues.sonatype.org/browse/NEXUS-34950 and the solution is to delete all files under
I did find a stupid workaround that seems to work for those using services like GemFury/Nexus that are still serving some packages with MD5 hashes only: You can't just replace the MD5 hash with the SHA256 hash in But at the moment, it appears you can have redundant file entries in The poetry internals appear to currently build a set of all hashes for a given package, so it's lenient on having multiple entries (as of current version of
I think this will fix the issue I am seeing with this poetry issue and Sonatype Nexus Repository Manager OSS
@invokermain you must upgrade Nexus to 3.41+ first, then you can:
I see a similar issue for a packagecloud.io based private package repo. However, it is with SHA1 hashes instead of MD5. The solution provided by @shea-parkes works to get around it temporarily. Manually editing the lock file every time we do a dependency update would not work long term.

```
• Installing xxxxxx (1.0.0)

RuntimeError

Retrieved digest for link xxxxxx-1.0.0.tar(sha1:...) not in poetry.lock metadata ['sha256:...']

at ~/.local/lib/python3.9/site-packages/poetry/installation/chooser.py:144 in _get_links
    140│
    141│         selected_links.append(link)
    142│
    143│     if links and not selected_links:
  → 144│         raise RuntimeError(
    145│             f"Retrieved digest for link {link.filename}({h}) not in poetry.lock"
    146│             f" metadata {hashes}"
    147│         )
    148│
```
Currently I'm facing the same issue. This issue may clarify why this issue appears. On the other hand, maybe poetry could go a step further and check which hash name the repository service is providing?
I'm using Nexus v3.37, but how is this related to Nexus?
Because Nexus prior to 3.41 doesn't report sha256 hashes, it only reports md5. AFAICT, Poetry 1.2+ does not support md5 hashes. You should upgrade to Nexus 3.44 if you need poetry 1.2+ or stick to poetry 1.1.x.
Thank you for the info. Will try to update Nexus asap. But when I look at my package on Nexus, I see that it has some checksums, not only md5 (sha1, sha256, etc), so are we sure that the issue is really related to Nexus ONLY?
Nexus stores multiple hashes for the individual backing files, but the page used to serve those files up as a PyPI index only serves up the md5sum prior to 3.41. This is technically within the PEP 503 spec https://peps.python.org/pep-0503/ however poetry does not accept what they consider to be insecure hash types. Nexus 3.44 supposedly fixes an issue with stale indices for packages uploaded prior to 3.41, but I haven't had a chance to test that it works.
After upgrading to 3.46 and reuploading my packages, it works perfectly. Thanks!
I don't want to take this too far off topic, but was reuploading necessary? Nexus documentation via https://issues.sonatype.org/browse/NEXUS-34950 implies this isn't necessary after 3.44 :-/
I've tested before reuploading with no success unfortunately. But right after the reupload, poetry succeeded in adding the package without any error.
It does work for me. Steps below
Just for clarification, when updating Nexus to 3.44+ it's not necessary to reupload all packages. There are maintenance tasks that you can run to clear and generate the simple index https://issues.sonatype.org/browse/NEXUS-36608.
For my part it worked for all packages, old or new.
Also only worked for new packages for me. Maybe the Nexus version was not high enough. In my case I reuploaded the packages.
Since disabling the new installer is now deprecated (since 1.4.0), the previous workaround should be replaced by something more solid.
So the problem comes from https://github.com/python-poetry/poetry/blame/master/src/poetry/repositories/http_repository.py#L224-L246, a change made by @abn; this ignores the hash returned by the HTTP repository and instead calculates the SHA256 variant for it. However, at https://github.com/python-poetry/poetry/blob/master/src/poetry/installation/chooser.py#LL105C1-L105C1 this transformation is not made, hence the failure here. Options:
Maintainers, should I make a PR, any preferences? For now I created a PR with the latter.
I'm not that deep into this topic. After reading several linked issues and PRs, I conclude as follows regarding the two options:
1. Respect the hash served by the server and do not recalculate. #2958 introduced the change and probably did not allow md5 because it's too weak (i.e. not secure). Further, this may result in other issues if the server is just a mirror, see #5326 (comment):
   I would consider simply allowing md5 to be a security risk. I think a config option to allow md5 that is turned off by default and maybe still prints a warning if md5 is used when turned on might be a viable option.
2. Make the same dynamic calculation in chooser. Sounds like a "simple" bugfix to me so I'd say this might make more sense. Further, it's more secure. IMO, we should prefer this solution.
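The two options discussed above, side by side, as an added example that is not poetry's own code: `served_digest_in_lock` mirrors the chooser's current lookup of the index-served digest, and `verified_by_content` mirrors option 2, recomputing sha256 over the fetched bytes so an index that serves only md5/sha1 (or no digest) still verifies against poetry.lock. The index host, the sdist bytes and the lock entry are all constructed for the demo.

```python
import hashlib
from urllib.parse import unquote, urlparse

# Algorithms poetry records in poetry.lock (only sha256 as of 1.2, per this thread).
LOCK_ALGOS = ("sha256",)

# Constructed sample: stands in for a private-index sdist and its lock-file entry.
SAMPLE_SDIST = b"constructed sdist bytes for demo-1.0.0"


def parse_link_digest(href):
    """Split a PEP 503 link fragment such as '#md5=<hex>' into (algo, hexdigest)."""
    frag = urlparse(href).fragment
    if "=" not in frag:
        return None, None
    algo, _, digest = frag.partition("=")
    return algo.lower(), unquote(digest).lower()


def index_href(filename, algo, data):
    """Build the href a PEP 503 index would serve for `data` (hypothetical host nexus.example)."""
    return f"https://nexus.example/simple/demo/{filename}#{algo}={hashlib.new(algo, data).hexdigest()}"


def lock_entry(data):
    """The sha256 entry poetry 1.2 writes into poetry.lock for `data`."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def served_digest_in_lock(href, lock_hashes):
    """Option 1 behaviour (what chooser.py does today): trust the served digest and look it
    up in the lock. Fails whenever the index serves only md5/sha1, which is this issue."""
    algo, digest = parse_link_digest(href)
    return algo is not None and f"{algo}:{digest}" in lock_hashes


def verified_by_content(href, data, lock_hashes):
    """Option 2 behaviour: if the served digest is not a lock-file algorithm, hash the fetched
    bytes with sha256 and compare that, so a weak or missing index digest never decides."""
    algo, digest = parse_link_digest(href)
    if algo in LOCK_ALGOS:
        return f"{algo}:{digest}" in lock_hashes
    if algo in hashlib.algorithms_available:
        # A served weak digest that does not even match the bytes means a stale/corrupt index.
        if hashlib.new(algo, data).hexdigest() != digest:
            return False
    return lock_entry(data) in lock_hashes
```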
@gaborbernat Do we have an estimate of when a release with this fix will be launched? Thank you.
I'm not a maintainer so can't say.
Hi all,
Joining to ask for a solution, I can't affect the private PyPI server owners
Bumping this issue. Is there any resolution to this problem yet?
Since Nexus's Jira is not available anymore (https://issues.sonatype.org/browse/NEXUS-24127 is not accessible)
BTW, it looks like if you upload a new package, older ones will be automatically updated to use sha256. But I would still run the task manually.
I'm using Nexus 3.43 and have no direct access to simply update it. For me, a fairly trivial sequence of actions helped
Issue
After upgrading from poetry 1.1.15 to 1.2.0, I can no longer `poetry install` in my dev environment - it fails on a single package. I've investigated and it looks like the problem is that with the new `poetry`, only SHA256 hashes are stored for packages in `poetry.lock`, even when the serving PyPI repository only supplies MD5 hashes.
Somehow, even though the PyPI repo serves MD5 (only) hashes, the new poetry stores a SHA256 hash in `poetry.lock` - then when I try to do `poetry install`, the MD5 hash from the retrieved package of course doesn't match the hash in the lock file, so I get:
(I've obscured the actual hashes and package-name above).
In our case, the PyPI repo server is Nexus, and not the very latest Nexus which does serve SHA256 hashes - that was only released this month, Aug 2022.