fix: missing git+http:// scheme support #6619
Conversation
|
I'm not sure about this change -- historically we have only allowed secure transports for Git, and both upstream Git and pip take steps to discourage their use:
Generally, Poetry tries to make things as secure and reproducible as possible, by enforcing check-summing, encrypted transports, etc. What is gained here that can't be solved by maintaining an intranet CA or using Let's Encrypt? |
I am completely aware of it. While insecure transport should be discouraged whenever possible, we might well happen to use the repo which is not exposed to the internet and neither secured. Aside from the ethics, poetry-core actually supports the scheme (see this). |
| @@ -64,7 +64,7 @@ def _parse_dependency_specification_url( | |||
| if not (url_parsed.scheme and url_parsed.netloc): | |||
| return None | |||
|
|
|||
| if url_parsed.scheme in ["git+https", "git+ssh"]: | |||
| if url_parsed.scheme in ["git+http", "git+https", "git+ssh"]: | |||
There was a problem hiding this comment.
Let's make this (and the list below for URL deps) a file-level constant set (e.g. GIT_URL_SCHEMES = {}, URL_SCHEMES = {}).
There was a problem hiding this comment.
It looks like simply startswith("git+") would be enough:
https://github.com/python-poetry/poetry-core/blob/e72d3e497c7d9298bdabae179e8c58e58a82903b/src/poetry/core/packages/dependency.py#L425
There was a problem hiding this comment.
git+ is not good enough as we don't support git+file:// or git+git:// -- the original approach of a set is much better.
There was a problem hiding this comment.
Yes, it's much better, but I don't think it makes much sense as long as the underlying library doesn't do in that way. I think it should surely be addressed, but I guess it's not what should be done in this PR.
There was a problem hiding this comment.
The rationale is that it's even better off sharing the same logic between poetry and poetry-core, and that should be done in the separate PR. I don't want to dig this even further, like factoring out the list never used in other places.
There was a problem hiding this comment.
This is still the correct place to make this check; the code in poetry-core is generic URL parsing and not opinionated on what URLs are valid for a Python package vs. Git in general.
I am fine to move that logic into poetry-core, but I am not fine with removing the check from Poetry before that code is ready. Even though this is a fairly off-the-beaten path concern, making things more permissive and restricting it again later is not a viable approach.
Secrus
force-pushed
the
fix-git-plain-http
branch
from
9e616c2
to
bd086ec
Compare
Secrus
force-pushed
the
fix-git-plain-http
branch
from
bd086ec
to
d3e308a
Compare
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [poetry](https://python-poetry.org/) ([source](https://github.com/python-poetry/poetry), [changelog](https://python-poetry.org/history/)) | minor | `1.5.1` -> `1.6.1` | --- ### Release Notes <details> <summary>python-poetry/poetry (poetry)</summary> ### [`v1.6.1`](https://github.com/python-poetry/poetry/blob/HEAD/CHANGELOG.md#161---2023-08-21) [Compare Source](python-poetry/poetry@1.6.0...1.6.1) ##### Fixed - Update the minimum required version of `requests` ([#​8336](python-poetry/poetry#8336)). ### [`v1.6.0`](https://github.com/python-poetry/poetry/blob/HEAD/CHANGELOG.md#160---2023-08-20) [Compare Source](python-poetry/poetry@1.5.1...1.6.0) ##### Added - **Add support for repositories that do not provide a supported hash algorithm** ([#​8118](python-poetry/poetry#8118)). - **Add full support for duplicate dependencies with overlapping markers** ([#​7257](python-poetry/poetry#7257)). - **Improve performance of `poetry lock` for certain edge cases** ([#​8256](python-poetry/poetry#8256)). - Improve performance of `poetry install` ([#​8031](python-poetry/poetry#8031)). - `poetry check` validates that specified `readme` files do exist ([#​7444](python-poetry/poetry#7444)). - Add a downgrading note when updating to an older version ([#​8176](python-poetry/poetry#8176)). - Add support for `vox` in the `xonsh` shell ([#​8203](python-poetry/poetry#8203)). - Add support for `pre-commit` hooks for projects where the pyproject.toml file is located in a subfolder ([#​8204](python-poetry/poetry#8204)). - Add support for the `git+http://` scheme ([#​6619](python-poetry/poetry#6619)). ##### Changed - **Drop support for Python 3.7** ([#​7674](python-poetry/poetry#7674)). - Move `poetry lock --check` to `poetry check --lock` and deprecate the former ([#​8015](python-poetry/poetry#8015)). - Change future warning that PyPI will only be disabled automatically if there are no primary sources ([#​8151](python-poetry/poetry#8151)). ##### Fixed - Fix an issue where `build-system.requires` were not respected for projects with build scripts ([#​7975](python-poetry/poetry#7975)). - Fix an issue where the encoding was not handled correctly when calling a subprocess ([#​8060](python-poetry/poetry#8060)). - Fix an issue where `poetry show --top-level` did not show top level dependencies with extras ([#​8076](python-poetry/poetry#8076)). - Fix an issue where `poetry init` handled projects with `src` layout incorrectly ([#​8218](python-poetry/poetry#8218)). - Fix an issue where Poetry wrote `.pth` files with the wrong encoding ([#​8041](python-poetry/poetry#8041)). - Fix an issue where `poetry install` did not respect the source if the same version of a package has been locked from different sources ([#​8304](python-poetry/poetry#8304)). ##### Docs - Document **official Poetry badge** ([#​8066](python-poetry/poetry#8066)). - Update configuration folder path for macOS ([#​8062](python-poetry/poetry#8062)). - Add a warning about pip ignoring lock files ([#​8117](python-poetry/poetry#8117)). - Clarify the use of the `virtualenvs.in-project` setting. ([#​8126](python-poetry/poetry#8126)). - Change `pre-commit` YAML style to be consistent with pre-commit's own examples ([#​8146](python-poetry/poetry#8146)). - Fix command for listing installed plugins ([#​8200](python-poetry/poetry#8200)). - Mention the `nox-poetry` package ([#​8173](python-poetry/poetry#8173)). - Add an example with a PyPI source in the pyproject.toml file ([#​8171](python-poetry/poetry#8171)). - Use `reference` instead of deprecated `callable` in the scripts example ([#​8211](python-poetry/poetry#8211)). ##### poetry-core ([`1.7.0`](https://github.com/python-poetry/poetry-core/releases/tag/1.7.0)) - Improve performance of marker handling ([#​609](python-poetry/poetry-core#609)). - Allow `|` as a value separator in markers with the operators `in` and `not in` ([#​608](python-poetry/poetry-core#608)). - Put pretty name (instead of normalized name) in metadata ([#​620](python-poetry/poetry-core#620)). - Update list of supported licenses ([#​623](python-poetry/poetry-core#623)). - Fix an issue where PEP 508 dependency specifications with names starting with a digit could not be parsed ([#​607](python-poetry/poetry-core#607)). - Fix an issue where Poetry considered an unrelated `.gitignore` file resulting in an empty wheel ([#​611](python-poetry/poetry-core#611)). ##### poetry-plugin-export ([`^1.5.0`](https://github.com/python-poetry/poetry-plugin-export/releases/tag/1.5.0)) - Fix an issue where markers for dependencies required by an extra were not generated correctly ([#​209](python-poetry/poetry-plugin-export#209)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40Mi40IiwidXBkYXRlZEluVmVyIjoiMzYuNTIuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9--> Reviewed-on: https://git.walbeck.it/walbeck-it/docker-python-poetry/pulls/846 Co-authored-by: renovate-bot <bot@walbeck.it> Co-committed-by: renovate-bot <bot@walbeck.it>
|
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Pull Request Check List
Resolves: #4236