Replacing the URL of a source (e.g. PyPI) at the global level #1632
Comments
This is essential for many business uses, not simply when PyPI is unavailable but also in any case where the organization has its own libraries (not uncommon). Note that since some private repo tools (e.g. Nexus) use basic auth URLs, putting the repo URL into a project config file is absolutely inappropriate and a global config or environment variable (e.g. pip.conf, PIP_INDEX_URL) is necessary. |
#625 also seems related. Something I tried, which might be nice to make work:
|
@sdispater, I wonder whether the #1070 elaboration of the requested feature is usable as is or needs some update. If so, I volunteer to join efforts with one or a few others, have a telco and try to move this request on, as this is one of two showstoppers for our usage of poetry (the other is managing versions of the resulting package - but this I definitely do not want to discuss here). |
a simple patch for ci/cd:
# install dependencies from lock file
COPY pyproject.toml poetry.lock /opt/app/
RUN sed -i "s/${origin_pypi_url}/${private_pypi_cache_url}/g" poetry.lock
RUN sed -i "s/${origin_pypi_url}/${private_pypi_cache_url}/g" pyproject.toml
RUN poetry install -vvv |
@lovepocky Wouldn't that break the |
Poetry needs the url information of a dependency for a private repository. Otherwise, it cannot guarantee the determinism of the lock file since two files, even with the same name, may not have the same information. And if it's a question of not storing the private index credentials in the |
The idea here is the private repo specified as the override will be a PyPI mirror. The packages served by the mirror will be exact copies of the ones from https://pypi.org/, without any modifications. Anything else belongs in a separate repo, with URLs included explicitly. |
I agree. This contributes to usability of
I thought that the hash above is calculated from the package file content and does not depend on the filename and URL, and thus it allows checking that two files (even from different URLs) provide exactly the same information.
Treat source url the way git treats remote configuration
The analogy is not perfect, but it is very close to the use case. git allows you to clone a repository and have an initial remote configured, but it is easy to change the remote to another git server (e.g. from GitHub to GitLab or an alternative repo name) and all will still work. If I configure the remote badly, git will complain immediately at the first command dealing with the remote server, because the commit hashes will not match.
I hope that if my alternative private PyPI URL serves exactly the same packages for my installation (checked by comparing hashes), all shall run as usual; if the alternative URL provides different package content, it shall fail. Such a level of determinism would still provide all the service I appreciate from poetry today and would provide enough flexibility to fit common CI/CD processes. |
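The content-hash check discussed in the comments above, as an added example that is not part of the thread and not Poetry's own code: an artifact is accepted only when its digest matches the hash pinned in the lock file, whichever URL served it. The lock fragment, file name, hosts and artifact bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed sample data: artifact bytes and a lock fragment shaped like a
# poetry.lock [[package]] entry (names and hosts are hypothetical).
WHEEL = b"constructed wheel contents for demo-pkg 1.0.0"
LOCK = '''
[[package]]
name = "demo-pkg"
version = "1.0.0"
files = [
    {file = "demo_pkg-1.0.0-py3-none-any.whl", hash = "sha256:%s"},
]
''' % hashlib.sha256(WHEEL).hexdigest()

FILE_ENTRY = re.compile(
    r'\{\s*file\s*=\s*"([^"]+)"\s*,\s*hash\s*=\s*"(\w+):([0-9a-f]+)"\s*\}')
ALLOWED = {"sha256", "sha384", "sha512"}

def pinned_hashes(lock_text):
    """Map artifact filename -> (algorithm, hex digest) pinned in the lock."""
    return {f: (a, d) for f, a, d in FILE_ENTRY.findall(lock_text)}

def verify_artifact(lock_text, filename, data, source_url):
    """Accept data only if its digest equals the pin; the URL is never trusted."""
    pin = pinned_hashes(lock_text).get(filename)
    if pin is None:
        return False, f"{filename} ({source_url}): no pinned hash"
    algo, expected = pin
    if algo not in ALLOWED:
        return False, f"{filename} ({source_url}): unsupported algorithm {algo}"
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"{filename} ({source_url}): digest mismatch"
    return True, f"{filename} ({source_url}): ok"

if __name__ == "__main__":
    name = "demo_pkg-1.0.0-py3-none-any.whl"
    for url, body in [
        ("https://files.pythonhosted.org/constructed/" + name, WHEEL),
        ("https://mirror.example.internal/pypi/" + name, WHEEL),
        ("https://mirror.example.internal/pypi/" + name, WHEEL + b"!"),
    ]:
        print(verify_artifact(LOCK, name, body, url))
```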
As above, my use case is a private pypi mirror. At some stage, the public pypi may even be firewalled off, and it doesn't feel right to have to have a different pyproject.toml for use behind a firewall as for in front of it, for the same code. |
I fully agree with #1632 (comment). IIRC |
@jhbuhrman |
I'm a little confused. I would've assumed that this would've been sufficient: poetry config repositories.REPO_NAME https://artifactory.XXX.com/artifactory/api/pypi But it seems that setting the config globally doesn't negate the need for setting the URL in each |
This feature would be very useful for scenarios where jwt for authenticating with the registry is prepended to the beginning of the repo url, AWS codeartifact for example builds repo urls like so:
Current setup that requires poetry users to define this as a static url inside of I see the workaround to the effect of:
but that still requires me to set the url on every project rather than once and for all for my docker image builder |
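A pre-commit style check for the concern raised in the comments above (basic-auth or token-bearing repository URLs ending up in project files), as an added example that is not from the thread or from Poetry. The sample pyproject.toml, host names and secret are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample pyproject.toml; host names and the secret are made up.
PYPROJECT = '''
[[tool.poetry.source]]
name = "nexus"
url = "https://builder:s3cr3t@nexus.example.internal/repository/pypi/simple"

[[tool.poetry.source]]
name = "mirror"
url = "https://mirror.example.internal/pypi/simple"
'''

URL_RE = re.compile(r'https?://[^\s"\'<>]+')

def credentialed_urls(text):
    """Return (line number, redacted URL) for every URL carrying userinfo.

    The secret itself is never included in the finding, so the report can be
    written to CI logs safely.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            parts = urlsplit(match.group(0))
            if parts.username or parts.password:
                host = parts.hostname or ""
                if parts.port:
                    host += f":{parts.port}"
                findings.append(
                    (lineno, f"{parts.scheme}://***@{host}{parts.path}"))
    return findings

if __name__ == "__main__":
    for lineno, url in credentialed_urls(PYPROJECT):
        print(f"pyproject.toml:{lineno}: credentials embedded in {url}")
```

Run it over both pyproject.toml and poetry.lock, since a source URL written into one is copied into the other.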
@swist I think, that in this case you will manage with existing poetry as the part in front of Just configure url in form of |
Turns out there's a magic envvar (should have finished reading the docs) that does the auth. Still doesn't quite solve the problem when you're accessing the same repository via different vpc endpoints (for example building your images in multiple clusters but pushing to same registry) - that would still require a rewrite of pyproject.toml (and the lockfile I suppose) at build time |
@swist Do you mind sharing how exactly you're using Poetry with CodeArtifact? Ignoring the rolling creds bit (I'm aware of it), and assuming a hard coded or configured set of creds, that's fine. I'm having a hard time understanding how to get Poetry to work without getting Apologies for piggybacking off this thread, I'd message directly or open an issue but looks like you have something already :) |
@m1hawkgsm turns out there are two separate urls you need to use. If you want to pull you need to set the url to be
But if you want to push you want to do the following CLI call:
|
Is there any update on this? On the one hand, this ticket is still open, on the other hand, this comment seems to hint that this might never be implemented. |
✨ This is an old work account. Please reference @brandonchinn178 for all future communication ✨ As another data point, I tried to hack around this by doing find/replace for all mentions of Long story short, it would be great if poetry could allow overriding the PyPI URL, but also allow specifying if poetry needs to use the legacy endpoint for the repository Update: seems like I got a workaround working
@@ -88,6 +88,14 @@
poetry.pool.add_repository(repository, is_default, secondary=is_secondary)
+ # Support alternate PyPI repository
+ # https://github.com/python-poetry/poetry/issues/1632
+ pypi_legacy_repository = config.get("repositories.pypi-legacy")
+ if pypi_legacy_repository:
+ source = dict(pypi_legacy_repository, name="pypi-legacy")
+ repository = self.create_legacy_repository(source, config)
+ poetry.pool.add_repository(repository, True, secondary=False)
+
# Always put PyPI last to prefer private repositories
# but only if we have no other default source
if not poetry.pool.has_default():
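Review bot: the added `poetry.pool.add_repository(repository, True, secondary=False)` call registers pypi-legacy as the default unconditionally, even when a source added through the `add_repository(repository, is_default, ...)` line above it was already marked default. Consider guarding the block with `if pypi_legacy_repository and not poetry.pool.has_default():` so an explicit project default wins, and add a comment that making this repository the default is what causes the `has_default()` check below to skip the PyPI fallback. The `dict(pypi_legacy_repository, name="pypi-legacy")` line also assumes the config value is a mapping; a note on the expected shape of `repositories.pypi-legacy`, or a check with a clear error, would make a misconfigured value easier to diagnose.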
|
Hello,
and am done for good for all projects. |
I am giving up on poetry, it is close to unusable in a shielded development environment with a Nexus, and the maintainer does not seem to understand the frequently brought up issues regarding this. This is sad, because I think it has the greatest dependency-resolver around. |
Keep the 👍 votes on the issue coming, it could eventually land in the feature roadmap. It's already in the first page of issues when you sort by 👍 You could also take over or upvote this PR #2074 which, to me, is even better than what this feature request is asking for. |
Related: #5958 |
I've published poetry-plugin-pypi-mirror, a plugin that allows pypi.org to be replaced by a mirror specified in an environment variable. It's available on PyPI. Hopefully others will find this useful. The plugin satisfies the original subject of this issue ( |
I've forked @JacobHenner's plugin: poetry-plugin-use-pip-global-index-url. Instead of specifying the mirror URL in an environment variable, the global.index-url from pip config is used. |
@BaxHugh, great to read, did you consider creating a PR in the project of @JacobHenner? I like the idea of reusing PIP. Maybe look for the env var and if that one is not set, fall back to |
@mfriedenhagen I didn't really consider it, but like you say, it could be good to add it as a feature to the original. But I feel like it should probably be configurable if so. I'm glad you think it's a good feature. |
I think people might be seeing (part of why) this is not implemented in Poetry yet -- coming up with a universal design is hard, and whatever we settle on will be stable/supported for a long time to come, with additions/changes being constrained by the first iteration. Hopefully what y'all learn with plugins can be used to inform a well-thought design for Poetry down the line. |
Right @neersighted, maybe adding the configuration to
and then in
|
That's pretty much up to plugin authors; Poetry will not reject unknown keys. e.g. # config.toml
[foo]
bar = true
|
Well, at least I would suggest/document that configuration should be a bit structured ;-) |
@mfriedenhagen I've adopted a similar scheme starting with version 0.2.0 of the plugin. |
When I run
Please don't deprecate this setting before this issue is solved by having a direct PyPI repo setting. Currently, using |
It's disappointing the policy of not respecting pip.conf settings has been decided. For reasons of orthogonality, I work in a corporate environment with our repo access to pypi intermediated by an artifactory repository, with different SSL keys. All of these config things are solved for us - SSL, and custom pypi servers. Having to configure poetry as a special case, on top of configuring Python/pip, it does not help adoption, it creates a barrier to ubiquitous adoption. |
Worked for me, thanks~ For those who want to install the plugin with a custom PyPI mirror, the command can be:
python -c "mirror_url='http://mirrors.tencent.com/pypi/simple';from poetry.locations import CONFIG_DIR;import os;cmd='cd {}&&poetry source remove pypi-mirror&&poetry source add --priority=default pypi-mirror {}'.format(CONFIG_DIR,mirror_url);os.system(cmd)"
# For poetry < 1.5 change `--priority=default` to be `--default`
poetry self add poetry-plugin-pypi-mirror |
Any update on this? |
To me, this and many other poetry issues are resolved sufficiently. By switching to pdm. No more endless discussions on proposing needed features which are not finally implemented. |
The industry is increasingly blocking PyPI due to cybersecurity supply chain attacks (like this) and regulatory laws. |
Is https://github.com/arcesium/poetry-plugin-pypi-mirror insufficient for your concerns? |
This works soooo good. Thank you so much for literally saving the day! |
Feature Request
Similar to one of the proposals in #1070 (which was recently marked stale), Poetry should allow the user to override the default repository URL (PyPI). The user should be able to do this without modifying pyproject.toml.
In certain environments (e.g. corporate networks) PyPI is unavailable, but a mirror exists. These users should be able to specify the address of the mirror without modifying project files, as the mirror settings are irrelevant to contributors in different environments. Similarly, if a mirror user adds a dependency, the generated lock file should not list the user's mirror as the source. The source should remain the default (which in most cases would refer to standard PyPI).
This feature exists in pipenv, see pypa/pipenv#2075 (where the need for this functionality is described in greater detail) and pypa/pipenv#2281.