poetry 1.2.0a1: AttributeError when installing package from secondary repo

[maksbotan]

• I am on the latest Poetry version.

• I have searched the issues of this repo and believe that this is not a duplicate.

• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

• OS version and name: macOS 10.15

• Poetry version: 1.2.0a1

• Link of a Gist with the contents of your pyproject.toml file:

Issue

Hi! I'm testing new 1.2.0a1 version as an early-adopter to find potential issues.

My pyproject.toml defines a secondary repo:

[[tool.poetry.source]]
name = "XXX"
url = "https://pypi.XXX.YYY"
secondary = true

And I have one dependency which comes from this private pypi repo. Poetry 1.1.3 installed it without errors, but on 1.2.0a1 I get this stacktrace:

  • Installing FOOBAR (1.7.2): Pending...
  • Installing FOOBAR (1.7.2): Failed

  Stack trace:

  5  ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/executor.py:244 in _execute_operation
      242│ 
      243│             try:
    → 244│                 result = self._do_execute_operation(operation)
      245│             except EnvCommandError as e:
      246│                 if e.e.returncode == -2:

  4  ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/executor.py:321 in _do_execute_operation
      319│             return 0
      320│ 
    → 321│         result = getattr(self, f"_execute_{method}")(operation)
      322│ 
      323│         if result != 0:

  3  ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/executor.py:462 in _execute_install
      460│ 
      461│     def _execute_install(self, operation: Union[Install, Update]) -> int:
    → 462│         status_code = self._install(operation)
      463│ 
      464│         self._save_url_reference(operation)

  2  ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/executor.py:498 in _install
      496│             archive = self._download_link(operation, Link(package.source_url))
      497│         else:
    → 498│             archive = self._download(operation)
      499│ 
      500│         operation_message = self.get_operation_message(operation)

  1  ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/executor.py:648 in _download
      646│         link = self._chooser.choose_for(operation.package)
      647│ 
    → 648│         return self._download_link(operation, link)
      649│ 
      650│     def _download_link(self, operation: Union[Install, Update], link: Link) -> Link:

  AttributeError

  'Link' object has no attribute 'name'

  at ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/executor.py:683 in _download_link
      679│                 ).hash()
      680│             )
      681│             if archive_hash not in {f["hash"] for f in package.files}:
      682│                 raise RuntimeError(
    → 683│                     f"Invalid hash for {package} using archive {archive.name}"
      684│                 )
      685│ 
      686│             self._hashes[package.name] = archive_hash
      687│ 

If you need any additional info to better understand the issue, I'll be happy to provide it.

[maksbotan]

If I delete poetry.lock completely (which was generated with 1.1.3 and then updated with 1.2.0a1 by poetry lock --no-update), I get this error:

  • Installing FOOBAR (1.10.0): Pending...
  • Installing FOOBAR (1.10.0): Failed

  Stack trace:

  6  ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/executor.py:244 in _execute_operation
      242│ 
      243│             try:
    → 244│                 result = self._do_execute_operation(operation)
      245│             except EnvCommandError as e:
      246│                 if e.e.returncode == -2:

  5  ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/executor.py:321 in _do_execute_operation
      319│             return 0
      320│ 
    → 321│         result = getattr(self, f"_execute_{method}")(operation)
      322│ 
      323│         if result != 0:

  4  ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/executor.py:462 in _execute_install
      460│ 
      461│     def _execute_install(self, operation: Union[Install, Update]) -> int:
    → 462│         status_code = self._install(operation)
      463│ 
      464│         self._save_url_reference(operation)

  3  ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/executor.py:498 in _install
      496│             archive = self._download_link(operation, Link(package.source_url))
      497│         else:
    → 498│             archive = self._download(operation)
      499│ 
      500│         operation_message = self.get_operation_message(operation)

  2  ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/executor.py:646 in _download
      644│ 
      645│     def _download(self, operation: Union[Install, Update]) -> Link:
    → 646│         link = self._chooser.choose_for(operation.package)
      647│ 
      648│         return self._download_link(operation, link)

  1  ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/chooser.py:61 in choose_for
       59│         """
       60│         links = []
    →  61│         for link in self._get_links(package):
       62│             if link.is_wheel and not Wheel(link.filename).is_supported_by_environment(
       63│                 self._env

  RuntimeError

  Retrieved digest for link FOOBAR-1.10.0.tar.gz(md5:b4d0805ea057c9f46d19258708f8bd56) not in poetry.lock metadata ['sha256:771b5a7e4368d3bf2f003cc27745faccdd62de7fa9a1a0c332b5d181d8851376', 'sha256:2f5c446e2b9ff04aab901e465349def8a6b0bc2a3029d6ef933b95e1473ec485']

  at ~/Library/Application Support/pypoetry/venv/lib/python3.8/site-packages/poetry/installation/chooser.py:110 in _get_links
      106│ 
      107│             selected_links.append(link)
      108│ 
      109│         if links and not selected_links:
    → 110│             raise RuntimeError(
      111│                 f"Retrieved digest for link {link.filename}({h}) not in poetry.lock metadata {hashes}"
      112│             )
      113│ 
      114│         return selected_links

[TribuneX]

We are seeing the same issue with one of our projects using 1.2.0a1

[iwoloschin]

I saw the same issue, if I manually add the sha256 hash to poetry.lock it appears to work. I'm not sure why, but the one package I'm trying to install from a secondary repo is the only one in poetry.lock to have an md5sum instead.

[paulmelnikow]

I've opened a PR to generate this error message properly: #4212.

I'm experiencing the underlying issue in Poetry 1.2.0a1. I'm installing a package from a private Gemfury repository.

Gemfury's legacy PyPI API returns only md5 hashes, not sha256 hashes. (By comparison, JFrog had a similar limitation until recently.) My lockfile contains only sha256 hashes, hence the mismatch error at install time.

In contrast, Poetry 1.1.7 works fine. A lockfile generated by 1.1.7 also contains the sha256 hashes, yet installation works fine.

Is it possible this is a regression caused by the changes in #2958?

[rgmz]

I'm experiencing the underlying issue in Poetry 1.2.0a1. I'm installing a package from a private Gemfury repository.
In contrast, Poetry 1.1.7 works fine. A lockfile generated by 1.1.7 also contains the sha256 hashes, yet installation works fine.

We're seeing the same issue with a private Nexus Repository repository. Switching to 1.1.7 resolves the issue.

$ poetry add private-package
Using version ^1.2.3 for private-package

Updating dependencies
Resolving dependencies... (0.5s)

Package operations: 1 install, 0 updates, 0 removals

  • Installing private-package (2.2.1): Failed

  RuntimeError

  Retrieved digest for link private-package-1.2.3.tar.gz(md5:670c37d9f05bed7839ea066449506deb) not in poetry.lock metadata ['sha256:3bd4e2a33293ff39aaaa91db332b2dd4c0c7700e1e006c9503fd5d83b36c05a1', 'sha256:6aa65bf07a9cfe59dab158b6b20a5e3aa8042b16ca7a9812d2bdcdf37e3a486a']

  at ~/Library/Caches/pypoetry/virtualenvs/project-KWD0UkE9-py3.9/lib/python3.9/site-packages/poetry/installation/chooser.py:110 in _get_links
      106│ 
      107│             selected_links.append(link)
      108│ 
      109│         if links and not selected_links:
    → 110│             raise RuntimeError(
      111│                 f"Retrieved digest for link {link.filename}({h}) not in poetry.lock metadata {hashes}"
      112│             )
      113│ 
      114│         return selected_links


Failed to add packages, reverting the pyproject.toml file to its original content.

[covuworie]

Seeing a similar issue with poetry 1.2.0a1 with python 3.8.2 when a new project is created with the following minimal pyproject.toml file:

[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"

[tool.poetry]
name = "example"
version = "0.1.0-alpha.0"
description = "An example"
authors = ["First Last <[email protected]>"]

Running poetry install or poetry lock gives the following error:

Skipping virtualenv creation, as specified in config file.
Updating dependencies
Resolving dependencies... (0.0s)

  AttributeError

  can't set attribute

  at /opt/poetry/venv/lib/python3.8/site-packages/poetry/packages/dependency_package.py:38 in __setattr__
       34│     def __setattr__(self, key: str, value: Any) -> None:
       35│         if key in {"_dependency", "_package"}:
       36│             return super().__setattr__(key, value)
       37│ 
    →  38│         setattr(self._package, key, value)
       39│ 
       40│     def __str__(self) -> str:
       41│         return str(self._package)

Note there are no dependencies in the pyproject.toml file. In addition to standard install of python, the only other package installed is poetry-dotenv-plugin and it's dependencies. Here is a pip list if needed:

appdirs              1.4.4
CacheControl         0.12.6
cachy                0.3.0
certifi              2021.5.30
cffi                 1.14.6
charset-normalizer   2.0.4
cleo                 1.0.0a4
crashtest            0.3.1
cryptography         3.4.7
distlib              0.3.2
entrypoints          0.3
filelock             3.0.12
html5lib             1.1
idna                 3.2
importlib-metadata   4.6.3
jeepney              0.7.1
keyring              23.0.1
lockfile             0.12.2
msgpack              1.0.2
packaging            20.9
pexpect              4.8.0
pip                  21.1.3
pkginfo              1.7.1
poetry               1.2.0a1
poetry-core          1.1.0a6
poetry-dotenv-plugin 0.1.0a2
ptyprocess           0.7.0
pycparser            2.20
pylev                1.4.0
pyparsing            2.4.7
python-dotenv        0.19.0
requests             2.26.0
requests-toolbelt    0.9.1
SecretStorage        3.3.1
setuptools           41.2.0
shellingham          1.4.0
six                  1.16.0
tomlkit              0.7.2
urllib3              1.26.6
virtualenv           20.4.4
webencodings         0.5.1
zipp                 3.5.0

[paulmelnikow]

I just started seeing this can't set attribute too. This is separate from the issue being documented here. It's the same version of Poetry I was using before, so I imagine it's related to one of the dependencies.

[covuworie]

@paulmelnikow Thanks. Would like me to create a separate issue then? I thought this issue was similar and just didn't want to create a duplicate.

[paulmelnikow]

I'm not a maintainer, but I've been meaning to report the "can't set attribute" error and do think it belongs in its own issue.

[covuworie]

Oh sorry for the confusion. I'll extract it as a separate issue and link this as a related issue.

[kaos]

I ran across this, and the root is that my package provided only a "md5" hash, not a "sha256" one, resulting in a hash verification error. I have a patched setup that fixes this, working on a set of PRs to address it.

[lukaszsamson]

Having the same issue on poetry 1.1.9. One of the packages uses md5 hash. Switching to sha256 in lockfile does not help

  RuntimeError

  Retrieved digest for link my_dep-0.0.2-py3-none-any.whl(md5:somemd5hash) not in poetry.lock metadata ['sha256:somesha256hash']

  at ~/.poetry/lib/poetry/installation/chooser.py:115 in _get_links
      111│ 
      112│         if links and not selected_links:
      113│             raise RuntimeError(
      114│                 "Retrieved digest for link {}({}) not in poetry.lock metadata {}".format(
    → 115│                     link.filename, h, hashes
      116│                 )
      117│             )
      118│ 
      119│         return selected_links

[paulmelnikow]

This regression appeared in Poetry 1.1.7/1.1.9 two days ago when poetry-core 1.0.5 was released. Downgrading to poetry-core 1.0.4 is a workaround.

[lukaszsamson]

@paulmelnikow how to do that?
I installed poetry via curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python - and don't see any poetry-core in $HOME/.poetry/

[Faylixe]

This regression appeared in Poetry 1.1.7/1.1.9 two days ago when poetry-core 1.0.5 was released. Downgrading to poetry-core 1.0.4 is a workaround.

I confirm, all our internal package installs are broken since today, pinning poetry-core==1.0.4 fixed the problem. Thanks for the solution @paulmelnikow <3.

[pcarn]

I had the same issue, pinning poetry-core to 1.0.4 fixed it.

Is there a fix in progress, or does an issue need to be logged to poetry-core?

[prajal55]

I was using Poetry 1.1.6 and it was working fine probably with poetry-core 1.0.4. Now that poetry-core got updated to 1.0.5, I started getting same errors on Poetry 1.1.6. So, poetry-core is getting updated independently of Poetry version perhaps.

[kurbanowski]

pip install poetry-core==1.0.4 is a temporary solution, had the same issue and it worked for me.
Releasing private pypi package to gemfury.
` AttributeError

'Link' object has no attribute 'name'

at /usr/local/lib/python3.9/site-packages/poetry/installation/executor.py:620 in _download_link

  615│                 ).hash()
  617│             )
  618│             if archive_hash not in {f["hash"] for f in package.files}:
  619│                 raise RuntimeError(
→ 620│                     "Invalid hash for {} using archive {}".format(package, archive.name)
  621│                 )
  622│
  623│         return archive
  624│`

[alexanderluiscampino]

Just to add my 2 cents. I have poetry 1.1.6, and if you re-install it, it will go to poetry-core 1.0.5 which has this defect.

This in my opinion should not be the case. Also, how can we go about and get poetry-core fixed ?

[pietermarsman]

I've got the same issue when installing torch 1.10.0.

$ poetry install
Installing dependencies from lock file

Package operations: 36 installs, 0 updates, 0 removals

  • Installing torch (1.10.0): Failed

  AttributeError

  'Link' object has no attribute 'name'

  at ~/.poetry/lib/poetry/installation/executor.py:632 in _download_link
      628│                 raise RuntimeError(
      629│                     "Invalid hashes ({}) for {} using archive {}. Expected one of {}.".format(
      630│                         ", ".join(sorted(archive_hashes)),
      631│                         package,
    → 632│                         archive.name,
      633│                         ", ".join(sorted(hashes)),
      634│                     )
      635│                 )
      636│ 

It does work with torch 1.7.1.

(Sorry, bit arbitrary version comparison, but I found out about this on accident and I want to leave the info here for others that have similar problems).

[pietermarsman]

I was (finally!) able to solve this for torch 1.10.0. I removed poetry completely (using locate poetry to find everything) and after a fresh install it worked again.

For reference: these PR and SO post helped me.

Bash commands I executed to uninstall poetry completely:

python3 get-poetry.py --uninstall
POETRY_UNINSTALL=1 python3 get-poetry.py
pip3 uninstall poetry
rm -r .local/share/pypoetry
rm .cache/pypoetry -r
rm .local/bin/poetry

[Cielquan]

I get the same issue too with 1.2.0a2 if I install via the new install_poetry.py script. If I install poetry into a venv with pip install poetry==1.2.0a2 I do not get this issue somehow. But I then get warnings when using poetry:

SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.

And I do not use a secondary repo at all.

[kyleaclark]

For what it's worth, the hash issue listed below from a failed docker build has been resolved as of Poetry 1.1.10. Also confirmed working as expected with versions 1.1.11, 1.1.12, and 1.1.13.

The issue was known to break our builds using Poetry 1.1.5 and 1.1.9 (did not test other versions in between). Otherwise, we had to revert to an older version 1.0.9 to get around the hash issue.

  RuntimeError

  Invalid hash for package-name (0.1.1) using archive package-name-0.1.1-py3-none-any.whl

  at /opt/poetry/venv/lib/python3.7/site-packages/poetry/installation/executor.py:620 in _download_link
      616│                 ).hash()
      617│             )
      618│             if archive_hash not in {f["hash"] for f in package.files}:
      619│                 raise RuntimeError(
    → 620│                     "Invalid hash for {} using archive {}".format(package, archive.name)
      621│                 )
      622│
      623│         return archive 

[dimbleby]

This was fixed in #4531, I reckon

[neersighted]

Agreed, I cannot reproduce on current master. Please request a re-open if this is still affecting you.

[sherrywang31]

I use a secondary repo and I'm having this issue with 1.2.0:

• Installing mypackage (0.10.0): Failed

  RuntimeError

  Retrieved digest for link mypackage-0.10.0-py3-none-any.whl(md5:f1c63397a2b6718593315a06a0a73579) not in poetry.lock metadata ['sha256:d1d3de1bcf913df45c3b8a1d5b1d8eaba3207140785b733b24568552b192e4ce', 'sha256:e887c6b1b3d15157a167a7c3d50fce03d31a7ae9df73c647cc24d1f7e7bf2fbf']

  at ~/.local/share/pypoetry/venv/lib/python3.9/site-packages/poetry/installation/chooser.py:144 in _get_links
      140│
      141│             selected_links.append(link)
      142│
      143│         if links and not selected_links:
    → 144│             raise RuntimeError(
      145│                 f"Retrieved digest for link {link.filename}({h}) not in poetry.lock"
      146│                 f" metadata {hashes}"
      147│             )
      148│

reverting back to 1.1.15 solved the issue.

[vad]

@neersighted same issue on poetry 1.2.0 with packages from a local nexus. Can you reopen it?

[dimbleby]

This issue describes an attribute error in code that no longer exists, closed is definitely the right state for it.

You want #6301 maybe

[vmgustavo]

Same issue on every version I tried after 1.1.15

Retrieved digest for link package-x.y.z.tar.gz(md5:xxxx) not in poetry.lock metadata ['sha256:xxxx', 'sha256:xxxxx']

[neersighted]

Please refer to #6301 instead of commenting on resolved issues.