
Repository source precedence order issue #5959

Closed
3 tasks done
elachere opened this issue Jul 6, 2022 · 4 comments
Labels
kind/question User questions (candidates for conversion to discussion)

Comments


elachere commented Jul 6, 2022

Issue

I'm trying to install dependencies both from pypi and a private repo, here's my original pyproject.toml, following the official documentation:

[tool.poetry]
name = "project_name"
version = "0.1.0"
description = ""
authors = ["Me <[email protected]>"]

[[tool.poetry.source]]
name = "private"
url = "https://url/to/private_repo"
secondary = true

[tool.poetry.dependencies]
python = "^3.9"
Flask = "^2.1.2"
private_package = "*"

[tool.poetry.dev-dependencies]
black = "^22.6.0"
mypy = "^0.961"

[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"

However, running poetry install results in poetry trying to install every requirement from the private repo, at least that's what I understand from the resulting traceback:

❯ poetry install
Updating dependencies
Resolving dependencies... (0.2s)

  RepositoryError

  403 Client Error: Forbidden for url: https://url/to/private_repo/mypy/

  at ~/.local/lib/python3.9/site-packages/poetry/repositories/legacy_repository.py:393 in _get
      389│             if response.status_code == 404:
      390│                 return
      391│             response.raise_for_status()
      392│         except requests.HTTPError as e:
    → 393│             raise RepositoryError(e)
      394│ 
      395│         if response.status_code in (401, 403):
      396│             self._log(
      397│                 "Authorization error accessing {url}".format(url=url), level="warn"

As you can see, it seems that poetry is trying to install mypy from https://url/to/private_repo/mypy/.

So far I have tried to:

  • explicitly set the source for each dependency in the pyproject.toml file (e.g. mypy = {version = "^0.961", source = "pypi"}): then the same thing happens with subdependencies
  • set the private repository URL via the command poetry config repositories.private https://url/to/private_repo: does not seem to have any impact
  • all possible combinations of the default and secondary keys for [[tool.poetry.source]]: nothing helps
  • add the private dependency with poetry add private_package --source private
  • explicitly add a source for the official PyPI and set it as default
  • I clear the cache whenever I try something

N.B.: the private repo I'm trying to install from does not require any kind of authentication (I can install from it with pip install -i https://url/to/private_repo private_package)

Experiencing this behaviour with versions:

  • 1.1.4
  • 1.1.3
  • 1.1.2
@elachere elachere added kind/bug Something isn't working as expected status/triage This issue needs to be triaged labels Jul 6, 2022
@dimbleby
Contributor

Per https://python-poetry.org/docs/master/repositories#secondary-package-sources

All package sources (including secondary sources) will be searched during the package lookup process.

I'm not sure that this is what people necessarily want: but it is the documented and expected behaviour.

I think that what a lot of people expect is that: if poetry finds a package in a primary repository, then it doesn't bother to look in any secondary repositories.

That wouldn't be very hard to arrange - relevant code is here - but probably trying to change it would provoke some discussion...

@chronossc

I have hit this problem with an s3pypi private repo. In our case, when we access a non-existent package in the s3pypi repo, we receive a 403, which is an authentication problem. But returning 403 instead of 404 can be a security measure for private repos, in order to prevent bots from knowing which packages don't exist in the repo.
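The lookup rule dimbleby quotes above (every source, secondary ones included, is searched for every package) and the 403-for-unknown-names behaviour chronossc describes, as an added illustration that is not Poetry's own code: a small model of two lookup policies over constructed sources, showing why a secondary index that answers 403 for names it does not carry aborts resolution of an unrelated package such as mypy when all sources are searched, and why it is never contacted for mypy under the "stop at the first primary hit" alternative. The source names, package names and HTTP statuses are constructed sample data; the 404-versus-other-status handling mirrors the _get() excerpt in the traceback above.

```python
from dataclasses import dataclass, field

class RepositoryError(Exception):
    """Stand-in for poetry's RepositoryError (non-404 HTTP error)."""

@dataclass
class Source:
    """Constructed model of one package index, not a real HTTP client."""
    name: str
    secondary: bool
    listed: set              # package names this index serves
    missing_status: int      # HTTP status it returns for an unknown name
    queried: list = field(default_factory=list)

    def find(self, package: str) -> bool:
        self.queried.append(package)
        if package in self.listed:
            return True
        if self.missing_status == 404:
            return False     # as in _get(): 404 means "not here", keep going
        # Anything else hits raise_for_status() and becomes RepositoryError,
        # e.g. an index that answers 403 for names it does not carry.
        raise RepositoryError(f"{self.missing_status} for {self.name}/{package}/")

def resolve(package, sources, stop_at_primary_hit=False):
    """Names of sources listing `package`. False = documented rule (search
    every source); True = stop once a primary source has it."""
    found = []
    for src in sources:
        if src.find(package):
            found.append(src.name)
            if stop_at_primary_hit and not src.secondary:
                break
    return found

def sample_sources():
    pypi = Source("pypi", False, {"Flask", "black", "mypy"}, 404)
    private = Source("private", True, {"private_package"}, 403)
    return [pypi, private]   # primary first, then the secondary

def outcome(package, stop_at_primary_hit=False):
    """One lookup on fresh sample sources: (status, hits-or-error, asked)."""
    srcs = sample_sources()
    try:
        hits = resolve(package, srcs, stop_at_primary_hit)
    except RepositoryError as exc:
        return ("error", str(exc), [s.name for s in srcs if s.queried])
    return ("ok", hits, [s.name for s in srcs if s.queried])
```

Under the documented rule, outcome("mypy") ends in the same kind of error as the traceback above even though PyPI already had the package; with stop_at_primary_hit=True the private index is only asked about names PyPI does not carry.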

@neersighted neersighted added kind/question User questions (candidates for conversion to discussion) and removed kind/bug Something isn't working as expected status/triage This issue needs to be triaged labels Oct 5, 2022
@neersighted
Member

This is currently as designed -- see #6713 for a proposal to introduce the behavior you desire/expect.

@neersighted neersighted closed this as not planned Won't fix, can't repro, duplicate, stale Oct 5, 2022

github-actions bot commented Mar 1, 2024

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 1, 2024