poetry.lock hashes not checked when running poetry install
See original GitHub issue

- I am on the latest Poetry version.
- I have searched the issues of this repo and believe that this is not a duplicate.
- If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).
- OS version and name: Ubuntu Bionic (within Docker)
- Poetry version: 1.0.5
- Link of a Gist with the contents of your pyproject.toml file: https://gist.github.com/slai/9d0d442fe7e4f4ea04e8f658b675192a#file-poetry_no_hash_check-dockerfile-L22-L33
Issue
It appears that Poetry does not check the hashes of the packages in poetry.lock when installing packages using poetry install.

The Dockerfile in this gist (https://gist.github.com/slai/9d0d442fe7e4f4ea04e8f658b675192a) demonstrates the issue. It runs poetry lock, mangles the hashes in poetry.lock, then runs poetry install. This succeeds, with no errors.

I would expect poetry install to fail in this case, or at least print a warning for packages where the hash does not match.
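As an added illustration of the check this issue asks for (it is not Poetry's own code and not taken from the linked gist): a small script that reads the sha256 entries from a poetry.lock [metadata.files] section and verifies a downloaded distribution file against them before anything would be installed, refusing both a digest mismatch and a file the lock does not list. The lock fragment and the "downloaded" file contents are constructed inline; the regex-based parser, verify_all and mangle_lock are assumptions of this example and handle only the one-entry-per-line layout Poetry 1.0 writes.

```python
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed stand-ins for distribution files an installer has just downloaded.
SAMPLE_FILES = {
    "demo-1.0.0-py3-none-any.whl": b"constructed wheel payload",
    "demo-1.0.0.tar.gz": b"constructed sdist payload",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed poetry.lock fragment in the Poetry 1.0 layout; the digests are
# computed from the constructed payloads above, not real PyPI values.
SAMPLE_LOCK = f"""
[[package]]
name = "demo"
version = "1.0.0"

[metadata]
content-hash = "placeholder-not-checked-here"

[metadata.files]
demo = [
    {{file = "demo-1.0.0-py3-none-any.whl", hash = "sha256:{sha256_hex(SAMPLE_FILES['demo-1.0.0-py3-none-any.whl'])}"}},
    {{file = "demo-1.0.0.tar.gz", hash = "sha256:{sha256_hex(SAMPLE_FILES['demo-1.0.0.tar.gz'])}"}},
]
"""

PKG_RE = re.compile(r'^(?P<name>[A-Za-z0-9_.\-]+)\s*=\s*\[')
FILE_RE = re.compile(
    r'\{file\s*=\s*"(?P<file>[^"]+)",\s*hash\s*=\s*"(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)"\}'
)


class HashMismatch(Exception):
    """Raised when an artifact does not match (or is absent from) poetry.lock."""


def parse_lock_hashes(lock_text: str) -> dict[str, dict[str, tuple[str, str]]]:
    """Return {package: {filename: (algorithm, digest)}} from [metadata.files]."""
    hashes: dict[str, dict[str, tuple[str, str]]] = {}
    in_files, current = False, None
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # any table header ends the files section
            in_files, current = line == "[metadata.files]", None
            continue
        if not in_files or not line:
            continue
        m = PKG_RE.match(line)
        if m:
            current = m.group("name")
            hashes.setdefault(current, {})
        if current is None:
            continue
        for fm in FILE_RE.finditer(line):
            hashes[current][fm.group("file")] = (fm.group("algo"), fm.group("digest").lower())
    return hashes


def verify_artifact(lock_hashes, package: str, filename: str, data: bytes) -> str:
    """Compare data against the lock entry; return the digest or raise HashMismatch."""
    entry = lock_hashes.get(package, {}).get(filename)
    if entry is None:
        raise HashMismatch(f"{filename} is not listed under {package} in poetry.lock")
    algo, expected = entry
    if algo != "sha256":
        raise HashMismatch(f"unsupported hash algorithm {algo!r} for {filename}")
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):   # constant-time comparison
        raise HashMismatch(f"{filename}: expected sha256 {expected}, got {actual}")
    return actual


def verify_all(lock_text: str, package: str, files: dict[str, bytes]) -> dict[str, str]:
    """Verify every downloaded file for a package; any failure aborts the whole install."""
    lock_hashes = parse_lock_hashes(lock_text)
    return {name: verify_artifact(lock_hashes, package, name, data) for name, data in files.items()}


def mangle_lock(lock_text: str, package: str, filename: str) -> str:
    """Return a copy of the lock with one digest altered, as the gist's Dockerfile does."""
    _, digest = parse_lock_hashes(lock_text)[package][filename]
    bad = ("1" if digest[0] == "0" else "0") + digest[1:]
    return lock_text.replace(digest, bad, 1)


if __name__ == "__main__":
    print("intact lock:", verify_all(SAMPLE_LOCK, "demo", SAMPLE_FILES))
    tampered = mangle_lock(SAMPLE_LOCK, "demo", "demo-1.0.0.tar.gz")
    try:
        verify_all(tampered, "demo", SAMPLE_FILES)
    except HashMismatch as exc:
        print("mangled lock rejected:", exc)
```

The two failure paths matter as much as the success path: a file missing from the lock is rejected just like a digest mismatch, so a resolver that silently fetched an extra artifact cannot slip past the check.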
Issue Analytics
- State:
- Created 3 years ago
- Reactions: 73
- Comments: 23 (6 by maintainers)
List of PRs related to this issue:
Can we merge one of the valid ones? Not checking the hashes in poetry.lock poses a significant security problem. In particular python-poetry/poetry-core#159 + #3885 are meant to be fixed together from what I understand. The other PRs can be closed.