Private repository dependency isn't exported with sha256 hash

MD5 hashes aren’t supported by pip, and SHA256 hashes should be preferred for other reasons as well.

However, it appears that poetry doesn’t want to use/calculate the SHA256 hash for a package installed from a private repository.

All my other packages have the right type of hash embedded in the poetry.lock.

    {file = "vnxpy-3.10.0-py3-none-any.whl", hash = "sha256:5887fce95ca9ce304f86f7438b6a8d6b80d14895c8f3810fe6eb33b4b01c428c"},
]
warrant = [
    {file = "warrant-0.6.1-py2.py3-none-any.whl", hash = "sha256:a4099c566086be45d616ed4f58ed1567893ac74de125e201fc89c9023d8adf7d"},
    {file = "warrant-0.6.1.tar.gz", hash = "sha256:749bde7f775c077a64edfe21464654e0a39fc93dd76e27d5d2a61997b6dcaa0a"},
]
wcwidth = [
    {file = "wcwidth-0.1.7-py2.py3-none-any.whl", hash = "sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c"},
    {file = "wcwidth-0.1.7.tar.gz", hash = "sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e"},
]
wrapt = [
    {file = "wrapt-1.11.2.tar.gz", hash = "sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1"},
]
xoipy = [
    {file = "xoipy-1.27.1-py3-none-any.whl", hash = "md5:d39b851928a9056177cf8922772ce0b0"},
    {file = "xoipy-1.27.1.tar.gz", hash = "md5:238aa209e50aca1f90ada7a126a10327"},
]

Note xoipy, which has md5s specified. The repository itself provides the SHA256 sums, though I have not yet found the code that actually pulls those down, so I can’t confirm that poetry is receiving them. If/when I do, I will update this report.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 16
  • Comments: 9 (2 by maintainers)
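
A check for the condition reported above, as an added example that is not part of the original issue or of Poetry's code: it scans lock-file text for file entries whose hash algorithm pip's hash-checking mode does not accept (pip accepts sha256, sha384 and sha512). The function name `find_unverifiable` is hypothetical; besides the `[metadata.files]` layout shown in the issue, it also handles the per-package `files` arrays used by newer Poetry lock files.

```python
import re
from collections import defaultdict

# Digest algorithms pip accepts for --hash (hash-checking mode).
PIP_HASH_ALGOS = {"sha256", "sha384", "sha512"}

ENTRY = re.compile(r'\{\s*file\s*=\s*"([^"]+)"\s*,\s*hash\s*=\s*"(\w+):([0-9a-fA-F]+)"\s*\}')
ARRAY_OPEN = re.compile(r'^([A-Za-z0-9_.-]+)\s*=\s*\[')
PKG_NAME = re.compile(r'^name\s*=\s*"([^"]+)"')


def find_unverifiable(lock_text):
    """Map package -> [(file, algorithm)] for hashes pip cannot verify."""
    findings = defaultdict(list)
    section, package = None, None
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line  # TOML table header, e.g. [metadata.files]
            continue
        name = PKG_NAME.match(line)
        array = ARRAY_OPEN.match(line)
        if section == "[[package]]" and name:
            package = name.group(1)   # newer layout: files listed per package
        elif section == "[metadata.files]" and array:
            package = array.group(1)  # layout shown in the issue
        for file_name, algo, _digest in ENTRY.findall(line):
            if algo.lower() not in PIP_HASH_ALGOS:
                findings[package].append((file_name, algo.lower()))
    return dict(findings)


# Constructed sample: entries copied from the issue's poetry.lock excerpt.
SAMPLE_LOCK = '''\
[metadata.files]
wrapt = [
    {file = "wrapt-1.11.2.tar.gz", hash = "sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1"},
]
xoipy = [
    {file = "xoipy-1.27.1-py3-none-any.whl", hash = "md5:d39b851928a9056177cf8922772ce0b0"},
    {file = "xoipy-1.27.1.tar.gz", hash = "md5:238aa209e50aca1f90ada7a126a10327"},
]
'''

if __name__ == "__main__":
    for pkg, files in find_unverifiable(SAMPLE_LOCK).items():
        for file_name, algo in files:
            print(f"{pkg}: {file_name} is pinned with {algo}")
```

Run against a real `poetry.lock` in CI, a non-empty result identifies the packages whose exported requirements pip would be unable to verify.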

Top GitHub Comments

2 reactions
adawalli commented, Dec 10, 2019

Note xoipy, which has md5s specified. The repository itself provides the SHA256 sums, though I have not yet found the code that actually pulls those down, so I can’t confirm that poetry is receiving them. If/when I do, I will update this report.

Did you find any workaround @petergaultney? This is burning my team badly as well…

0 reactions
matejsp commented, Jun 15, 2022

Just for reference same issue with Nexus: https://issues.sonatype.org/browse/NEXUS-24127
