poetry tries to reinstall from git, even if it's already installed

I pinned down the problem. The issue is that pip freeze always stores the full commit hash as reference, but the lock file stores whatever reference is set in pyproject (tag/branch/reference).

Instead the reference should always be normalized to the full commit hash (that's also what yarn does), so that regardless of what you specify (tag, branch, etc) the lock only stores the resolved full hash of that reference

actually, regardless of that, which still holds true, doing poetry install will always do a git clone, even if it's not strictly necessary

but the lock file stores whatever reference is set in pyproject (tag/branch/reference).

If that's actually the case it's a bug since Poetry should store the exact commit after resolving.

cool, thanks for looking into that. it doesn't afaik. but the problem is that it still tries to clone anyway, even if it stores the right reference

Is there any workaround for this problem? I tried using the rev argument to specify an exact full git SHA, but that did not fix it.

Through @itajaja's analysis, two bugs can be pointed out:

1. A git dependency will always be cloned again (see version 0.12.17: poetry/installation/pip_installer.py#L215, also valid for current master @ f4803e91bca440e6f4af6ad54e396d01c024a76f). This is unrelated to any version constraints.
2. The git dependency does not get locked properly if a constraint is explicitly set. Whatever is defined in the branch, rev, or tag arguments gets copied as-is as the package.source.reference instead of the full commit SHA-1.

The first bug is well described in OP, but I believe the second one should have its own space.

I cannot reproduce the behaviour since 1.0.0b4 (tested up to and including 1.0.0b9), I think it has been fixed with bf2d515a.

@itajaja Can you still reproduce?

nice, I'll try. I am still using <1 but I can temporarily switch to beta

It shoud be fixed in now that version 1.0.0 is released. Closing.

This is still happening for me. When I run poetry install and run it a second time, all my git repositories are cloned.
For repositories for example:

[tool.poetry.dependencies]
python = "^3.7"
A = { git = "https://github.com/XXX/XXX.git", tag="v0.1.5" }
(5 more)

I keep seeing

Package operations: 0 installs, 6 updates, 0 removals

where the 6 updates are the git repositories.

With git, I am using "insteadOf" global option:

git config --global url."https://SECRET_KEY:@github".insteadOf https://github

I am not sure if that could be a culprit.
Has this failed for anyone else?

(Thanks for the wonderful library as well, well done! :-) )

I cannot reproduce anymore (just tried again with 1.0.2).

Can you please give a minimum reproducible example?
What version of Poetry are you using?

I will try to send one a bit later today.
I am using 1.0.0 as well, so I will try to upgrade.

I do have one question. Is the github url used to compute the hash as well?
Because in my toml file I have a different git url from what actually gets downloaded (since I have setup git to add my API key in the url).

Anyway, I'll respond later today. Thanks so much for the quick response!

ok, here's a working example:

[build-system]
requires = [ "poetry>=1.0.0",]
build-backend = "poetry.masonry.api"

[tool.poetry]
name = "test_lib"
version = "0.0.1"
description = "Test Lib"
authors = [ "foo [email protected]>",]
readme = "README.md"
repository = "https://github.com/foo/foo"
homepage = "https://github.com/foo/foo"

[tool.semantic_release]
version_variable = "version.py:version"
version_source = "commit"
upload_to_pypi = false
commit_message = "semantic release version change commit"

[tool.poetry.dependencies]
python = "^3.7"
feedparser = { git = "https://github.com/kurtmckee/feedparser", tag = "v5.1.3" }


[tool.poetry.dev-dependencies]

[tool.poetry.scripts]

Then calling twice:

XXXXXXX$ poetry install
Creating virtualenv test-lib-1FOm0thz-py3.7 in /XXXXX/pypoetry/virtualenvs
Updating dependencies
Resolving dependencies... (5.4s)

Writing lock file


Package operations: 1 install, 0 updates, 0 removals

  - Installing feedparser (5.1.3 73f60e6)
XXXX$ poetry install
Installing dependencies from lock file


Package operations: 0 installs, 1 update, 0 removals

  - Updating feedparser (5.1.3 4056bbb -> 5.1.3 73f60e6)

my poetry version:

$ poetry version
Poetry version 1.0.2

Do you encounter the same issues? Thanks so much for the response!

Thanks for the MRE.

I can reproduce your example now.
You found a different bug than we had, due to how git handled ~signed~ annotated tags.

To summarise:

• The (annotated) tag v5.1.3 itself is a git object with the short sha 73f60e6
• The tree pointed to by the tag has the short sha 4056bbb

The lock file refers to the tag object, because it is what v5.1.3 resolves to directly.
Since the checked-out tree has a different sha, poetry thinks it is not up-to-date (the references are different) and then re-install it.

I think we need a new issue for this.

Ah that is great, thank you so much for the investigation! I have created issue #1916.