poetry install requests unlock keyring, even though it is not needed
I gather that keyring integration was added as a convenience feature so that you can publish packages using keys stored in your keyring. This ticket describes that feature:
https://github.com/python-poetry/poetry/issues/210
But it appears that poetry tries to access the keyring even for install operations. In one of my first times using poetry - I, as a security paranoid person, decided to abort installation of a py package I wanted because the installation process seemed to be wanting to access my keyring.
I think people should be careful about granting programs access to things they should not need to access. This behavior is an example of a problem that makes that hard to achieve.
For me, I worked around the problem by pip uninstalling the 'keyring' package from that virt env.
In the future, I think it would be beneficial to poetry's adoption and to its users, if users are not prompted for keyring unless keys should actually be needed (for a 'publish' operation).
Thanks! I'm happy to be trying out poetry.
wahuneke
All 5 comments
Do you have private repositories present in your pyproject.toml file?
I think you are affected by the issue that is fixed by #1892. The fix will be available in the next bug fix release.
sdispater
on 19 Jan 2020
I was affected by something similar on the latest release (1.0.5), but I'm not sure if it's entirely the same.
The keyring will be hit for private repos if there is an auth.toml with only the username set, even if credentials are provided via environment variables.
I believe the relevant code is here. In this case, auth will be truthy, causing the keyring path to be taken.
In our case, the "fix" was to remove any leftover auth.toml files in the environment. Manually uninstalling keyring had the same effect.
I was wondering your thoughts on adding a config variable that would prevent any keyring hits altogether (by e.g. unconditionally marking the keyring as unavailable). This would have largely the same effect as @wahuneke's workaround, but might be a bit cleaner for CI pipelines and such.
colatkinson
on 2 Apr 2020
+1 to this. I am facing similar issue while integrating poetry with Jenkins. Even though private repo credentials were provided via environment variables, poetry still tries to look into keyring for credentials.
asandeep
on 19 Apr 2020
+1 running into this issue while working over ssh
dariobig
on 4 Jun 2020
fwiw, I came across this issue and agree with the concerns mentioned above.
But fwiw, I came here due to a issue with my distro that shows a dependency mismatch on keyring. keyring==18 is required (circa 2019), where as my distro has keyring-21.2 available, not sure without looking on the compatibility issues, but thought I'd mention if in case that can be relaxed....
$ poetry init
Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 583, in _build_master
ws.require(__requires__)
File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 900, in require
needed = self.resolve(parse_requirements(requirements))
File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 791, in resolve
raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (keyring 21.2.1 (/usr/lib/python3.8/site-packages), Requirement.parse('keyring==18.*,>=18.0.0'), {'poetry'})
bdowling
on 18 Jun 2020
Related issues
kierun
路
3Comments
thejohnfreeman
路
3Comments
tonysyu
路
3Comments
alexlatchford
路
3Comments
jeremy886
路
3Comments
Most helpful comment
I was affected by something similar on the latest release (1.0.5), but I'm not sure if it's entirely the same.
The keyring will be hit for private repos if there is an
auth.tomlwith only the username set, even if credentials are provided via environment variables.I believe the relevant code is here. In this case,
authwill be truthy, causing the keyring path to be taken.In our case, the "fix" was to remove any leftover
auth.tomlfiles in the environment. Manually uninstalling keyring had the same effect.I was wondering your thoughts on adding a config variable that would prevent any keyring hits altogether (by e.g. unconditionally marking the keyring as unavailable). This would have largely the same effect as @wahuneke's workaround, but might be a bit cleaner for CI pipelines and such.