-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Poetry refuses to install package with correct hash #4523
Comments
I have tried to re-create the lock file without any difference in behavior. |
This seems to be a bug in poetry-core 1.0.5. With poetry-core 1.0.4 packages with md5 hashes are installed normally. |
@danygielow looks like when trying to install
1.1.8 poetry.lock file locks 1.0.4 https://github.com/python-poetry/poetry/blob/1.1.8/poetry.lock#L626 |
@orShap The locked versions in poetry.lock are only used for poetry install. If you install poetry via pip the version constraints in pyproject.toml are used. In this case its >=1.0.4, <1.1 because it uses a tilde requirement. You could try: |
according to pep-0503 , we should support all the hash functions in |
thanks! you're right |
Having a similar issue for private hosted pypi after upgrading to 1.1.9:
Could this be linked? Can be mitigated by following the comment of @danygielow
|
Hitting the same issue but only for packages from our internal private Gemfury pypi repo. Poetry comes with standard CircleCI images and I do not have the control over the version that is installed there. Thanks to this issue, our entire stack is currently broken. Update: |
It's not the bug in poetry-core 1.0.5, the problem always exists, but it happened that Package.clone omits files of Package, so the branch in executor.py#L673 is always passed. After python-poetry/poetry-core@3f718c5 , Package.clone use deepclone instead now, so the issue occurs |
Hello everyone similar problem here, I have a dependency to a private package published through a private repository. That is what I have in my poetry.lock file:
With poetry 1.1.8 everything is fine and the dependency can be installed with a poetry install, but with poetry 1.1.9 the installation (poetry install) fails with:
I have cleared the poetry cache to make the tests I had to rollback to 1.1.8 to make it work |
If you want a way to downgrade the "jailed" version of poetry core in a one-liner source $(dirname $(readlink -f $(which poetry)))/activate \
&& pip install poetry-core==1.0.4 \
&& deactivate |
rolled back to an old build image with poetry==1.1.8 would love to see this fixed asap so we can keep up with latest. |
Works toward resolution of python-poetry/poetry#4523 - [X] Added tests for changed code - [X] Added documentation for changed code Documentation is at least equivalent to the existing stuff. - Implement most of the "guaranteed" hashes as per PEP 503 - Leave out shake, because they're variable length - Feel it's unlikely anyone's repo manager is using these
I can't reproduce the issue. All of the hashes in my However some of my colleagues on the very same private Python index can reproduce the issue as for some reason they have MD5 hashes in the lockfile. |
It seems that clearing the Poetry cache (and deleting the generated Try:
|
beware: This will update all of the packages to the latest the resolver can resolve. |
Nexus here, and this did not work for us. Followed these steps exactly and had the exact same result as before. Still getting md5 hashes. poetry 1.1.9, poetry-core 1.0.5. |
We (waveapps.com) have this problem too. All packages from our private repo fail to install with the same error as above. The above workaround does not work for me. |
Why doesn't the following work for you?
|
That will work. However doing this means that we have to package and build dozens of packages to get started. This problem just started happening TODAY. It means that every build that pulls one of our custom python libs (most of them) will fail. |
Yes, the same problem just started affecting us today as well. Thankfully, I ship poetry in a base image to all of my other images, so the fix was in one place. The poetry installer doesn't allow you to lock in core unfortunately. I haven't tried pip installing poetry, but I really like to "jail" poetry, which is why I really like the installer script.... |
(new issue is #6301) |
Presumably poetry.lock should be autogenerated by Poetry itself and not manually edited. However there appears to be some bug(s) introduced in recent versions of Poetry causing it to not install dependencies correctly despite their hashes being correct (see: python-poetry/poetry#4523). The issue OP's exact problem was also encountered using the provided poetry.lock file on Poetry versions 1.1.7 & 1.1.13. This commit works around this issue, till upstream fixes.
Got a similar issue (poetry 1.3.2) today on numpy: • Updating numpy (1.21.1 /Users/cglacet/Library/Caches/pypoetry/artifacts/46/00/22/7edac5aaf3cb24c4b0d07e36cf6dd2bfd8de15c759075430fd7e428f42/numpy-1.21.1.zip -> 1.24.2): Failed
RuntimeError
Hash for numpy (1.24.2) from archive numpy-1.24.2-cp310-cp310-macosx_10_9_x86_64.whl not found in known hashes (was: sha256:ee472695253c34bc93406ce542ee02b2f0e9a3e32c9f51b0089bbb7bb9218e71)
at ~/Library/Application Support/pypoetry/venv/lib/python3.10/site-packages/poetry/installation/executor.py:673 in _validate_archive_hash
669│ archive_hash: str = "sha256:" + get_file_hash(archive)
670│ known_hashes = {f["hash"] for f in package.files}
671│
672│ if archive_hash not in known_hashes:
→ 673│ raise RuntimeError(
674│ f"Hash for {package} from archive {archive.name} not found in"
675│ f" known hashes (was: {archive_hash})"
676│ )
677│ I've tried both: poetry cache clear pypi:numpy:1.21.1
poetry cache clear pypi:numpy:1.24.2 But got the same error. On the other hand it works with numpy |
I'm facing this error installing torchrl using
None of above approaches worked for me:( |
@alirezanobakht13 Please try this:
|
Recently had a similar issue with the What helped:
Just clearing the cache isn't working. |
Same issue for |
Happens randomly for us in CI pipelines as well quite often (multiple times a day), with random libraries. Retrying usually fixes it, but it's pretty annoying to have to do that. We may have to wrap it with a retry block |
still there I agree, cannot install some packages from for example Sonar Nexus Repository Manage cause it compare sha256 to md5 |
Why is this closed? The issue is clearly still present. |
Same issue for poetry 1.5.1. Happens in our CI:
|
Add
|
does anyone know how to resolve it/?? |
In OSX, |
Could be great to have a way to force a hash from the Am talking about something like : mylib = { git="https://github.com/sanix-darker/mylib", branch="fix/this-and-that", hash="this-hash" } for example. Am on btw, was just wondering... is there any roadmap track for this idea ? (could be really great tbh). EDIT: CLEAN_CMD="rm -rf ~/.cache/pypoetry/ && poetry cache clear pypi --all"
NOT_THIS_HASH="hash-i-want-to-get-rid-of"
for i in {1..1000}; do
$(CLEAN_CMD)
grep -q "$NOT_THIS_HASH" ./poetry.lock && \
echo "Hash still there, ah s**t, there we go again..." || \
{ echo "Looks updated, please check"; break; }
sleep 1;
done; EDIT2:
|
The thing that seems to work for me these days whenever I get a checksum error is:
It's a bit of a pain having to lose the entire cache though. (Poetry version 1.3.2 on macOS) |
Poetry version 1.7.1: Poetry uses requests to download packages. So when you try to download the file There are two ways to fix this issue
for example (ref https://stackoverflow.com/questions/18364193/requests-disable-auto-decoding) import requests
r = requests.get(url, stream=True)
with open(local_filename, 'wb') as f:
for chunk in r.raw.stream(1024, decode_content=False):
if chunk:
f.write(chunk) Pull request: #8701 |
per that pull request, your server is doing it wrong. poetry asked for |
For Nexus there is an easy solution to refresh hash indexes to sha256, see comment. |
same issue happens with torch-scatter and torch-spline-conv, when i run poetry install in my local (mac osx) runs perfectly, but in the workflows of my repo fails.
Any solution? |
I think we will have to wait for new release of poetry with the fix in #8701 |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
I am on the latest Poetry version.
I have searched the issues of this repo and believe that this is not a duplicate.
If an exception occurs when executing a command, I executed it again in debug mode (
-vvv
option).OS version and name: Debian Buster
Poetry version: 1.1.9
Link of a Gist with the contents of your pyproject.toml file: https://gist.github.com/MartinWallgren/65ffceae6b597698602afdcdae927d7f
Issue
Poetry refuses to install a package even though the checksum is correct. Looking at the output it seems as if the cheksum stored in the lock file is md5 and the checksum used during installation is sha256.
Both sha256:3ae5020d5eddabcb57db9211e3f1a46ebafa28cb31cdeb4a497189041757bb7b and md5:75dbe554e7838a35e3a5836887cf9efc are valid checksums for this package according to our index (artifactory).
The text was updated successfully, but these errors were encountered: