python-poetry / poetry

Python packaging and dependency management made easy
https://python-poetry.org
MIT License

`poetry lock --no-update` fails on FIPS-enabled system when the only known hash for a dependency is `md5` #9120

Closed PabloAlexis611 closed 5 months ago

PabloAlexis611 commented 6 months ago

Description

Using custom sources for a private repo (private mirror of PyPI), we need to perform a `poetry lock --no-update` command so that the `poetry.lock` file gets regenerated with the new source URL data. This stems from internet-enabled development, but air-gapped builds.

There might be the case that one of the dependencies pulled from this private mirror of PyPI only contains an md5 known hash.

This then attempts to generate an MD5 hash on a FIPS-enabled system, causing failure.

Workarounds

To manually patch the src/poetry/repositories/http_repository.py file at https://github.com/python-poetry/poetry/blob/28d5c007d8a73fac466deedd3b691fbf14bd9fff/src/poetry/repositories/http_repository.py#L377

with the following content:

```python
known_hash = getattr(hashlib, hash_name)(usedforsecurity=False) if hash_name else None
```

Which is not what I'd want to do in a FIPS-enabled system.

Poetry Installation Method

pipx

Operating System

RedHat 8.9

Poetry Version

Poetry (version 1.8.1)

Poetry Configuration

```
cache-dir = "/home/appuser/.cache/pypoetry"
certificates.pypy_example_url_org.cert = "/path/to/cert.pem"
experimental.system-git-client = false
installer.max-workers = null
installer.modern-installation = true
installer.no-binary = null
installer.parallel = true
keyring.enabled = true
solver.lazy-wheel = true
virtualenvs.create = true
virtualenvs.in-project = null
virtualenvs.options.always-copy = false
virtualenvs.options.no-pip = false
virtualenvs.options.no-setuptools = false
virtualenvs.options.system-site-packages = false
virtualenvs.path = "{cache-dir}/virtualenvs"  # /home/someuser/.cache/pypoetry/virtualenvs
virtualenvs.prefer-active-python = false
virtualenvs.prompt = "{project_name}-py{python_version}"
warnings.export = true
```

Python Sysconfig

```
Platform: "linux-x86_64"
Python version: "3.10"
Current installation scheme: "posix_prefix"

Paths:
        data = "/usr/local"
        include = "/usr/local/include/python3.10"
        platinclude = "/usr/local/include/python3.10"
        platlib = "/usr/local/lib/python3.10/site-packages"
        platstdlib = "/usr/local/lib/python3.10"
        purelib = "/usr/local/lib/python3.10/site-packages"
        scripts = "/usr/local/bin"
        stdlib = "/usr/local/lib/python3.10"
```


Example pyproject.toml

```toml
[tool.poetry]
name = "project-name"
version = "1.2.3"
description = "description"
authors = ["authors"]
readme = "README.md"
package-mode = false

[tool.poetry.dependencies]
python = "^3.10"
pylint = "^3.1.0"

[[tool.poetry.source]]
name = "pypy_example_url_org"
url = "https://pypi.example.url.org:443/repository/python-repo/simple/"
priority = "primary"

[tool.pylint.main]
jobs = 0
persistent = true
py-version = "3.10"
suggestion-mode = true

[tool.pylint."messages control"]
disable = [
    "some pylint flags"
]

[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"
```

Poetry Runtime Logs

Example job output (long log incoming, via `poetry lock -vvv --no-update`):

```
[urllib3:urllib3.connectionpool] https://pypi.example.url.org:443 "GET /repository/python-repo/simple/tomli/ HTTP/1.1" 200 10188
Source (somewhere): Downloading: https://pypi.example.url.org/repository/python-repo/packages/tomli/2.0.1/tomli-2.0.1-py3-none-any.whl#md5=a8a774971c6d046cf1c87cd801dd158f
[urllib3:urllib3.connectionpool] https://pypi.example.url.org:443 "GET /repository/python-repo/packages/tomli/2.0.1/tomli-2.0.1-py3-none-any.whl HTTP/1.1" 200 12757
[filelock:filelock] Attempting to acquire lock 140242422159616 on /home/someuser/.cache/pypoetry/cache/repositories/somewhere/_http/b/1/c/f/4/b1cf4e7ca2700683a183b6fe0abb5955e7814da45d2e95ef93bec993.lock
[filelock:filelock] Lock 140242422159616 acquired on /home/someuser/.cache/pypoetry/cache/repositories/somewhere/_http/b/1/c/f/4/b1cf4e7ca2700683a183b6fe0abb5955e7814da45d2e95ef93bec993.lock
[filelock:filelock] Attempting to release lock 140242422159616 on /home/someuser/.cache/pypoetry/cache/repositories/somewhere/_http/b/1/c/f/4/b1cf4e7ca2700683a183b6fe0abb5955e7814da45d2e95ef93bec993.lock
[filelock:filelock] Lock 140242422159616 released on /home/someuser/.cache/pypoetry/cache/repositories/somewhere/_http/b/1/c/f/4/b1cf4e7ca2700683a183b6fe0abb5955e7814da45d2e95ef93bec993.lock
rror:
There are no known hash types for tomli-2.0.1-py3-none-any.whl that are prioritised (known hash types: {'md5'})
   1: Version solving took 2.432 seconds.
   1: Tried 1 solutions.

  Stack trace:

  4  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/puzzle/solver.py:154 in _solve
      152│ 
      153│         try:
    → 154│             result = resolve_version(self._package, self._provider)
      155│ 
      156│             packages = result.packages

  3  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/mixology/__init__.py:18 in resolve_version
       16│     solver = VersionSolver(root, provider)
       17│ 
    →  18│     return solver.solve()
       19│ 

  2  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/mixology/version_solver.py:175 in solve
      173│             while next is not None:
      174│                 self._propagate(next)
    → 175│                 next = self._choose_package_version()
      176│ 
      177│             return self._result()

  1  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/mixology/version_solver.py:514 in _choose_package_version
      512│             package = locked
      513│ 
    → 514│         package = self._provider.complete_package(package)
      515│ 
      516│         conflict = False

  OverrideNeeded

  ({Package('pylint', '3.1.0', source_type='legacy', source_url='https://pypi.example.url.org/repository/python-repo/simple', source_reference='somewhere'): {'dill': <Dependency dill (>=0.2)>}}, {Package('pylint', '3.1.0', source_type='legacy', source_url='https://pypi.example.url.org/repository/python-repo/simple', source_reference='somewhere'): {'dill': <Dependency dill (>=0.3.7)>}}, {Package('pylint', '3.1.0', source_type='legacy', source_url='https://pypi.example.url.org/repository/python-repo/simple', source_reference='somewhere'): {'dill': <Dependency dill (>=0.3.6)>}})

  at ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/puzzle/provider.py:653 in complete_package
      649│                     current_overrides.update({package: package_overrides})
      650│                     overrides.append(current_overrides)
      651│ 
      652│             if overrides:
    → 653│                 raise OverrideNeeded(*overrides)
      654│ 
      655│         # Modifying dependencies as needed
      656│         clean_dependencies = []
      657│         for dep in dependencies:

The following error occurred when trying to handle this e

  ValueError

  Package('tomli', '2.0.1') is not in list

  at ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/repositories/legacy_repository.py:66 in package
       62│         Note that this will be cached so the subsequent operations
       63│         should be much faster.
       64│         """
       65│         try:
    →  66│             index = self._packages.index(Package(name, version))
       67│ 
       68│             return self._packages[index]
       69│         except ValueError:
       70│             package = super().package(name, version, extras)

The following error occurred when trying to handle this error:
```

  Stack trace:

  26  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/cleo/application.py:327 in run
       325│ 
       326│             try:
     → 327│                 exit_code = self._run(io)
       328│             except BrokenPipeError:
       329│                 # If we are piped to another process, it may close early and send a

  25  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/console/application.py:190 in _run
       188│         self._load_plugins(io)
       189│ 
     → 190│         exit_code: int = super()._run(io)
       191│         return exit_code
       192│ 

  24  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/cleo/application.py:431 in _run
       429│             io.input.interactive(interactive)
       430│ 
     → 431│         exit_code = self._run_command(command, io)
       432│         self._running_command = None
       433│ 

  23  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/cleo/application.py:473 in _run_command
       471│ 
       472│         if error is not None:
     → 473│             raise error
       474│ 
       475│         return terminate_event.exit_code

  22  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/cleo/application.py:457 in _run_command
       455│ 
       456│             if command_event.command_should_run():
     → 457│                 exit_code = command.run(io)
       458│             else:
       459│                 exit_code = ConsoleCommandEvent.RETURN_CODE_DISABLED

  21  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/cleo/commands/base_command.py:117 in run
       115│         io.input.validate()
       116│ 
     → 117│         return self.execute(io) or 0
       118│ 
       119│     def merge_application_definition(self, merge_args: bool = True) -> None:

  20  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/cleo/commands/command.py:61 in execute
        59│ 
        60│         try:
     →  61│             return self.handle()
        62│         except KeyboardInterrupt:
        63│             return 1

  19  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/console/commands/lock.py:55 in handle
        53│         self.installer.lock(update=not self.option("no-update"))
        54│ 
     →  55│         return self.installer.run()
        56│ 

  18  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/installation/installer.py:95 in run
        93│         # Check if refresh
        94│         if not self._update and self._lock and self._locker.is_locked():
     →  95│             return self._do_refresh()
        96│ 
        97│         # Force update if there is no lock file present

  17  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/installation/installer.py:201 in _do_refresh
       199│             source_root=self._env.path.joinpath("src")
       200│         ):
     → 201│             ops = solver.solve(use_latest=use_latest).calculate_operations()
       202│ 
       203│         lockfile_repo = LockfileRepository()

  16  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/puzzle/solver.py:71 in solve
        69│         with self._progress(), self._provider.use_latest_for(use_latest or []):
        70│             start = time.time()
     →  71│             packages, depths = self._solve()
        72│             end = time.time()
        73│ 

  15  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/puzzle/solver.py:158 in _solve
       156│             packages = result.packages
       157│         except OverrideNeeded as e:
     → 158│             return self._solve_in_compatibility_mode(e.overrides)
       159│         except SolveFailure as e:
       160│             raise SolverProblemError(e)

  14  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/puzzle/solver.py:132 in _solve_in_compatibility_mode
       130│             )
       131│             self._provider.set_overrides(override)
     → 132│             _packages, _depths = self._solve()
       133│             for index, package in enumerate(_packages):
       134│                 if package not in packages:

  13  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/puzzle/solver.py:154 in _solve
       152│ 
       153│         try:
     → 154│             result = resolve_version(self._package, self._provider)
       155│ 
       156│             packages = result.packages

  12  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/mixology/__init__.py:18 in resolve_version
        16│     solver = VersionSolver(root, provider)
        17│ 
     →  18│     return solver.solve()
        19│ 

  11  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/mixology/version_solver.py:175 in solve
       173│             while next is not None:
       174│                 self._propagate(next)
     → 175│                 next = self._choose_package_version()
       176│ 
       177│             return self._result()

  10  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/mixology/version_solver.py:514 in _choose_package_version
       512│             package = locked
       513│ 
     → 514│         package = self._provider.complete_package(package)
       515│ 
       516│         conflict = False

   9  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/puzzle/provider.py:489 in complete_package
       487│                 dependency_package = DependencyPackage(
       488│                     dependency,
     → 489│                     self._pool.package(
       490│                         package.pretty_name,
       491│                         package.version,

   8  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/repositories/repository_pool.py:204 in package
       202│         for repo in self.repositories:
       203│             try:
     → 204│                 return repo.package(name, version, extras=extras)
       205│             except PackageNotFound:
       206│                 continue

   7  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/repositories/legacy_repository.py:70 in package
        68│             return self._packages[index]
        69│         except ValueError:
     →  70│             package = super().package(name, version, extras)
        71│             package._source_type = "legacy"
        72│             package._source_url = self._url

   6  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/repositories/cached_repository.py:75 in package
        73│         extras: list[str] | None = None,
        74│     ) -> Package:
     →  75│         return self.get_release_info(canonicalize_name(name), version).to_package(
        76│             name=name, extras=extras
        77│         )

   5  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/repositories/cached_repository.py:52 in get_release_info
        50│             return PackageInfo.load(self._get_release_info(name, version))
        51│ 
     →  52│         cached = self._release_cache.remember(
        53│             f"{name}:{version}", lambda: self._get_release_info(name, version)
        54│         )

   4  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/utils/cache.py:147 in remember
       145│         value = self.get(key)
       146│         if value is None:
     → 147│             value = callback() if callable(callback) else callback
       148│             self.put(key, value, minutes)
       149│         return value

   3  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/repositories/cached_repository.py:53 in <lambda>
        51│ 
        52│         cached = self._release_cache.remember(
     →  53│             f"{name}:{version}", lambda: self._get_release_info(name, version)
        54│         )
        55│ 

   2  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/repositories/legacy_repository.py:123 in _get_release_info
       121│         yanked = page.yanked(name, version)
       122│ 
     → 123│         return self._links_to_data(
       124│             links,
       125│             PackageInfo(

   1  ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/repositories/http_repository.py:346 in _links_to_data
       344│                     break
       345│             else:
     → 346│                 file_hash = self.calculate_sha256(link)
       347│ 
       348│             if file_hash is None and (

  ValueError

  [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

  at ~/.local/share/pipx/venvs/poetry/lib/python3.10/site-packages/poetry/repositories/http_repository.py:373 in calculate_sha256
      369│         with self._cached_or_downloaded_file(link) as filepath:
      370│             hash_name = get_highest_priority_hash_type(
      371│                 set(link.hashes.keys()), link.filename
      372│             )
    → 373│             known_hash = getattr(hashlib, hash_name)() if hash_name else None
      374│             required_hash = hashlib.sha256()
      375│ 
      376│             chunksize = 4096
      377│             with filepath.open("rb") as f:

abn commented 6 months ago

Isn't this an expected error for FIPS enabled system? As in "do not rely on md5 as a secure hash"? The error message could be better and I guess we could add an option to reduce the strictness here.

dimbleby commented 6 months ago

Yeah, setting usedforsecurity=False is certainly the wrong thing to do here.

The hash absolutely is being used for security - its purpose is to prove that the package that you are installing is the same package that was uploaded to the repository.

Of course md5 is not a secure hash: but then the FIPS-enabled system is just doing what it should and refusing to allow you to rely on that hash.

People who are running FIPS-enabled systems surely care even more than the rest of us that they are getting the packages that they think they are getting: disabling that check would be the opposite of what the FIPS-enabled crowd should want to do.

Update your private mirror to provide secure hashes.

PabloAlexis611 commented 6 months ago

Makes sense. To provide context, the private mirror is hosted by a Sonatype Nexus instance - it should provide sha256 hashes as of version 3.41. I'm starting to think then this is not a poetry issue and indeed what's happening is correct behavior. We might close this ticket.

@abn @dimbleby is there a way though I can configure poetry to not use MD5 at all, or to force using SHA256? Or is it fully reliant on the repository to provide the sha256 in the resolved URLs?

In this case, the tomli package already has a defined sha256 in the poetry.lock file, so I'd have thought if the sha256 is not available from the repo, poetry could calculate this hash instead of falling back to the md5 provided by the request to the private repository - making sure it matches what already exists in the poetry.lock file.

abn commented 6 months ago

The sha256 calculation was introduced in #2958. The use of sha256 will be required if known_hash is None.

So, something like this might improve the error handling better.

known_hash = None
with contextlib.suppress(ValueError, AttributeError):
    # we handle ValueError here as well since under FIPS environments this is what is raised
    known_hash = getattr(hashlib, hash_name)() if hash_name else None

PabloAlexis611 commented 6 months ago

@abn I like that solution better since it doesn't involve lying to the FIPS system (as my insecure workaround was doing, which of course I only did for testing purposes).

I tested this patch you put above as follows:

# ...
from contextlib import contextmanager, suppress  # <- added suppress here
# ...
            known_hash = None
            with suppress(ValueError, AttributeError):
                # we handle ValueError here as well since under FIPS environments this is what is raised
                known_hash = getattr(hashlib, hash_name)() if hash_name else None

And it works in my FIPS-enabled system, no more [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS errors due to a repository request providing me with MD5 hashes in the URL. This indeed improves the error handling for FIPS-enabled systems.

Could we get a PR with your changes in? Would love to have this in a future poetry release our team could update to. I'll keep the patch in our build-process in the meantime. If you're too busy I'm willing to contribute this update as well.

abn commented 6 months ago

Happy to have you get a PR up for review if you can. Help is always welcome. The only thing I'd say we'd need is a test case that validates the scenario better to ensure we do not regress and that we do indeed validate the computed hashes.

Also there is a bit of nuance here regarding security. If your index does not provide sha256, you are in effect trusting the locally computed hash of whosoever generated the lockfile. It does weaken your security posture, but not a lot.
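
The check discussed in the comments above, as an added example that is not Poetry's code and not part of the original thread: sha256 is always computed, an index hash the crypto policy refuses is skipped rather than fatal, and the result is still compared with the sha256 already in the lock file. `digest_and_verify`, `fips_like`, `PREFERENCE` and the sample bytes are hypothetical names and constructed data; the FIPS refusal is simulated with an injected factory that raises the same `ValueError` type seen in the trace.

```python
import hashlib
import tempfile
from contextlib import suppress
from pathlib import Path

# Strongest first. This order is an assumption of the example, not Poetry's list.
PREFERENCE = ("sha512", "sha384", "sha256", "md5")


def fips_like(disabled):
    """hashlib.new stand-in: raise ValueError for `disabled` algorithms,
    as hashlib does for md5 on a FIPS-enabled host."""
    def factory(name):
        if name in disabled:
            raise ValueError(f"{name} disabled for FIPS (simulated)")
        return hashlib.new(name)
    return factory


def digest_and_verify(path, advertised, locked_sha256=None, factory=hashlib.new):
    """Return (sha256 hex, algorithm checked against the index or None).
    advertised: {algorithm: hexdigest} published by the index for this file.
    locked_sha256: digest already recorded in the lock file, if any."""
    known = known_name = None
    for name in PREFERENCE:
        if name in advertised:
            with suppress(ValueError):  # algorithm refused by the crypto policy
                known, known_name = factory(name), name
                break
    required = hashlib.sha256()  # always computed; permitted under FIPS
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(4096), b""):
            required.update(chunk)
            if known is not None:
                known.update(chunk)
    if known is not None and known.hexdigest() != advertised[known_name]:
        raise ValueError(f"{known_name} mismatch against index for {path}")
    if locked_sha256 is not None and required.hexdigest() != locked_sha256:
        raise ValueError(f"sha256 mismatch against lock file for {path}")
    return required.hexdigest(), known_name


def demo():
    data = b"constructed wheel bytes"  # constructed sample, not a real package
    sha256 = hashlib.sha256(data).hexdigest()
    fips = fips_like({"md5"})
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "demo-0.0.0-py3-none-any.whl"
        path.write_bytes(data)
        # Index offers only md5: skipped under FIPS, lock-file sha256 still checked.
        md5_only = digest_and_verify(path, {"md5": "0" * 32}, sha256, fips)
        with_sha = digest_and_verify(path, {"sha256": sha256}, factory=fips)
    return md5_only, with_sha
```

A second element of `None` in the returned tuple means nothing from the index was verified, so the lock-file comparison is the only integrity check that ran.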

mnunna-broadcom commented 6 months ago

@PabloAlexis611 I am very much interested in this change too. Are you planning on creating that PR?

PabloAlexis611 commented 6 months ago

@mnunna-vmware Yes, got the changes locally and on my fork, working on the unit tests before opening up the PR.

github-actions[bot] commented 4 months ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.