spotify / dh-virtualenv

Python virtualenvs in Debian packages
http://dh-virtualenv.readthedocs.io/en/latest/
GNU General Public License v2.0

Packaging projects with private git-repo install_requires dependencies #328

Closed joseph-wakeling-frequenz closed 3 years ago

joseph-wakeling-frequenz commented 3 years ago

First up, thanks folks for a very useful tool!

I have a project where one of its dependencies is another private git repo of our organization. In other words the install_requires entry reads:

private-project-name @ git+ssh://git@github.com/path-to/private-project-name.git@v1.2.3

However, this causes problems when dh_virtualenv gets running, because it runs as root inside the virtualenv, and is therefore unable to see the ssh keys of the user running the debuild command. So we get an error:

fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Is there a recommended way to make sure that ssh keys are available to the virtualenv used to build the package (without leaving them in the package itself)? Brute-forcing by adding keys to /root/.ssh does not work and feels icky in any case.

jhermann commented 3 years ago

This is an ugly hack for all but short periods of time. The common robust solution is to have a private release repo, e.g. devpi or Artifactory, and "normal" dependencies. Or you somehow vendor this into your main package.

Or you use a read-only deploy key.

Out of scope to handle this in dh-venv for sure.

nailor commented 3 years ago

Yeah, I think there are multiple ways to solve this. You could mount a directory containing the key inside the build chroot when building it, use a tool to distribute a secret at build time, or, as @jher said, publish the package in some local package index, etc.

Unfortunately I don’t have an answer to give here to this specific problem.

However, I also think the solution is out of scope for dh-virtualenv.
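
An added example, not part of the original thread or of dh-virtualenv: a pre-build check that finds install_requires entries like the one in the question, which make the package build fetch over SSH, and derives the pinned requirement to use once the dependency is published to a private index as suggested in the replies. It assumes release tags of the form v1.2.3 correspond to the versions published on that index; the function names and the first and third sample entries are constructed.

```python
import re

# PEP 508 direct reference: "name[extras] @ url"
DIRECT_REF = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*@\s*(?P<url>\S+)"
)
# pip VCS URL: "<vcs>+<transport>://host/path@ref"
VCS_URL = re.compile(r"^(?P<vcs>git|hg|svn|bzr)\+(?P<transport>[a-z]+)://(?P<rest>.+)$")
# Assumption: tags such as "v1.2.3" or "1.2.3" name the released version.
VERSION_TAG = re.compile(r"^v?(\d+(?:\.\d+)*)$")


def audit_requirement(req):
    """Return None for an ordinary index requirement, else a finding dict with
    'name', 'needs_ssh_key' and 'index_pin' (None if the ref is not a version tag)."""
    m = DIRECT_REF.match(req)
    if not m:
        return None
    vcs = VCS_URL.match(m.group("url"))
    if not vcs:
        return None
    rest = vcs.group("rest").split("#", 1)[0]  # drop "#egg=..." style fragments
    # Split off the host so the "git@" userinfo is not mistaken for the ref.
    _host, _, path = rest.partition("/")
    ref = path.rsplit("@", 1)[1] if "@" in path else None
    tag = VERSION_TAG.match(ref) if ref else None
    return {
        "name": m.group("name"),
        "needs_ssh_key": vcs.group("transport") == "ssh",
        "index_pin": f"{m.group('name')}=={tag.group(1)}" if tag else None,
    }


def audit(install_requires):
    """Findings for every VCS direct reference in an install_requires list."""
    return [f for f in map(audit_requirement, install_requires) if f]


# Sample input: the second entry is the one quoted in the question,
# the other two are constructed for illustration.
SAMPLE = [
    "requests>=2.25",
    "private-project-name @ git+ssh://git@github.com/path-to/private-project-name.git@v1.2.3",
    "other-lib @ git+https://example.invalid/org/other-lib.git@main",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the project's install_requires before debuild, any finding with needs_ssh_key set means the build will need a key inside the build environment; an index_pin of None means the reference is not a version tag and has no direct pinned equivalent.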