buildout icon indicating copy to clipboard operation
buildout copied to clipboard

Published 20 hours ago verified publisher icon buildout

Private pypi repository with basic auth used to work in previous versions

Open shamirapz opened this issue 2 years ago • 5 comments

I have started using buildout 3.0.0.rc3 and noticed that it was not able to pull packages from a private pypi server with basic authentication.

This is the snippet that used to work in the past:

[some_package]
recipe = zc.recipe.egg
index =
    https://user:[email protected]/packages/simple
eggs = some_package

Now with 3.0.0rc3, it shows an error that has the following form:

While:
  Installing apps.
  Getting distribution for 'some_package'.
Error: Can't download https://pypi.example.com/api/packages/pypi/files/ml-demo/0.0.1/some_package-0.0.1.tar.gz#sha256-dda0a65e388a005f56c0d7d13c5737338b527dfdeafe3727f288441be857ed93: 401 Unauthorized

What this seems to say is that buildout can pull the index, which is also behind basic auth, but cannot pull the package itself, this is to say, the credentials are not used when downloading the package.

shamirapz avatar Jul 08 '22 04:07 shamirapz

Hi,

do you have tried to use this extension?

https://pypi.org/project/cykooz.buildout.basicauth/

Maybe it helps you with your Problem.

  • Christian

goschtl avatar Jul 08 '22 06:07 goschtl

This is not a solution for the problem you posted but it might help. If not ignore this. I do not use any extension to access password protected repos and I try not to add secrets in my buildout cfgs. I just configure my ~/.pypirc like:

[distutils]
index-servers =
    ...
    private

...

[private]
repository=https://private.example.com/
username=user
password=...

ale-rt avatar Jul 08 '22 07:07 ale-rt

@goschtl @ale-rt Thanks for your comments. I have tried both methods using buildout 3.0.0rc3 and unfortunately neither works. It appears that the sections of code in how buildout installs packages have been completely rewritten. A couple of notes that I can drop here if someone else hit the same issue:

  • ~/.pypirc is ignored, none of the changes made in it were seen by buildout. It is mainly used by twine to upload packages.
  • It also appears that buildout 3.0.0rc3 doesn't read pip.conf. Combining pip.conf and ~/.netrc made pip work with basic authentication. Buildout doesn't see such configurations directly nor indirectly.

shamirapz avatar Jul 09 '22 03:07 shamirapz

Just to be sure: did it work for you with 2.x ? Or am I right that you only tried 3.x ?

gotcha avatar Jul 25 '22 12:07 gotcha

This is not a solution for the problem you posted but it might help. If not ignore this. I do not use any extension to access password protected repos and I try not to add secrets in my buildout cfgs. I just configure my ~/.pypirc like:

[distutils]
index-servers =
    ...
    private

...

[private]
repository=https://private.example.com/
username=user
password=...

Works, I use 2.x

2silver avatar Jan 12 '23 19:01 2silver