Improve auth configuration for private PyPi repositories
Checklist
- [X] I added a descriptive title
- [X] I searched open requests and couldn't find a duplicate
What is the idea?
I'd like to improve upon the mechanism for configuring auth for private PyPi repositories.
Why is this needed?
The documentation claims the process for configuring private PyPI repositories is simply:

```
poetry config repositories.foo https://username:[email protected]/simple/
```
However, I believe the process actually looks as follows:

1. Install the correct version of `poetry` (matching the vendored version):

   ```
   pipx install poetry==1.1.15
   ```

2. Configure repositories using `poetry`:

   ```
   poetry config repositories.foo https://username:[email protected]/simple/
   ```

3. Copy the poetry config to a location discoverable by `conda-lock`:

   ```
   # Note that exact paths vary on different machines
   cp -R ~/.config/pypoetry ~/.config/pypoetry-conda-lock
   ```
I think there are a few problems here:

- Documentation not up-to-date.
- Users must install `poetry` separately, at a specific version matching the vendored poetry. This negates the value of vendoring in the first place.
- Users use an interface provided by `poetry`, which is effectively an implementation detail of `conda-lock` (currently `conda-lock` uses `poetry` as a resolver under the hood, but `conda-lock` should be free to change the resolution algorithm without breaking user workflows).
- Authentication secrets are saved to and copied around on disk.
What should happen?
I propose that conda-lock provides its own interface for configuring private pypi repositories, and then manages the internal gymnastics of providing these to the poetry resolver.
I propose that this interface supports configuration via environment variable first-and-foremost, as this is the most portable approach for configuration, and supports more secure workflows with tools like envchain.
Additional Context
Note also separate issue https://github.com/conda/conda-lock/issues/461 regarding auth stripping for private PyPi repositories.
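To make the proposal above concrete, here is an added sketch of what an environment-variable driven interface could look like. This is example code written for this page, not conda-lock's (or Poetry's) own implementation, and the variable naming scheme `CONDA_LOCK_PYPI_<NAME>_URL` / `_USERNAME` / `_PASSWORD` is an assumption. It shows the three pieces the proposal implies: credentials are read from the environment and kept in memory rather than written to a config file, the authenticated index URL is assembled for the resolver with the userinfo percent-encoded (so a token containing `@` or `:` cannot corrupt the URL), and a redacted URL is produced for anything that gets persisted, which is the auth-stripping concern raised in #461.

```python
"""Sketch of an environment-variable driven interface for private PyPI
repository credentials. Added example, not conda-lock's own code; the
variable naming scheme is an assumption."""
import os
from urllib.parse import quote, urlsplit, urlunsplit

# Assumed (hypothetical) naming scheme:
#   CONDA_LOCK_PYPI_<NAME>_URL       -> https://foo.example/simple/
#   CONDA_LOCK_PYPI_<NAME>_USERNAME  -> user name
#   CONDA_LOCK_PYPI_<NAME>_PASSWORD  -> password or API token
PREFIX = "CONDA_LOCK_PYPI_"
FIELDS = ("URL", "USERNAME", "PASSWORD")


def load_repositories(environ=None):
    """Collect {name: {"url": ..., "username": ..., "password": ...}} from the
    environment. Secrets stay in process memory; nothing is written to disk."""
    environ = os.environ if environ is None else environ
    repos = {}
    for key, value in environ.items():
        if not key.startswith(PREFIX):
            continue
        # Split on the LAST underscore so repository names may contain '_'.
        name, _, field = key[len(PREFIX):].rpartition("_")
        if not name or field not in FIELDS:
            continue
        repos.setdefault(name.lower(), {})[field.lower()] = value
    for name, cfg in repos.items():
        if "url" not in cfg:
            raise ValueError(f"{PREFIX}{name.upper()}_URL is required")
        if ("username" in cfg) != ("password" in cfg):
            raise ValueError(
                f"repository {name!r}: USERNAME and PASSWORD must be set together")
    return repos


def _host(parts):
    """Host[:port] part of the netloc with any userinfo removed."""
    return parts.netloc.rpartition("@")[2]


def authenticated_url(cfg):
    """Build the index URL handed to the resolver. Userinfo is percent-encoded
    so '@' or ':' inside a token cannot corrupt the URL, and credentials are
    only ever attached to https URLs."""
    if "username" not in cfg:
        return cfg["url"]
    parts = urlsplit(cfg["url"])
    if parts.scheme != "https":
        raise ValueError("refusing to attach credentials to a non-https index URL")
    userinfo = f"{quote(cfg['username'], safe='')}:{quote(cfg['password'], safe='')}"
    return urlunsplit(parts._replace(netloc=f"{userinfo}@{_host(parts)}"))


def redacted_url(url):
    """Strip userinfo so a lockfile or log line never records the secret."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(netloc=_host(parts)))


if __name__ == "__main__":
    # Constructed sample environment, standing in for os.environ.
    sample_env = {
        "CONDA_LOCK_PYPI_FOO_URL": "https://foo.example/simple/",
        "CONDA_LOCK_PYPI_FOO_USERNAME": "alice",
        "CONDA_LOCK_PYPI_FOO_PASSWORD": "p@ss:w0rd",
        "PATH": "/usr/bin",
    }
    repos = load_repositories(sample_env)
    resolver_url = authenticated_url(repos["foo"])
    print("resolver sees :", resolver_url)
    print("lockfile gets :", redacted_url(resolver_url))
```

Because the values come from the environment, a wrapper such as `envchain` can inject them for a single invocation without the secret ever landing in `~/.config/pypoetry` or being copied between directories.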
Thanks a lot @jacksmith15 for your thoughts on this and #461. I haven't read in much detail, but the situation here is indeed quite messy. I'm going to take a crack right now at upgrading the vendored Poetry. This will hopefully improve the baseline somewhat. Ultimately I think we shouldn't be relying on Poetry, but I'm just going to focus on the upgrade for now...
In case this seems to have dropped off my radar don't hesitate to ping me.