Standalone Linux binary cannot bootstrap due to SSL issues
Hello!
I tried following the instructions at https://hatch.pypa.io/latest/install/ by downloading the standalone binary for Linux. However, the downloaded executable can't accomplish anything. It only tries to download the below cpython archive. No flags that I pass seem to change the behavior. However, other tools like wget are able to download the link it is struggling with. So to me it seems like this standalone binary is doing something wonky/incorrect wrt setting up SSL/cert usage. I combed through the documentation to try and find more about what this standalone binary is trying to do and couldn't find anything. Appreciate any help/insights you can provide.
I was excited to try out Hatch once I learned about it, though I clearly hit a roadblock before I was able to get very far.
-Chris
./hatch-1.8.0-x86_64-unknown-linux-gnu
Error: download failed: https://github.com/indygreg/python-build-standalone/releases/download/20230826/cpython-3.11.5%2B20230826-x86_64_v3-unknown-linux-gnu-install_only.tar.gz
Caused by:
    0: error sending request for url (https://github.com/indygreg/python-build-standalone/releases/download/20230826/cpython-3.11.5%2B20230826-x86_64_v3-unknown-linux-gnu-install_only.tar.gz): error trying to connect: invalid peer certificate: UnknownIssuer
    1: error trying to connect: invalid peer certificate: UnknownIssuer
    2: invalid peer certificate:
Hey, thank you for notifying me and sorry about the poor first-time experience!
Can you please tell me more about what platform you are running on and also if your system is up-to-date?
Thanks for the response! This is on a WSL Ubuntu 20.04 instance that recently did a full apt update so I don't think it is a system issue but I could be wrong.
I recently ran into something similar. Here's how I got past it.
I'm using a docker container for this example;
docker run -it ubuntu:22.04 bash
Then once inside the container;
apt update -y
apt install wget -y
wget --trust-server-names https://github.com/pypa/hatch/releases/download/hatch-v1.9.3/hatch-1.9.3-aarch64-unknown-linux-gnu.tar.gz -O hatch-1.9.3-aarch64-unknown-linux-gnu.tar.gz
tar -xzf hatch-1.9.3-aarch64-unknown-linux-gnu.tar.gz
mv hatch-1.9.3-aarch64-unknown-linux-gnu /usr/local/bin/hatch
hatch
I hope this helps!
$ docker run -it ubuntu:22.04 bash
$ apt update && apt install -y curl
$ curl -sSfL https://github.com/pypa/hatch/releases/download/hatch-v1.10.0/hatch-1.10.0-x86_64-unknown-linux-gnu.tar.gz | tar -xz
$ mv hatch-1.10.0-x86_64-unknown-linux-gnu /usr/local/bin/hatch
$ du -shx /
144M /
$ hatch --version
Hatch, version 1.10.0
$ du -shx /
558M /
Just an observation, that 4MB binary pulls in quite a lot of weight just by running the command. This appears to be uv and a standalone Python install.
Even if there is a system python available, and you run hatch with --config / config.toml to configure [dirs] with cache, data, python parameters, the values don't appear to have an effect? :shrug:
I tried similar with a Fedora container, same weight. It's a bit lighter when installing via pipx (still around 150MB) pulled in. Fedora does package hatch which is lighter still, but this may be due to 1.9.4 version currently packaged which I don't think includes uv.
> However, other tools like wget are able to download the link it is struggling with. So to me it seems like this standalone binary is doing something wonky/incorrect wrt setting up SSL/cert usage.

Does this still affect you? No one else seems to be chiming in with the issue or thumbs up. May have been a temporary error, or issue with accessing your system's trust store for root CAs to verify the cert?
> I tried similar with a Fedora container, same weight. It's a bit lighter when installing via pipx (still around 150MB) pulled in. Fedora does package hatch which is lighter still, but this may be due to 1.9.4 version currently packaged which I don't think includes uv.

I am working on uv for Fedora, but it’s a substantial project. I’ve made a lot of progress on updating and packaging its Rust library dependencies, but there is quite a bit more work to be done. It’s possible that Hatch 1.10.0 and Hatchling > 1.21.x may not be suitable as compatible updates for current stable releases of Fedora, and that they may appear only in Fedora 41 and later. We’ll focus on getting them into Rawhide first.
I can say that just running cargo build --release and then strip target/release/uv (since we have separate debuginfo packages) produces a roughly 30MB executable, so one can guess that a future uv package in Fedora would end up pretty close to that installed size.
> > However, other tools like wget are able to download the link it is struggling with. So to me it seems like this standalone binary is doing something wonky/incorrect wrt setting up SSL/cert usage.
>
> Does this still affect you? No one else seems to be chiming in with the issue or thumbs up. May have been a temporary error, or issue with accessing your system's trust store for root CAs to verify the cert?

I was able to get past this! Unfortunately, I don't know which of my changes actually fixed it. Likely some combination of updating things or fully blowing away my Ubuntu environment. I do appreciate all the chiming in and thoughts from everyone.
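
What an "unknown issuer" verdict means, as an added example that is not from the thread or from Hatch: a certificate validates only when its chain ends in a root present in the trust store the client consults, so two clients reading different stores can disagree about the same server. The CA names, host name and files are constructed, and the script assumes the `openssl` CLI (1.1.0 or later); it does not diagnose the machine in this report.

```shell
#!/usr/bin/env bash
# Added illustration; every name, file and certificate below is constructed.
# Requires the openssl CLI. Nothing here touches the network.

# Build a throwaway PKI in directory $1: two unrelated self-signed roots and
# one leaf certificate issued by the first root (root-a).
make_demo_pki() {
  local d=$1 name
  for name in root-a root-b; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo $name" \
      -keyout "$d/$name.key" -out "$d/$name.pem" 2>/dev/null || return 1
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=downloads.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root-a.pem" -CAkey "$d/root-a.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Validate leaf $2 against trust bundle $1 only; -no-CApath keeps the system
# certificate directory out of the decision. Prints "trusted" or the reason.
check_issuer() {
  local out
  if out=$(openssl verify -no-CApath -CAfile "$1" "$2" 2>&1); then
    echo trusted
  else
    # Typical reason: "error 20 at 0 depth lookup: unable to get local issuer certificate"
    printf '%s\n' "$out" | grep -m1 -o 'error [0-9]* at.*' || printf '%s\n' "$out"
  fi
}

# Same leaf, two trust stores: only the store holding the issuing root accepts it.
work=$(mktemp -d) && make_demo_pki "$work" || { echo "openssl failed" >&2; exit 1; }
echo "store with the issuing root:    $(check_issuer "$work/root-a.pem" "$work/leaf.pem")"
echo "store without the issuing root: $(check_issuer "$work/root-b.pem" "$work/leaf.pem")"
```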