Poetry ignores no-binary options and downloads .whl files
- Poetry version: 1.6.1
- Python version: 3.8
- OS version and name: Red Hat Enterprise Linux Server 7.9 (Maipo)
- pyproject.toml: https://gist.github.com/HydraCro/2da652bbb270805e584ff1104a127edc
- [x] I am on the latest stable Poetry version, installed using a recommended method.
- [x] I have searched the issues of this repo and believe that this is not a duplicate.
- [x] I have consulted the FAQ and blog for any relevant entries or release notes.
- [x] If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.
Issue
I am running poetry installation with no-binary option. Due to company security policies only source code dependencies are allowed, meaning no .whl files. However I have tried using both:
poetry config --local installer.no-binary :all: (local and global)
export POETRY_INSTALLER_NO_BINARY=:all:
In both cases poetry installation still downloads .whl files, this is the log:
Source (PyPI): Downloading: https://files.pythonhosted.org/packages/7b/9b/d4f61d21bf2c9a653d02bf5ef8910c03e0cbc876db5eebae358421261b4c/responses-0.14.0-py2.py3-none-any.whl
Creating new session for files.pythonhosted.org
[urllib3.connectionpool] Starting new HTTPS connection (1): files.pythonhosted.org:443
[urllib3.connectionpool] https://files.pythonhosted.org:443 "GET /packages/7b/9b/d4f61d21bf2c9a653d02bf5ef8910c03e0cbc876db5eebae358421261b4c/responses-0.14.0-py2.py3-none-any.whl HTTP/1.1" 200 27408
1: fact: responses (0.14.0) depends on requests (>=2.0)
1: fact: responses (0.14.0) depends on urllib3 (>=1.25.10)
1: fact: responses (0.14.0) depends on six (*)
1: selecting responses (0.14.0)
1: derived: six
That trace is not from the installer and therefore is not evidence of a bug. It only shows poetry using the wheel file to derive dependencies: the configuration setting is irrelevant at this point.
Please close.
I have also used sbom generator to created spdx, and it is clear that libraries are downloaded using .whl files instead of source tar.gz files. Also keep in mind this is just one example, multiple 3PPs have this downloadLocation set to .whl file.
"name": "importlib-resources",
"SPDXID": "SPDXRef-Package-importlib-resources-6.1.0",
"versionInfo": "6.1.0",
"supplier": "Person: Barry Warsaw ([email protected])",
"downloadLocation": "https://files.pythonhosted.org/packages/65/6e/09d8816b5cb7a4006ef8ad1717a2703ad9f331dae9717d9f22488a2d6469/importlib_resources-6.1.0-py3-none-any.whl",
"filesAnalyzed": false,
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "aa50258bbfa56d4e33fbd8aa3ef48ded10d1735f11532b8df95388cc6bdb7e83"
}
],
"homepage": "https://pypi.org/pypi/importlib-resources/6.1.0",
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"licenseComments": "NOASSERTION",
"comment": "NOASSERTION"
I am not seeing libraries being compiled; a lot of .whl binaries are installed.
Please provide evidence that the poetry installer is installing binary files when asked not to. Nothing you have shown so far suggests this.
I am not sure what more I can provide as proof that .whl files are still being used to install dependencies. Do you have some suggestions of what you need that would help identify the problem? From my understanding these two logs are quite clear that .whl files are used:
"downloadLocation": "https://files.pythonhosted.org/packages/65/6e/09d8816b5cb7a4006ef8ad1717a2703ad9f331dae9717d9f22488a2d6469/importlib_resources-6.1.0-py3-none-any.whl"
Source (PyPI): Downloading: https://files.pythonhosted.org/packages/7b/9b/d4f61d21bf2c9a653d02bf5ef8910c03e0cbc876db5eebae358421261b4c/responses-0.14.0-py2.py3-none-any.whl
But I must not use .whl files, only the source tar.gz files...
poetry install -vvv and look at the output?
The log from my first issue is that output, but here is the complete log: https://gist.github.com/HydraCro/586b7f49f6d4b3feb96c47d166f644e9
you either didn't type enough vs or for some reason filtered out all the logs saying "Skipping wheel <whatever.whl> as requested in no binary policy for package"
there is still no reason to believe that the installer is installing binary wheels.
No -vs are skipped and no filtering has been applied to the output; the full log is linked in my previous comment. I believe I gave all the evidence that .whl files are still being used, since the SBOM file also points to the .whl files instead of the .tar.gz archives.
Your SBOM tool has nothing to do with poetry. I suppose it is likely looking in the poetry lock file: the inclusion of .whl files there still provides no evidence whatsoever of what the poetry installer is doing at install time.
There continues to be no reason to believe that poetry is installing binary wheels when told not to.
Why do we have .whl files listed in lock file if they are not being used? Is there even a way then to stop poetry from using .whl files whatsoever? And if -vvv is not providing enough info with Source (PyPI): Downloading: https://files.pythonhosted.org/packages/7b/9b/d4f61d21bf2c9a653d02bf5ef8910c03e0cbc876db5eebae358421261b4c/responses-0.14.0-py2.py3-none-any.whl that .whl files are being downloaded and used, what would provide enough info?
Let's wait and see if someone else also has some input or has experienced a similar issue before.
suggest that you add the logs that you would like to see in poetry, use them to verify that poetry is behaving correctly, and then submit a merge request so that others can do the same.
Chooser.choose_for(package) is the code you'll want to tweak
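The question raised above, why poetry.lock lists .whl files at all under a source-only policy, comes down to what the lock file records: every artifact the index offers for the locked version, not the artifact the installer chose. For a no-binary install the practical risk is a locked package that has no sdist, because the installer then has nothing it is allowed to select. The following script is an added example, not code from the Poetry project or from anyone in this thread. It assumes the poetry.lock layout used by Poetry 1.5+ ([[package]] tables with a files array of {file = ..., hash = ...} entries) and works on a constructed lock excerpt with placeholder hashes; point it at a real lock file to audit a project.

```python
"""Audit a poetry.lock for packages a no-binary (:all:) install can use.

Added example, not part of the Poetry project or of this issue thread.
Assumes the Poetry 1.5+ lock layout: [[package]] tables, each with a
`files` array of {file = "...", hash = "..."} entries. The lock lists all
artifacts the index offers, so wheels appear there even when
installer.no-binary = :all: makes the installer skip them at install time.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed poetry.lock excerpt. Hashes are placeholders, not real digests.
SAMPLE_LOCK = '''
[[package]]
name = "responses"
version = "0.14.0"
description = "A utility library for mocking out the requests Python library."
optional = false
python-versions = ">=3.6"
files = [
    {file = "responses-0.14.0-py2.py3-none-any.whl", hash = "sha256:placeholder-a"},
    {file = "responses-0.14.0.tar.gz", hash = "sha256:placeholder-b"},
]

[[package]]
name = "wheel-only-example"
version = "1.0.0"
description = "Constructed package that is published as a wheel only."
optional = false
python-versions = ">=3.8"
files = [
    {file = "wheel_only_example-1.0.0-py3-none-any.whl", hash = "sha256:placeholder-c"},
]

[metadata]
lock-version = "2.0"
python-versions = "^3.8"
content-hash = "placeholder-d"
'''

_NAME_RE = re.compile(r'^name\s*=\s*"([^"]+)"', re.MULTILINE)
_FILE_RE = re.compile(r'\{file\s*=\s*"([^"]+)"')
# Archive suffixes pip and poetry treat as source distributions.
SDIST_SUFFIXES = (".tar.gz", ".zip", ".tar.bz2")


def parse_lock_files(lock_text: str) -> Dict[str, List[str]]:
    """Map each locked package name to the artifact file names it lists."""
    result: Dict[str, List[str]] = {}
    # Only the [[package]] tables matter; [metadata] trails them.
    body = lock_text.split("[metadata]", 1)[0]
    for block in body.split("[[package]]")[1:]:
        match = _NAME_RE.search(block)
        if match is None:
            continue
        result[match.group(1)] = _FILE_RE.findall(block)
    return result


def classify(files: List[str]) -> Tuple[List[str], List[str]]:
    """Split artifact names into (wheels, sdists); other names are ignored."""
    wheels = [f for f in files if f.endswith(".whl")]
    sdists = [f for f in files if f.endswith(SDIST_SUFFIXES)]
    return wheels, sdists


def audit_no_binary(lock_text: str) -> List[str]:
    """Return packages that have no sdist in the lock.

    Under installer.no-binary = :all: the installer may not pick a wheel,
    so these are the packages a source-only install cannot satisfy.
    """
    missing = []
    for name, files in parse_lock_files(lock_text).items():
        _wheels, sdists = classify(files)
        if not sdists:
            missing.append(name)
    return sorted(missing)


def report(lock_text: str) -> str:
    """Human-readable summary: per package, wheel and sdist counts."""
    lines = []
    for name, files in parse_lock_files(lock_text).items():
        wheels, sdists = classify(files)
        lines.append(f"{name}: {len(wheels)} wheel(s), {len(sdists)} sdist(s)")
    for name in audit_no_binary(lock_text):
        lines.append(f"WARNING: {name} has no sdist; a :all: no-binary install cannot use it")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/poetry.lock]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(report(text))
```

Run against a real lock the report tells you, before install time, whether the source-only policy can be satisfied for every dependency; an empty warning list combined with a -vvv install log that contains the installer's no-binary skip messages is the evidence this thread was asking for, whereas the presence of wheel names in the lock by itself is not.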