-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
publishing succeeds when endpoint returns an HTTP 3xx #3600
Comments
It appears that I didn't search hard enough. Some context for the current state of this long standing issue. ContextAs I am posting this comment, the current released version of python -m pip install "git+https://github.com/python-poetry/poetry.git" Previous issuesThis bug is mentioned in at least these issues:
It's indirectly mentioned in: Response to those issuesThis comment on #858 mentions that the issue was fixed in the pull request #2285. This comment on #239 mentions that the issue was fixed in the commit 9035140, which is probably referencing this specific area of changes in that commit. This issue is addressed by pull request #1310, which was canceled in favor of the pull request #1342, which contains comments from some of the maintainers:
This comment on #742 again points to commit 9035140. Intended fixesAs seen in the duscussion on #1342, the correct behaviour would be for Explanation of intended fixesPull request #1342 implemented a change to allow The reasoning behind returning an error as opposed to automatically following the redirect is two-fold: First, this comment on pypa/twine#92 mentions that the This is the area in the source code for This problem with Secondly, following a redirect would currently mean resubmitting authentication data and one or more package distribution files to a new URL. If this redirect were issued by a malicious entity, that would allow them to capture this data, without the person running the This is mentioned in this area of My thoughtsI agree that raising a detailed and helpful error is the most correct thing to do, both in the interest of security, and in the interest of helping raise awareness as soon as possible of something that could be a bug in configuration. I also think that the current behaviour of both Finally, I agree with the author of #1342 that the URLs in the documentation on specifying repositories should be updated to use a Closing |
To be clear, this bug still exists as demonstrated, both in |
I think this bug still exists in Poetry v1.1.13. My use case is:
Now Please note that both output and return status of |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
I am on the latest Poetry version.
I have searched the issues of this repo and believe that this is not a duplicate.
If an exception occurs when executing a command, I executed it again in debug mode (
-vvv
option).OS version and name: Debian 10 "buster"
Poetry version: 1.1.4 and git
Link to a Gist with the contents of your
pyproject.toml
file: not applicabletl;dr
Issue
I was trying to use
poetry
to upload packages to the PyPI Test instance, and couldn't figure out howpoetry
could report a successful publish without my packages showing up on test.pypi.org anywhere.I was missing a
/
character at the end of the URL, and PyPI was returning an HTTP 308 redirect to the same URL, with the/
at the end:This bug is reproducible with test URLs like https://httpbin.org/status/399
This may be related to #3198.
I'm very sorry, I haven't dug into this.
Solution / Workaround
poetry
behaves as expected when the repository url is a valid PyPI Legacy Upload API endpoint.In short, I was missing a
/
character at the end of the URL.The text was updated successfully, but these errors were encountered: