keyring as optional dependency? #1008

Closed
ax3l opened this issue Aug 21, 2023 · 5 comments

@ax3l

ax3l commented Aug 21, 2023

Your Environment

  1. Your operating system: Ubuntu 20.04 on PPC64le
  2. Version of python you are running: 3.8 - 3.11
  3. How did you install twine? Did you use your operating system's package manager or pip or something else? pip
  4. Version of twine you have installed (include complete output of): latest
  5. Which package repository are you targeting? PyPI.org

The Issue

I am trying to upload my new ppc64le wheels with twine from Travis-CI (OSS-free partner queue sponsored by IBM). It looks like installing twine pulls cryptography through keyring as an unconditional dependency.

That install fails because on ppc64le there is no wheel for cryptography and then it falls back to a from-source build (Cryptography requires Rust >=1.41.0 which is hard to get on Ubuntu 20.04).

The Cryptography people (cc @reaperhulk) pointed me here, because they think the problem can be solved by making keyring an optional dependency of twine.

Steps to Reproduce

See: pyca/cryptography#6086

@sigmavirus24
Member

Duplicate of #837

@sigmavirus24 sigmavirus24 marked this as a duplicate of #837 Aug 22, 2023
@ax3l
Author

ax3l commented Aug 22, 2023

That issue does not address the problem that twine cannot be deployed anymore to Linux ppc64le. What is your solution?

How am I supposed to upload wheels on/for ppc64le, a fully supported platform for pip and pypi?

@sigmavirus24
Member

As I said here #837 (comment) making keyring optional is not an option.

Many good CI platforms enable separate build stages and upload stages so you can build your artifacts on whatever environments you care about and then upload them all at the same time.

In other words, this should be fixable in your configuration of your Travis CI matrix such that the ppc64le platform builds the wheel for you and another step with an architecture supported by cryptography and cffi runs the upload with twine. I strongly suggest exploring this option.

Alternatively, I believe many of the new generation of packaging tools all to various degrees have their own upload integration for PyPI and could potentially serve you well as well. Especially if you're already using one.

Twine's one job has always been to make uploads as secure as we can. Keyring is a dependency that allows us to do just that and it's not an unreasonable dependency for what it does.

@ax3l
Author

ax3l commented Aug 22, 2023

> Many good CI platforms enable separate build stages and upload stages so you can build your artifacts on whatever environments you care about and then upload them all at the same time.
>
> In other words, this should be fixable in your configuration of your Travis CI matrix such that the ppc64le platform builds the wheel for you and another step with an architecture supported by cryptography and cffi runs the upload with twine. I strongly suggest exploring this option.

Interesting suggestion. Honest question: which CI platforms support architecture swaps between build stages? And which of those support something else than x86 and arm?

Update: OK, the docs were not helpful, but I found an issue documenting it (from a former colleague, thanks @Flamefire :D)
travis-ci/travis-ci#10230

> Alternatively, I believe many of the new generation of packaging tools all to various degrees have their own upload integration for PyPI and could potentially serve you well as well. Especially if you're already using one.

At least cibuildwheel also relies on twine:
https://cibuildwheel.readthedocs.io/en/stable/deliver-to-pypi/

Which packaging tools are you referring to?

> Twine's one job has always been to make uploads as secure as we can. Keyring is a dependency that allows us to do just that and it's not an unreasonable dependency for what it does.

cc @reaperhulk just FYI. Your suggestion in pyca/cryptography#6086 is not workable for twine. If we can revisit this ticket to build cryptography on Ubuntu ppc64le workers that would help me a lot :)

@sigmavirus24
Member

> At least cibuildwheel also relies on twine:

They document that you should use twine. If you take a very short amount of time (it took me less than 30s) you'll see it doesn't depend on it or install it for you https://github.com/search?q=repo%3Apypa%2Fcibuildwheel%20twine&type=code

> Which packaging tools are you referring to?

hatch, poetry, etc.

> Interesting suggestion. Honest question: which CI platforms support architecture swaps between build stages? And which of those support something else than x86 and arm?

Travis used to, but they completely failed to manage abuse on their platform and had to shut down a bunch of features. Their documentation was never great anyway, so not surprised you can't find it there.

@pypa pypa locked as resolved and limited conversation to collaborators Aug 22, 2023