pip: Pip install from internal pypi server containing git links fails with pypi 19.1

Environment

pip version: 19.1
Python version: Python 3.6.7
OS: Ubuntu 18.04

Description We have pypi server that contains links to git:

git+ssh://<url>.git@0.1.0.201810251140#egg=<package>-0.1.0.201810251140

pip install <package> fails with

  GitLab: The project you were looking for could not be found.
  fatal: Could not read from remote repository.

  Please make sure you have the correct access rights
  and the repository exists.

Expected behavior pip install <package> has been working and does work if I install pip<19.1

How to Reproduce

To reproduce this one needs local pypi server.

Add git+ssh://<url>.git@0.1.0.201810251140#egg=<package>-0.1.0.201810251140 style link to pypi server where that version number is a git tag.

Then:

virtualenv --python python3 env
. env/bin/activate
pip install 'pip==19.1'
pip install -vvv <package>

Output:

git clone -q ssh://<url>.git%400.1.0.201810251140 <temp>

Running same with pip<19.1 outputs

git clone -q ssh://<local_path>.git <temp>

It looks like the problem is that %400.1.0.201810251140 left in the git link.

About this issue

Original URL
State: closed
Created 5 years ago
Reactions: 1
Comments: 17 (9 by maintainers)

Commits related to this issue

Rename news to refer to #6437 — committed to cedk/pip by cedk 5 years ago
Protect `@` as safe character when cleaning URLs Remote URLs that contain a link to a git repository and a tag reference will have the `@` character converted into `%40`. This is incorrect. Fixes: #... — committed to nicolasbock/pip by nicolasbock 5 years ago

Most upvoted comments

Yes, I think so.

cjerdonek on Apr 26, 2019

@cwharland Could you create a separate issue? It sounds like it is also caused by #6245 but it’s different than the issue with git+ssh URLs. Thanks!

nicolasbock on Apr 24, 2019

We are hitting this as well. In our case the private pypi is backed by AWS s3 and uses pre-signed s3 URLs as download links. for pip < 19.1 this works for us while for 19.1 we get 403. We can curl the links just fine.

I don’t believe our URLs are quoted upon return from our private pypi service that successfully allows pip to find all the versions. I’m a bit stumped as to the new valid format of the download URL.

cwharland on Apr 24, 2019