pipx: pipx install doesn't prompt for credentials for private vcs url

Describe the bug Regular pipx install command doesn’t work for private vcs urls that require authentication. Running pipx install --spec git+https://<some_private_repo>.git <package_name> does not prompt the user for username and password. If the --verbose option is provided, it works fine.

How to reproduce Run above command using a private vcs url (e.g. github, gitlab, bitbucket) and do not use --verbose.

Expected behavior Should prompt user for credentials, even when --verbose is not used.

Environment

$ python3 --version
Python 3.6.8
$ pipx --version
0.14.0.0
$ head -n 2 /etc/os-release
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
$ uname -srm
Linux 4.15.0-64-generic x86_64

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Reactions: 5
  • Comments: 24 (15 by maintainers)

Most upvoted comments

This is also an issue for private package feeds requiring credentials, eg an Azure artifacts feed

It neither prompts, or works with artifacts-keyring like pip does

+3
venaturum on Feb 4, 2021

I’m running into a similar issue when trying to install from a private registry or index-url (e.g., github/gitlab/artifactory/etc) that requires authentication.

In my case, I’m using keyring to store the credentials required, and pip will automatically use keyring if available. A typical pip based workflow would be python -m venv .venv && source .venv/bin/activate && pip install keyring && pip install -i https://authenticated.example.com/pypi/simple some-package-name.

In order to achieve something similar with pipx, pipx should have a mechanism to (pre?) inject packages (keyring, artifacts-keyring, etc) into an app’s venv before the app itself is installed.

+2
mithun on Apr 4, 2021

Yes, it animates forever and never completes. As for a solution, a good compromise might be to disable animations when the --spec argument is used. If that’s not an option I’d lean towards a --no-anims type flag or env var to disable animations, as using --verbose is not that intuitive, I only discovered that worked while trying to debug the issue.

It would of course be nice if pipx could detect when user prompts occur and drop out of the animation when they do, but that sounds like it would require considerable effort.

btw, pipx is great, the Python ecosystem has needed this for years, too many people try to force pip and pypi into this role and it causes a lot of confusion. Keep up the great work.

+2
alexkillen on Sep 19, 2019

Pip 23.1 allows you to configure it so it will use the keyring library even when --no-input is used. Now that that is possible I am of the opinion that Pipx should use --no-input unless --verbose is passed.

Alternatively passing -qqqqq and --log to Pip and a more complicated animation implementation might also be a direction that can be explored.

I am working on a PR for --no-input strategy. The test are giving me some trouble on Python < 3.11, so feel free to nerd-snipe me!

+1
Darsstar on Apr 20, 2023

As a workaround, one can include the username:password or personal access token in the package in the package index URL, see PIP documentation:

 PIP_EXTRA_INDEX_URL=https://username:password@pypi.company.com/simple pipx install my-package
+1
martina-oefelein on Mar 5, 2023

@uranusjr Oh God, I accidentally left out the word “not” 😂 Definitely not easy!!

+1
MrPointer on Jun 28, 2021

Had a quick check through the pipenv source and it looks like it’s using this: https://github.com/sarugaku/vistir#spinner

+1
alexkillen on Sep 24, 2019
Read more comments on GitHub
← pipx: pipx enters in infinite loop when trying to install a package on python distributed with MSYS2 on Windows
pipx: Pipx managing itself is broken on windows →