Fedora Account System
Red Hat Associate
Red Hat Customer
Description of problem: If fingerprint auth is enabled, and attempt to use pip (e.g. `pip install --user <something>`) results in showing a keyring unlock window for every package it tries to download. The problems are: 1) It does not need any keyring to download for PyPI 2) It does not accept ANY password I tried moving away /usr/bin/gnome-keyring-manager to prevent it from starting, but then pip just hangs. Version-Release number of selected component (if applicable): python3-pip-19.3.1-3.fc32.noarch python3-keyring-21.2.0-1.fc32.noarch gnome-keyring-3.36.0-1.fc32.x86_64 How reproducible: always Steps to Reproduce: 1. Enable fingerprint auth and login with it 2. `pip install --user gertty` Actual results: Repeating keyring requests on each dependency; no password is accepted. Before each package you see: WARNING: Keyring is skipped due to an exception: Failed to unlock the collection! WARNING: Keyring is skipped due to an exception: Failed to unlock the collectio Expected results: Package is installed. The keyring password is requested only once and only if credentials are needed. Additional info:
The only workaround I could find is to open /usr/lib/python3.8/site-packages/keyring/core.py and comment out init_backend() in the bottom of the file. I guess the issue here is spread between gnome-keyring, python-keyring and pip, but at the very least pip should NOT try to invoke keyring each time if it failed 2x already.
pip does not depend on python3-keyring, but when it is installed, it uses it: See https://github.com/pypa/pip/pull/5952/files However, "WARNING: Keyring is skipped due to an exception: " should be harmless. Maybe this is https://github.com/pypa/pip/issues/7998 ? Dmitry, if I provide you a patched build, would you be able to try it out?
Note that I cannot reproduce this bug with the same package versions.
Please attach the log generated by: $ pip install --user -vvv gertty | tee piplog
I've opened https://github.com/pypa/pip/issues/8613 for upstream, because I think that querying the keyring for each pypi URL is not good.
Created attachment 1702074 [details] piplog > Dmitry, if I provide you a patched build, would you be able to try it out? Totally > "WARNING: Keyring is skipped due to an exception: " should be harmless. It is, but asking me for a password I don't know is :) It's a whole different story why my keyring password is different from my login password.. Attaching "pip install --user -vvv gertty --ignore-installed 2>&1 | tee ~/piplog". Note that the warning message is different because I've butchered python-keyring.
> It is, but asking me for a password I don't know is :) Well, yes. I've showcased this at https://github.com/pypa/pip/issues/8613#issuecomment-662394127 It appears to be a duplicate: https://github.com/pypa/pip/issues/8090
I've proposed a solution to upstream in https://github.com/pypa/pip/pull/8687
Dmitry, please do test a partial workaround. Navigate to https://src.fedoraproject.org/rpms/python-pip/pull-request/70 -- in the right column follow the most recent simple-koji-ci link (there is just one now), follow buildArch (python-pip-19.3.1-4.fc32.src.rpm, noarch) in the middle, and get the python3-pip-19.3.1-4.fc32.noarch.rpm file to install. Currently, that boils down to: $ sudo dnf upgrade https://kojipkgs.fedoraproject.org//work/tasks/5205/49085205/python3-pip-19.3.1-4.fc32.noarch.rpm With this workaround applied, you should be prompted for the keyring password just once per `pip install`. If that is (not) the case, let me know. A more complete fix is not yet ready and might be part of some future pip version (I'm trying to deal with that on upstream side, but there are a lot of places this can make worse, so the approach is cautious.
> With this workaround applied, you should be prompted for the keyring password just once per `pip install` I can confirm this with the provided package, thank you!
FEDORA-2020-5be1350459 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5be1350459
FEDORA-2020-5be1350459 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5be1350459` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5be1350459 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-5be1350459 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.