Today I Learned: 12/04/2023 - Using a newer poetry (in 2023) with pypiserver

I recently moved our corporate Python package index from devpi to pypiserver - devpi was great but was more complex and configurable than our simple needs require.

I almost immediately ran into a problem with poetry though - third-party installs on existing codebases were failing with an error indicating the package was not listed in the poetry.lock file. I “fixed” this issue with a hack by configuring poetry to not use its “experimental” new installer, which despite the name is neither new nor experimental any more. This triggered warnings from poetry but did work.

I realised today though that I was putting a bandaid on the wrong problem - the actual issue is that pypiserver is configured by default to use an MD5 hash, while poetry is expecting a more modern SHA256. The more correct fix is to have pypiserver use SHA256, by passing “–hash-algo=sha256” to pypiserver. This can safely be applied to an existing pypiserver by restarting it with this command and the pypiserver should retain existing packages (as per this Github discussion). I have made this change to my pypiserver and reverted my poetry to use the experimental new installer again and everything works as expected.