qiskit-honeywell-provider depends on qiskit-terra (>=0.16.0) https://www.wheelodex.org/projects/qiskit-honeywell-provider/ which is reaching EoL:

I'm a Cyber Security researcher developing PackjGuard [1]. Our tool has detected a deleted dependency vulnerability in this repository.

The package qiskit-quantinuum-provider mentioned in file README at line 14 does not exist on the public Pypi registry. A bad actor can hijack this package to propagate malicious code.

Not only your apps/service is vulnerable to this attack, but users of your open-source Github repo are also vulnerable to this attack.

Please highlight this in file README and register a placeholder package for qiskit-quantinuum-provider on public Pypi soon to remediate.

Thanks!

PackjGuard is a Github app that monitors repos for malicious/vulnerable dependencies and mitigates attacks by creating pull requests for automatic remediation https://github.com/marketplace/packjguard

I'm reopening #26 as I still believe this to not be completely resolved.

• There still should be some update in the README file pertaining to using Honeywell over Quantinuum.
• Using the Honeywell provider still does not work (more details below):

Regarding being able to use the package, I have a question about usage. I see that the .save_account method naturally points to the Honeywell page for user login. Naturally, I'd rather use the qapi.quantinuum.com/ URL instead. I see that one can configure this (in principle) in the proxies variable

    import os
    from qiskit.providers.honeywell import Honeywell
    USERNAME = os.environ.get("QUANTINUUM_USERNAME")
    PASSWORD = os.environ.get("QUANTINUUM_PASSWORD")
    Honeywell.save_account(USERNAME, 
                           proxies = { 'urls': {'http':
                           f'http://{USERNAME}:{PASSWORD}@qapi.quantinuum.com/',
                           'https':
                           f'http://{USERNAME}:{PASSWORD}@qapi.quantinuum.com/'
                           } })

    backends = Honeywell.backends()
    backend = Honeywell.get_backend(machine)

However, this seems to fail is appears to be pointing to the Honeywell login link despite the fact that (I thought) I was configuring it to login to a different URL. I'm most likely doing something wrong, but is it obvious what that might be? Thank you again for your help!

Here is the error output upon trying to call the associated save_account method:

/Users/vincent.russo/Library/Caches/pypoetry/virtualenvs/benchmark-Is--SOOG-py3.11/lib/python3.11/site-packages/qiskit/providers/honeywell/__init__.py:38: FutureWarning: This is the final release of qiskit-honeywell-provider. It will be replaced by the qiskit-quantinuum-provider package in the future.
  warnings.warn("This is the final release of qiskit-honeywell-provider. "
Enter your password: 
Traceback (most recent call last):
  File "/Users/vincent.russo/Projects/resarch/unitary_fund/metriq-api/benchmark/benchmark/QC-App-Oriented-Benchmarks/quantum-fourier-transform/qiskit/qft_benchmark.py", line 427, in <module>
    backends = Honeywell.backends()
               ^^^^^^^^^^^^^^^^^^^^
  File "/Users/vincent.russo/Library/Caches/pypoetry/virtualenvs/benchmark-Is--SOOG-py3.11/lib/python3.11/site-packages/qiskit/providers/honeywell/honeywellprovider.py", line 92, in backends
    if not self._api.has_token():
           ^^^^^^^^^^^^^^^^^^^^^
  File "/Users/vincent.russo/Library/Caches/pypoetry/virtualenvs/benchmark-Is--SOOG-py3.11/lib/python3.11/site-packages/qiskit/providers/honeywell/api/honeywellclient.py", line 76, in has_token
    return bool(self.client_api.session.credentials.access_token)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/vincent.russo/Library/Caches/pypoetry/virtualenvs/benchmark-Is--SOOG-py3.11/lib/python3.11/site-packages/qiskit/providers/honeywell/api/session.py", line 96, in credentials
    self.update_auth()
  File "/Users/vincent.russo/Library/Caches/pypoetry/virtualenvs/benchmark-Is--SOOG-py3.11/lib/python3.11/site-packages/qiskit/providers/honeywell/api/session.py", line 89, in update_auth
    self.headers.update({'Authorization': self._credentials.access_token})
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/vincent.russo/Library/Caches/pypoetry/virtualenvs/benchmark-Is--SOOG-py3.11/lib/python3.11/site-packages/qiskit/providers/honeywell/credentials/credentials.py", line 146, in access_token
    return self._login()
           ^^^^^^^^^^^^^
  File "/Users/vincent.russo/Library/Caches/pypoetry/virtualenvs/benchmark-Is--SOOG-py3.11/lib/python3.11/site-packages/qiskit/providers/honeywell/credentials/credentials.py", line 274, in _login
    self._authenticate()
  File "/Users/vincent.russo/Library/Caches/pypoetry/virtualenvs/benchmark-Is--SOOG-py3.11/lib/python3.11/site-packages/qiskit/providers/honeywell/credentials/credentials.py", line 205, in _authenticate
    status_code, message = self._request_tokens(body)
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/vincent.russo/Library/Caches/pypoetry/virtualenvs/benchmark-Is--SOOG-py3.11/lib/python3.11/site-packages/qiskit/providers/honeywell/credentials/credentials.py", line 155, in _request_tokens
    response = sess.post(
               ^^^^^^^^^^
  File "/Users/vincent.russo/Library/Caches/pypoetry/virtualenvs/benchmark-Is--SOOG-py3.11/lib/python3.11/site-packages/requests/sessions.py", line 635, in post
    return self.request("POST", url, data=data, json=json, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/vincent.russo/Library/Caches/pypoetry/virtualenvs/benchmark-Is--SOOG-py3.11/lib/python3.11/site-packages/qiskit/providers/honeywell/api/session.py", line 170, in request
    raise RequestsApiError(ex, message) from None
qiskit.providers.honeywell.api.exceptions.RequestsApiError: HTTPSConnectionPool(host='qapi.honeywell.com', port=443): Max retries exceeded with url: /v1/login (Caused by ProxyError('Cannot connect to prox

fyi @1ucian0 @mtreinish @chris-theroux

It appears as though one is unable to install the qiskit-quantinuum-provider package either via the PyPi server (as it is not present) or via Git. IOW, doing:

pip3 install qiskit-quantinuum-provider

is broken as the PyPi link is broken. Alternatively, attempting to install the package via Git, that is:

python -m pip install 'qiskit-quantinuum-provider @ git+ https://github.com/qiskit-community/qiskit-quantinuum-provider'

also fails. It seems as if the last commit to this project was at the end of March of 2023. Are there any plans to continue development on this project or has it been deprioritized? If the latter, are there any specific adaptations one would have to do in order to make use of this provider pattern within Qiskit?

fyi @mtreinish, @1ucian0 @chris-theroux

Information

• Qiskit Honeywell Provider version: Latest Version from github
• Python version: 3.9
• Qiskit Terra version: 0.19.1
• Operating system: Arch Linux 5.15.13

What is the current behavior?

Executing
from qiskit.providers.honeywell import Honeywell
gives ImportError: cannot import name 'validate_qobj_against_schema' from 'qiskit.qobj'

Steps to reproduce the problem

Do the import mentioned above with Qiskit Terra version 0.19.1.

What is the expected behavior?

Should import correctly

Suggested solutions

In this upgrade log, https://github.com/Qiskit/qiskit-terra/blob/d5094eeca27f2c0f3c13f23f1e812cd41b6108f2/releasenotes/notes/0.19/remove-schemas-ca9f3f2e0f08bca8.yaml , it suggests to manually building jsonschema
validation function. From a new user's perspective, it is not clear what to do exactly.

I'm a Cyber Security researcher developing PackjGuard [1]. Our tool has detected a deleted dependency vulnerability in this repository.

The package qiskit-quantinuum-provider mentioned in file README at line 14 does not exist on the public Pypi registry. A bad actor can hijack this package to propagate malicious code.

Not only your apps/service is vulnerable to this attack, but users of your open-source Github repo are also vulnerable to this attack.

Please highlight this in file README and register a placeholder package for qiskit-quantinuum-provider on public Pypi soon to remediate.

Thanks!

1. PackjGuard is a Github app that monitors repos for malicious/vulnerable dependencies and mitigates attacks by creating pull requests for automatic remediation https://github.com/marketplace/packjguard

The Qiskit's PyPI account is enabling 2FA on Oct 19. As a consequence, deploying this repo won longer be able to use password authentication for publishing this package to PyPI after this date. The best mechanism PyPI offers for publishing now is trusted publishers:

https://docs.pypi.org/trusted-publishers/using-a-publisher/

which authorizes a GitHub Action workflow to push to PyPI and bypasses the need for any user credentials.
So, this repo needs such a workflow. Take a look to other project as examples:

• .github/workflows/wheels.yml in https://github.com/Qiskit/qiskit/pull/10999/files
• .github/workflows/deploy-code.yml in https://github.com/qiskit-community/qiskit-machine-learning/pull/698/files

Once done, a manual linking process needs to be done in the web UI by @mtreinish .

Information

• Qiskit Honeywell Provider version: 0.1.0
• Python version: 3.9.5
• Operating system: archlinux 5.14.6

What is the current behavior?

When importing honeywell-provider with code

from qiskit.providers.honeywell import Honeywell

prompted with ModuleNotFound Error, "Marshmallow" not found

Steps to reproduce the problem

"pip install qiskit-honeywell-provider"
"from qiskit.providers.honeywell import Honeywell"

What is the expected behavior?

Provider should be imported without error

Suggested solutions

I manually install marshmallow using pip then everything works. Perhaps we should add it to the dependency file?

Information

I was wondering what the status of this package is? Is it meant to be currently operational?
Are there plans to have it in pypi?

• Qiskit Quantinuum Provider version: master
• Python version: 3.9.13
• Operating system: ubuntu 22.04

What is the current behavior?

Currently installing qiskit-quantinuum-provider via source (as shown in #27 ) seems to not work for me.

It seems that the package tries to establish/verify credentials on import. For example running from qiskit_quantinuum import Quantinuum from a command-line interpreter just gets stuck.
Running that from within a jupyter notebook brings out my browser's keyring dialog, which I can't seem to get through.

Assuming this package is actually meant to be operational(?), it could make sense to separate importing from any sort of account management. Since I can't import the package, I can't delete/load/save any account info.

Steps to reproduce the problem

run from qiskit_quantinuum import Quantinuum from a command-line interpreter.

What is the expected behavior?

import succeeds and one can run commands to manage account (i.e. login, delete, save)

Suggested solutions

would be good to have it clearly stated if this package is actually meant to be used.
Thanks!