Skip to main content

"devpi-constrained: an index for devpi-server that provides a constrained list of packages from it's bases"

Project description

devpi-constrained: releases filter for devpi-server

This plugin adds a constrained index to devpi-server. The constrained index is read-only and filters releases from its bases similar to Constraints Files in pip.

Installation

devpi-constrained needs to be installed alongside devpi-server to enable constrained indexes.

You can install it with:

pip install devpi-constrained

There is no configuration needed as devpi-server will automatically discover the plugin through calling hooks using the setuptools entry points mechanism.

Motivation

It is often useful to filter Python packages available for installation. For example:

  • Filter package versions with known security issues

  • Provide a “Known Good Set” of packages which have been tested

  • Prevent installation of packages with incompatible licenses

  • Only allowing vetted packages

  • Block package versions with breaking changes

With devpi-constrained it is possible to provide a package index which enables all of the above and more.

Usage

Create a constrained index with root/pypi as base:

$ devpi index -c prod/devpi type=constrained bases=root/pypi
https://example.com/prod/devpi:
  type=constrained
  bases=root/pypi
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  constraints=
  mirror_whitelist=

$ devpi use prod/devpi

With no constraints set, all releases are available from root/pypi.

Lets add a constraint for pip:

$ devpi index constraints+="pip==6.0"
/prod/devpi constraints+=pip==6.0
https://example.com/prod/devpi?no_projects=:
  type=constrained
  bases=root/pypi
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  constraints=pip==6.0
  mirror_whitelist=

Now only pip 6.0 will be listed when looking for releases of pip:

$ devpi list --all pip
http://localhost:3141/root/pypi/+f/610/3897f1bb68d3f/pip-6.0.tar.gz
http://localhost:3141/root/pypi/+f/5ec/6732505bd8be4/pip-6.0-py2.py3-none-any.whl

All other packages are still unconstrained.

To block everything else we add the * constraint:

$ devpi index constraints+="*"
/prod/devpi constraints+=*
https://example.com/prod/devpi?no_projects=:
  type=constrained
  bases=root/pypi
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  constraints=pip==6.0,*
  mirror_whitelist=

This is the difference to pip constraints, where this isn’t possible.

$ devpi list --all devpi-server
GET https://example.com/prod/devpi/devpi-server/
404 Not Found: no project 'devpi-server'

The constraints option can be set in bulk from a file. Create a file constraints.txt with each constraint in one line:

pip<8,>4
# a comment
devpi-server>=4

Set the constraints option on your index from the file:

$ devpi index constraints="$(cat constraints.txt)"

Changelog

2.0.1 - 2023-03-18

  • Fix filtering of simple links page. [EvaSDK (Gilles Dartiguelongue)]

2.0.0 - 2023-02-21

  • Remove support for Python <= 3.6.

  • Add testing for Python 3.8, 3.9, 3.10, 3.11 and PyPy-3.7.

  • Require devpi-server >= 6.2.0.

1.0.0 - 2019-08-05

  • Initial release. [fschulze (Florian Schulze)]

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

devpi-constrained-2.0.1.tar.gz (9.1 kB view hashes)

Uploaded Source

Built Distribution

devpi_constrained-2.0.1-py3-none-any.whl (5.6 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page