"devpi-constrained: an index for devpi-server that provides a constrained list of packages from its bases"
Project description
devpi-constrained: releases filter for devpi-server
This plugin adds a constrained index to devpi-server. The constrained index is read-only and filters releases from its bases similar to Constraints Files in pip.
Installation
devpi-constrained needs to be installed alongside devpi-server to enable constrained indexes.
You can install it with:
pip install devpi-constrained
There is no configuration needed as devpi-server will automatically discover the plugin through calling hooks using the setuptools entry points mechanism.
Motivation
It is often useful to filter Python packages available for installation. For example:
Filter package versions with known security issues
Provide a “Known Good Set” of packages which have been tested
Prevent installation of packages with incompatible licenses
Allow only vetted packages
Block package versions with breaking changes
With devpi-constrained it is possible to provide a package index which enables all of the above and more.
Usage
Create a constrained index with root/pypi as base:
$ devpi index -c prod/devpi type=constrained bases=root/pypi
https://example.com/prod/devpi:
type=constrained
bases=root/pypi
volatile=True
acl_upload=root
acl_toxresult_upload=:ANONYMOUS:
constraints=
mirror_whitelist=
$ devpi use prod/devpi
With no constraints set, all releases are available from root/pypi.
Let's add a constraint for pip:
$ devpi index constraints+="pip==6.0"
/prod/devpi constraints+=pip==6.0
https://example.com/prod/devpi?no_projects=:
type=constrained
bases=root/pypi
volatile=True
acl_upload=root
acl_toxresult_upload=:ANONYMOUS:
constraints=pip==6.0
mirror_whitelist=
Now only pip 6.0 will be listed when looking for releases of pip:
$ devpi list --all pip
http://localhost:3141/root/pypi/+f/610/3897f1bb68d3f/pip-6.0.tar.gz
http://localhost:3141/root/pypi/+f/5ec/6732505bd8be4/pip-6.0-py2.py3-none-any.whl
All other packages are still unconstrained.
To block everything else we add the * constraint:
$ devpi index constraints+="*"
/prod/devpi constraints+=*
https://example.com/prod/devpi?no_projects=:
type=constrained
bases=root/pypi
volatile=True
acl_upload=root
acl_toxresult_upload=:ANONYMOUS:
constraints=pip==6.0,*
mirror_whitelist=
This is a difference from pip constraints, where blocking all other packages isn't possible. Projects without a constraint are now unavailable:
$ devpi list --all devpi-server
GET https://example.com/prod/devpi/devpi-server/
404 Not Found: no project 'devpi-server'
The constraints option can be set in bulk from a file. Create a file constraints.txt with one constraint per line:
pip<8,>4
# a comment
devpi-server>=4
Set the constraints option on your index from the file:
$ devpi index constraints="$(cat constraints.txt)"
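To preview what a constraints.txt would expose before setting it on an index, the filtering described in this section can be modelled offline. This is an added example, not code from devpi-constrained; the function names are hypothetical, and it assumes dotted numeric versions, the comparison operators shown above, and PEP 503 name matching rather than full PEP 440 handling.

```python
import re

# Simplified model: dotted numeric versions only, not full PEP 440.
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b}
LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
CLAUSE = re.compile(r"^(==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)$")

def normalize(name):
    """PEP 503 project-name normalization (assumed here for name matching)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def version_key(version):
    """'6.0' -> (6,); trailing zeros dropped so 6.0 == 6. ValueError if not numeric."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_constraints(text):
    """Return ({project: [(op, bound), ...]}, block_unlisted) from constraints.txt text."""
    rules, block_unlisted = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "*":          # "*" blocks every project not listed by name
            block_unlisted = True
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        clauses = rules.setdefault(normalize(m.group(1)), [])
        for part in filter(None, (p.strip() for p in m.group(2).split(","))):
            c = CLAUSE.match(part)
            if not c:
                raise ValueError(f"unsupported clause: {part!r}")
            clauses.append((c.group(1), version_key(c.group(2))))
    return rules, block_unlisted

def visible_releases(project, versions, rules, block_unlisted):
    """Versions of `project` this model predicts the constrained index still lists."""
    clauses = rules.get(normalize(project))
    if clauses is None:
        return [] if block_unlisted else list(versions)
    kept = []
    for v in versions:
        try:
            key = version_key(v)
        except ValueError:
            continue             # not modelled here (e.g. pre-releases): left out
        if all(OPS[op](key, bound) for op, bound in clauses):
            kept.append(v)
    return kept

# Constructed sample: the constraints.txt from the text above plus "*".
SAMPLE = "pip<8,>4\n# a comment\ndevpi-server>=4\n*\n"
```

Without a `*` line the model returns every version of an unlisted project, which matches the "All other packages are still unconstrained" behaviour shown earlier.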
Changelog
2.0.1 - 2023-03-18
Fix filtering of simple links page. [EvaSDK (Gilles Dartiguelongue)]
2.0.0 - 2023-02-21
Remove support for Python <= 3.6.
Add testing for Python 3.8, 3.9, 3.10, 3.11 and PyPy-3.7.
Require devpi-server >= 6.2.0.
1.0.0 - 2019-08-05
Initial release. [fschulze (Florian Schulze)]
Hashes for devpi_constrained-2.0.1-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | a9d0cb4105f802d9f7634cfffc544e74b41aa69e0aa5c1bed106a5831c25f755
MD5 | 477ae321be320452afad0f77e7f25f1b
BLAKE2b-256 | 0428d4307eedaf7864e3ebb24758a58d830ae6095fa968dbb8560901ce1503ee