"devpi-constrained: an index for devpi-server that provides a constrained list of packages from its bases"

Project description

devpi-constrained: releases filter for devpi-server

This plugin adds a constrained index to devpi-server. The constrained index is read-only and filters releases from its bases similar to Constraints Files in pip.

Installation

devpi-constrained needs to be installed alongside devpi-server to enable constrained indexes.

You can install it with:

pip install devpi-constrained

There is no configuration needed as devpi-server will automatically discover the plugin through calling hooks using the setuptools entry points mechanism.

Motivation

It is often useful to filter Python packages available for installation. For example:

  • Filter package versions with known security issues

  • Provide a “Known Good Set” of packages which have been tested

  • Prevent installation of packages with incompatible licenses

  • Only allow vetted packages

  • Block package versions with breaking changes

With devpi-constrained it is possible to provide a package index which enables all of the above and more.

Usage

Create a constrained index with root/pypi as base:

$ devpi index -c prod/devpi type=constrained bases=root/pypi
https://example.com/prod/devpi:
  type=constrained
  bases=root/pypi
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  constraints=
  mirror_whitelist=

$ devpi use prod/devpi

With no constraints set, all releases are available from root/pypi.

Let's add a constraint for pip:

$ devpi index constraints+="pip==6.0"
/prod/devpi constraints+=pip==6.0
https://example.com/prod/devpi?no_projects=:
  type=constrained
  bases=root/pypi
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  constraints=pip==6.0
  mirror_whitelist=

Now only pip 6.0 will be listed when looking for releases of pip:

$ devpi list --all pip
http://localhost:3141/root/pypi/+f/610/3897f1bb68d3f/pip-6.0.tar.gz
http://localhost:3141/root/pypi/+f/5ec/6732505bd8be4/pip-6.0-py2.py3-none-any.whl

All other packages are still unconstrained.

To block everything else we add the * constraint:

$ devpi index constraints+="*"
/prod/devpi constraints+=*
https://example.com/prod/devpi?no_projects=:
  type=constrained
  bases=root/pypi
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  constraints=pip==6.0,*
  mirror_whitelist=

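This is where a constrained index differs from pip constraints, where this isn't possible. With the * constraint in place, a project that has no constraint of its own is no longer found: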

$ devpi list --all devpi-server
GET https://example.com/prod/devpi/devpi-server/
404 Not Found: no project 'devpi-server'

The constraints option can be set in bulk from a file. Create a file constraints.txt with one constraint per line:

pip<8,>4
# a comment
devpi-server>=4

Set the constraints option on your index from the file:

$ devpi index constraints="$(cat constraints.txt)"
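
The filtering rules walked through above, modelled as an added example (not devpi-constrained's own code) for reviewing a constraints.txt before it is set on an index. Assumptions: plain dotted numeric versions only, PEP 503 name normalization, and a bare project name allowing every version of that project; `parse_constraints` and `visible` are hypothetical helper names.

```python
import re

# Constructed sample: the page's constraints.txt plus the "*" line.
SAMPLE = "pip<8,>4\n# a comment\ndevpi-server>=4\n*\n"

_OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
        "<": lambda a, b: a < b, ">": lambda a, b: a > b}
_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC = re.compile(r"^(==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)$")

def _norm(name):
    # Assumption: project names compare after PEP 503 normalization.
    return re.sub(r"[-_.]+", "-", name).lower()

def _key(version):
    # Simplification: dotted numeric releases only; 6.0 and 6.0.0 compare equal.
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_constraints(text):
    """Return (rules, default_deny); rules maps project -> [(op, version key)]."""
    rules, default_deny = {}, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "*":  # projects without their own constraint are blocked
            default_deny = True
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        specs = []
        for part in filter(None, (p.strip() for p in m.group(2).split(","))):
            s = _SPEC.match(part)
            if not s:
                raise ValueError(f"line {lineno}: unsupported specifier {part!r}")
            specs.append((s.group(1), _key(s.group(2))))
        rules[_norm(m.group(1))] = specs  # assumption: bare name = all versions
    return rules, default_deny

def visible(project, versions, rules, default_deny):
    """Versions of `project` that pass the constraints under this model."""
    name = _norm(project)
    if name not in rules:
        return [] if default_deny else list(versions)
    return [v for v in versions
            if all(_OPS[op](_key(v), ref) for op, ref in rules[name])]
```

Specifier forms outside this model (for example pre-release versions) raise ValueError, so the check fails instead of guessing.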

Changelog

2.0.0 - 2023-02-21

  • Remove support for Python <= 3.6.

  • Add testing for Python 3.8, 3.9, 3.10, 3.11 and PyPy-3.7.

  • Require devpi-server >= 6.2.0.

1.0.0 - 2019-08-05

  • Initial release. [fschulze (Florian Schulze)]

Download files

Source Distribution

devpi-constrained-2.0.0.tar.gz (8.8 kB view details)

Uploaded Source

Built Distribution

devpi_constrained-2.0.0-py3-none-any.whl (5.6 kB view details)

Uploaded Python 3

File details

Details for the file devpi-constrained-2.0.0.tar.gz.

File metadata

  • Download URL: devpi-constrained-2.0.0.tar.gz
  • Size: 8.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: devpi-server/6.6.0 (py3.8.6; darwin)

File hashes

Hashes for devpi-constrained-2.0.0.tar.gz
Algorithm Hash digest
SHA256 a7fad50b0f1a35cd94da990c452dcccdc1376fd2c202719405d9aa694e201175
MD5 dd7e058e312004b3a8df4b169886e91a
BLAKE2b-256 6dff32ceac6698e4ba5d787cad5bb102501ef9d208858a0b5a21d1ea12dee517

File details

Details for the file devpi_constrained-2.0.0-py3-none-any.whl.

File hashes

Hashes for devpi_constrained-2.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 3457edbd1c516ccd04f651881d86f634df204c86efae8dd77c60d6056dbb8349
MD5 3d6c0f1aca4f6fb3847442d7c98d76b1
BLAKE2b-256 be1710a2e479b417e1d25a67ff52d7a70ba4eb1ded4b9c7e670272f924e685a7
