devpi-constrained


:Name: devpi-constrained
:Version: 2.0.1
:home_page: https://github.com/fschulze/devpi-constrained
:Summary: "devpi-constrained: an index for devpi-server that provides a constrained list of packages from its bases"
:upload_time: 2023-03-18 11:16:48
:author: Florian Schulze
:requires_python: >=3.7
:license: MIT

devpi-constrained: releases filter for devpi-server
===================================================

This plugin adds a *constrained* index to `devpi-server`_.
The *constrained* index is read-only and filters releases from its bases, similar to `Constraints Files`_ in `pip`_.

.. _devpi-server: http://pypi.python.org/pypi/devpi-server
.. _Constraints Files: https://pip.pypa.io/en/stable/user_guide/#constraints-files
.. _pip: https://pip.pypa.io/


Installation
------------

``devpi-constrained`` needs to be installed alongside ``devpi-server`` to enable *constrained* indexes.

You can install it with::

    pip install devpi-constrained

No configuration is needed: ``devpi-server`` discovers the plugin automatically through the setuptools entry points mechanism and calls its hooks.


Motivation
----------

It is often useful to filter Python packages available for installation.
For example:

- Filter package versions with known security issues
- Provide a "Known Good Set" of packages which have been tested
- Prevent installation of packages with incompatible licenses
- Only allow vetted packages
- Block package versions with breaking changes

With ``devpi-constrained`` it is possible to provide a package index which enables all of the above and more.


Usage
-----

Create a *constrained* index with ``root/pypi`` as base:

.. code-block::

    $ devpi index -c prod/devpi type=constrained bases=root/pypi
    https://example.com/prod/devpi:
      type=constrained
      bases=root/pypi
      volatile=True
      acl_upload=root
      acl_toxresult_upload=:ANONYMOUS:
      constraints=
      mirror_whitelist=

    $ devpi use prod/devpi

With no constraints set, all releases are available from ``root/pypi``.

Let's add a constraint for ``pip``:

.. code-block::

    $ devpi index constraints+="pip==6.0"
    /prod/devpi constraints+=pip==6.0
    https://example.com/prod/devpi?no_projects=:
      type=constrained
      bases=root/pypi
      volatile=True
      acl_upload=root
      acl_toxresult_upload=:ANONYMOUS:
      constraints=pip==6.0
      mirror_whitelist=

Now only ``pip 6.0`` will be listed when looking for releases of ``pip``:

.. code-block::

    $ devpi list --all pip
    http://localhost:3141/root/pypi/+f/610/3897f1bb68d3f/pip-6.0.tar.gz
    http://localhost:3141/root/pypi/+f/5ec/6732505bd8be4/pip-6.0-py2.py3-none-any.whl

All other packages are still unconstrained.

To block everything else we add the ``*`` constraint:

.. code-block::

    $ devpi index constraints+="*"
    /prod/devpi constraints+=*
    https://example.com/prod/devpi?no_projects=:
      type=constrained
      bases=root/pypi
      volatile=True
      acl_upload=root
      acl_toxresult_upload=:ANONYMOUS:
      constraints=pip==6.0,*
      mirror_whitelist=

This is a difference from ``pip`` constraints, where blocking everything else isn't possible.
A project without a constraint of its own is no longer found:

.. code-block::

    $ devpi list --all devpi-server
    GET https://example.com/prod/devpi/devpi-server/
    404 Not Found: no project 'devpi-server'

The ``constraints`` option can be set in bulk from a file.
Create a file ``constraints.txt`` with one constraint per line::

    pip<8,>4
    # a comment
    devpi-server>=4

Set the ``constraints`` option on your index from the file::

    $ devpi index constraints="$(cat constraints.txt)"
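
The filtering rules walked through above (a per-project constraint, the ``*`` catch-all, and a constraints file with comments), modelled offline as an added example. This is not devpi-constrained's own code: the names ``parse_constraints``, ``visible`` and ``SAMPLE`` are made up for the illustration, and it assumes plain dotted numeric versions and only the comparison operators listed in ``OPS``.

```python
import operator
import re

# Simplified model: dotted numeric versions and these operators only.
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
SPEC_RE = re.compile(r"(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)$")
LINE_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")

def vkey(version):
    """'6.0' -> (6,): trailing zeros are dropped so 6.0 equals 6."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def normalize(name):  # PEP 503 project name normalization
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_constraints(text):
    """Return ({project: [(compare, version_key), ...]}, block_rest)."""
    rules, block_rest = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line == "*":  # catch-all: hide every project without a rule
            block_rest = True
            continue
        head = LINE_RE.match(line)
        if head is None:
            raise ValueError(f"bad constraint line: {raw!r}")
        clauses = rules.setdefault(normalize(head.group(1)), [])
        for spec in filter(None, map(str.strip, head.group(2).split(","))):
            found = SPEC_RE.match(spec)
            if found is None:
                raise ValueError(f"unsupported constraint: {raw!r}")
            clauses.append((OPS[found.group(1)], vkey(found.group(2))))
    return rules, block_rest

def visible(project, versions, rules, block_rest):
    """Versions of `project` that stay listed behind the constraints."""
    clauses = rules.get(normalize(project))
    if clauses is None:  # project has no rule of its own
        return [] if block_rest else list(versions)
    return [v for v in versions if all(cmp(vkey(v), want) for cmp, want in clauses)]

# Constructed sample: the README's constraints.txt plus the "*" catch-all.
SAMPLE = "pip<8,>4\n# a comment\ndevpi-server>=4\n*\n"
```

Running a candidate ``constraints.txt`` through such a model before applying it shows which projects the ``*`` line would hide and which pinned versions stay reachable.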

Changelog
=========

2.0.1 - 2023-03-18
------------------

- Fix filtering of simple links page.
  [EvaSDK (Gilles Dartiguelongue)]


2.0.0 - 2023-02-21
------------------

- Remove support for Python <= 3.6.

- Add testing for Python 3.8, 3.9, 3.10, 3.11 and PyPy-3.7.

- Require devpi-server >= 6.2.0.


1.0.0 - 2019-08-05
------------------

- Initial release.
  [fschulze (Florian Schulze)]



            
