Story #2041
closed
As a user, I can whitelist packages to sync with standard python syntax
100%
Description
This story is to use the syntax from python requirements[0] files to specify which packages should be synced. This story does NOT include directly uploading a requirements.txt (though that feature could be discussed in another issue).
Note:
It doesn't make sense for Pulp to support all of the possible syntaxes in a requirements file (like specifying a local file).
Background:
At the time of writing, pulp-python only supports a whitelist of project names, but this whitelist should become more granular and flexible.
Specifiers [1][2]
It would be ideal to support multiple levels of filtering:
- project name
- version specifiers (including gt, lt, range)
- specific python distributions (specified by hash) [3]
Allowing users to specify python distributions by hashes [3] will significantly improve 2 of our use cases:
- reproducible, deterministic builds
- improved security
Related Ideas:
These ideas are related to the implementation of this story, but if they are accepted, they should be filed separately.
- Create a whitelist from a requirements.txt
- Create a whitelist from a Pipfile (pipenv)
- Create a whitelist from a Pipfile.lock (pipenv)
- Create a whitelist from a python toml file
[0]: https://pip.pypa.io/en/stable/user_guide/#requirements-files
[1]: https://www.python.org/dev/peps/pep-0440/
[2]: https://www.python.org/dev/peps/pep-0508/
[3]: https://pip-python3.readthedocs.io/en/latest/reference/pip_install.html#hash-checking-mode
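The three filter levels listed under Specifiers (project name, version specifier, distribution hash), sketched as an added example that is not pulp-python's code. The function names are hypothetical, and it assumes dotted numeric versions only (a subset of PEP 440) and `--hash=sha256:` pins in the form pip's hash-checking mode uses; local paths, URLs and pip options are rejected, as the Note in the description suggests.

```python
import hashlib
import operator
import re

# Assumption: versions are dotted numeric releases only (no pre/post/dev or
# epoch segments), a deliberate subset of PEP 440; other versions raise.
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
NAME = re.compile(r"([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)\s*(.*)$")
SPEC = re.compile(r"(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)$")

def normalize(name):
    return re.sub(r"[-_.]+", "-", name).lower()  # PEP 503 name normalization

def release(version):
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 1.0 and 1.0.0 as equal
        parts.pop()
    return tuple(parts)

def parse_entry(line):
    """Return (name, [(op, release)], {sha256 digests}) or raise ValueError."""
    req, *opts = re.split(r"\s+--hash=", line.strip())
    if req.startswith(("-", ".", "/")) or "://" in req or "@" in req:
        raise ValueError("unsupported entry (option, path or URL): " + line)
    m = NAME.match(req)
    if not m:
        raise ValueError("bad project name: " + line)
    specs = []
    for part in filter(None, (p.strip() for p in m.group(2).split(","))):
        s = SPEC.match(part)
        if not s:
            raise ValueError("unsupported specifier: " + part)
        specs.append((s.group(1), release(s.group(2))))
    hashes = set()
    for opt in opts:
        algo, _, digest = opt.strip().partition(":")
        if algo != "sha256" or not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError("unsupported hash: " + opt)
        hashes.add(digest)
    return normalize(m.group(1)), specs, hashes

def allowed(entry, name, version, content):
    """True if a candidate distribution passes all three filter levels."""
    want_name, specs, hashes = entry
    if normalize(name) != want_name or not all(
            OPS[op](release(version), bound) for op, bound in specs):
        return False
    return not hashes or hashlib.sha256(content).hexdigest() in hashes
```

When an entry carries a hash, a distribution with the right name and version but different bytes is refused, which is what gives the reproducibility and security properties the description mentions.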
Related issues
Updated by amacdona@redhat.com over 8 years ago
- Related to Story #138: As a user, I can express how many old versions of a package to keep during sync added
Updated by amacdona@redhat.com over 8 years ago
requirements.txt format is also the output of `pip freeze`, so it would be very simple to convert an environment into a repository.
Updated by amacdona@redhat.com over 8 years ago
- Subject changed from As a user, I can pass package names as requirements.txt to As a user, I can pass project names as requirements.txt
Updated by semyers over 8 years ago
- Groomed changed from No to Yes
Whoa this is a cool idea. I love it.
Does pip make it easy to get at the requirements.txt parser so we don't have to write one? :)
Updated by amacdona@redhat.com over 8 years ago
- Sprint Candidate changed from No to Yes
Updated by bizhang about 8 years ago
- Status changed from NEW to POST
- Assignee set to bizhang
Updated by pcreech about 8 years ago
- Status changed from POST to NEW
- Assignee deleted (bizhang)
Updated by amacdona@redhat.com about 8 years ago
- Sprint Candidate changed from Yes to No
Updated by amacdona@redhat.com over 6 years ago
- Subject changed from As a user, I can pass project names as requirements.txt to As a user, I can whitelist packages to sync with standard python syntax
- Description updated (diff)
Updated by amacdona@redhat.com over 6 years ago
- Related to Story #2040: As a user, I can choose which package types to sync added
Updated by bizhang over 6 years ago
- Related to deleted (Story #138: As a user, I can express how many old versions of a package to keep during sync)
Updated by bizhang over 6 years ago
- Status changed from NEW to POST
- Assignee set to bizhang
Added by werwty over 6 years ago
Updated by werwty over 6 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset fecf6314947b57a8fcfd2692b52b92ac720e659a.
As a user, I can whitelist packages to sync with standard python syntax
closes #2041 https://pulp.plan.io/issues/2041