Story #2041
closedAs a user, I can whitelist packages to sync with standard python syntax
100%
Description
This story is to use the syntax from python requirements[0] files to specify which packages should be synced. This story does NOT include directly uploading a requirements.txt (though that feature could be discussed in another issue)
Note:
It doesn't make sense for Pulp to support all of the possible syntaxes in a requirements file (like specifying a local file).
Background:¶
At the time of writing, pulp-python only supports a whitelist of project names, but this whitelist should become more granular and flexible.
Specifiers [1][2]¶
It would be ideal to support multiple levels of filtering:
- project name
- version specifiers (including gt, lt, range)
- specific python distributions (specified by hash) [3]
Allowing users to specify python distributions by hashes [3] will significantly improve 2 of our use cases:
- reproducible, deterministic builds
- improved security
Related Ideas:¶
These ideas are related to the implementation of this story, but if they are accepted, they should be filed separately.
- Create a whitelist from a requirements.txt
- Create a whitelist from a Pipfile (pipenv)
- Create a whitelist from a Pipfile.lock (pipenv)
- Create a whitelist from a python toml file
[0]: https://pip.pypa.io/en/stable/user_guide/#requirements-files
[1]: https://www.python.org/dev/peps/pep-0440/
[2]: https://www.python.org/dev/peps/pep-0508/
[3]: https://pip-python3.readthedocs.io/en/latest/reference/pip_install.html#hash-checking-mode
Related issues
As a user, I can whitelist packages to sync with standard python syntax
closes #2041 https://pulp.plan.io/issues/2041