
Story #4690

Implement package locking / digest specification

Added by dalley over 1 year ago. Updated over 1 year ago.

Status: NEW
Priority: Normal
Assignee: -
Sprint/Milestone: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Target Release - Python:
Groomed: No
Sprint Candidate: No
Tags:
Sprint:

Description

There are two primary ways that I can foresee implementing this.

  1. Either make a self-contained object that can be created from pipenv.lock, or something similar, which contains a full listing of all packages, their versions, and their digests being used, and allow it to be linked to the remote and supplement or take the place of the remote's own include and exclude settings when being used, or
  2. Make a separate field called "locked_versions", that would supplement or take the place of the includes or excludes fields when being used

Both of these designs would:

  • Simplify the sync codepaths dramatically
  • Enforce the fact that digests only make sense in the context of a single release
  • Provide more guarantees to the repo owner that when they are using digests for reproducibility, they have a solid guarantee that the entire contents of the repository is the reproducible set

They would also:

  • Make it possible to simplify the format of "includes" and "excludes".
      • We could let them accept an array of requirements.txt-style strings instead of dictionaries. e.g. includes:='["django>=1,<=2.1,==2.3", "flask==2.0.1", "bottle~=3.2"]'
      • This might be a little harder to validate so maybe we wouldn't do this, but it's possible and I think it would make Pulp feel a lot more familiar
  • Open up the possibility for adding various strict modes
      • maybe in strict mode, you're only allowed to have one release per project (with or without providing digests)
      • maybe in strict mode, you're only allowed to have locked versions on the remote (no using includes/excludes), and providing hashes is enforced for all locked versions, similar to how pip behaves in hash-checking mode
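
The locked-versions idea and the strict modes described above can be sketched as follows. This is an added example, not part of the original issue and not Pulp's code: it builds a locked set from Pipfile.lock-style JSON, rejects anything not pinned to one release, reports projects that would fail a hashes-required strict mode, and gates an artifact at sync time. All function names and the sample lock data are hypothetical and constructed for illustration.

```python
import json
import re

# Constructed sample in Pipfile.lock layout; the digests are placeholder values.
SAMPLE_LOCK = json.dumps({
    "default": {
        "Flask": {"version": "==2.0.1",
                  "hashes": ["sha256:" + "a" * 64, "sha256:" + "b" * 64]},
        "bottle": {"version": "==0.12.19", "hashes": []},
    },
})

PIN = re.compile(r"^==([^*,\s]+)$")            # one exact release, no ranges or wildcards
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")  # assumption: sha256 digests only


def normalize(name):
    """PEP 503 project-name normalisation."""
    return re.sub(r"[-_.]+", "-", name).lower()


def locked_versions_from_lock(text, sections=("default",)):
    """Build {project: {"version", "digests"}} from Pipfile.lock JSON text."""
    locked = {}
    for section in sections:
        for name, entry in json.loads(text).get(section, {}).items():
            pin = PIN.match(entry.get("version", ""))
            if not pin:
                raise ValueError(f"{name}: not pinned to a single release")
            digests = set(entry.get("hashes", []))
            if any(not DIGEST.match(d) for d in digests):
                raise ValueError(f"{name}: malformed digest")
            slot = locked.setdefault(normalize(name), {"version": pin.group(1), "digests": set()})
            if slot["version"] != pin.group(1):
                raise ValueError(f"{name}: more than one release locked")
            slot["digests"] |= digests
    return locked


def strict_violations(locked):
    """Strict mode: every locked project must carry at least one digest."""
    return sorted(name for name, entry in locked.items() if not entry["digests"])


def artifact_allowed(locked, project, version, sha256_hex):
    """Sync-time gate: only the locked release with a listed digest passes."""
    entry = locked.get(normalize(project))
    return bool(entry and entry["version"] == version
                and "sha256:" + sha256_hex in entry["digests"])
```
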

Related issues

Related to Python Support - Story #4711: As a user, I can specify Remote.includes with a requirements.txt (NEW)

Related to Python Support - Story #4713: As a user, I can specify Remote.includes with a pipenv.lock files (NEW)

Related to Python Support - Story #6929: As a User, I can configure Pulp Python remotes using a Bandersnatch config file (MODIFIED)

History

#1 Updated by dalley over 1 year ago

  • Description updated (diff)

#2 Updated by dalley over 1 year ago

  • Description updated (diff)

#3 Updated by dalley over 1 year ago

  • Subject changed from Change the way digest specification works to better match how the ecosystem works to Implement package locking / digest specification
  • Description updated (diff)

#4 Updated by bmbouter over 1 year ago

  • Tags deleted (Pulp 3)

#5 Updated by dalley 2 months ago

  • Related to Story #6875: [Meta] Integrate with Bandersnatch added

#6 Updated by dalley 2 months ago

  • Related to Story #4711: As a user, I can specify Remote.includes with a requirements.txt added

#7 Updated by dalley 2 months ago

  • Related to Story #4713: As a user, I can specify Remote.includes with a pipenv.lock files added

#8 Updated by dalley about 2 months ago

  • Related to deleted (Story #6875: [Meta] Integrate with Bandersnatch)

#9 Updated by dalley about 2 months ago

  • Related to Story #6929: As a User, I can configure Pulp Python remotes using a Bandersnatch config file added
