Project

Profile

Help

Story #2041

Updated by amacdona@redhat.com over 6 years ago

This story `requirements.txt` is to use the syntax from python requirements[0] files standard way to specify which packages should list pip installable requirements, it would be synced. This story does NOT include directly uploading a requirements.txt (though very convenient and intuitive to Python folks if we could consume that feature could be discussed in another issue) standard. 

 Note: 
 It doesn't make sense for Pulp to support all of the possible syntaxes in a requirements file (like specifying a local file).  

 h3. Background: 

 At the time of writing, pulp-python only supports a whitelist of project names, but this whitelist should become more granular and flexible. 

 h3. Specifiers [1][2] 

 It would be ideal to support multiple levels of filtering: 
 * project name 
 * Requirements files can also pin version specifiers (including gt, lt, range) 
 * specific python distributions (specified by hash) [3] 

 Allowing users to specify python distributions by hashes [3] will significantly improve 2 of our use cases: 
 * reproducible, deterministic builds 
 * improved security 

 h3. Related Ideas: 

 These ideas are related to the implementation of this story, but if they are accepted, they numbers, so https://pulp.plan.io/issues/138 should be filed separately. 
 # Create a whitelist from a requirements.txt  
 # Create a whitelist from a Pipfile (pipenv) 
 # Create a whitelist from a Pipfile.lock (pipenv) 
 # Create a whitelist from a python toml file 

 [0]: https://pip.pypa.io/en/stable/user_guide/#requirements-files 
 [1]: https://www.python.org/dev/peps/pep-0440/ 
 [2]: https://www.python.org/dev/peps/pep-0508/ 
 [3]: https://pip-python3.readthedocs.io/en/latest/reference/pip_install.html#hash-checking-mode considered as well.

Back