
Story #2041

Updated by amacdona@redhat.com over 1 year ago

This story is to use the syntax from python requirements files [0] to specify which packages should be synced. `requirements.txt` is the standard way to list pip installable requirements; it would be very convenient and intuitive to Python folks if we could consume that standard. This story does NOT include directly uploading a requirements.txt (though that feature could be discussed in another issue).

Note:
It doesn't make sense for Pulp to support all of the possible syntaxes in a requirements file (like specifying a local file).

h3. Background:

At the time of writing, pulp-python only supports a whitelist of project names, but this whitelist should become more granular and flexible.

h3. Specifiers [1][2]

It would be ideal to support multiple levels of filtering:
* project name
* version numbers (requirements files can also pin version specifiers, including gt, lt and ranges)
* specific python distributions (specified by hash) [3]

Allowing users to specify python distributions by hashes [3] will significantly improve two of our use cases:
* reproducible, deterministic builds
* improved security (a distribution whose content does not match a pinned digest is rejected even when its name and version match)
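As an added example (not code from the Pulp project or from this story's author), the following Python sketch applies the three filtering levels above to a constructed catalogue. It parses only the subset of requirements syntax worth supporting for a sync filter (project name, PEP 440 comparison operators on plain release versions, `--hash=sha256:` options with line continuations), refuses the rest (pip options, local paths, URL and direct references, environment markers), and enforces pip's all-or-nothing hash-checking rule. The catalogue, its digests, and every function and constant name are assumptions made for this example; a real implementation would use the `packaging` library for full PEP 440 semantics (pre-releases, epochs, `==X.*` wildcards) rather than the simplified comparison here.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


class RequirementsError(ValueError):
    """Raised for requirements-file content the sync filter refuses to act on."""


# Constructed catalogue standing in for what a remote index advertises, as
# (project, version, sha256). Digests are of placeholder bytes, NOT real PyPI digests.
CATALOGUE: List[Tuple[str, str, str]] = [
    ("Django", "2.2.0", hashlib.sha256(b"django-2.2.0").hexdigest()),
    ("Django", "3.1.4", hashlib.sha256(b"django-3.1.4").hexdigest()),
    ("Django", "3.2.0", hashlib.sha256(b"django-3.2.0").hexdigest()),
    ("requests", "2.25.1", hashlib.sha256(b"requests-2.25.1").hexdigest()),
    ("requests", "2.31.0", hashlib.sha256(b"requests-2.31.0").hexdigest()),
]

_REQ_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(?:\[[^\]]*\])?\s*(.*)$")
_SPEC_RE = re.compile(r"^(==|!=|<=|>=|~=|<|>)\s*(\S+)$")
_HASH_RE = re.compile(r"^sha256:([0-9a-f]{64})$")


@dataclass
class Requirement:
    name: str                                       # PEP 503 normalized project name
    specifiers: List[Tuple[str, tuple]] = field(default_factory=list)   # (op, version)
    hashes: Set[str] = field(default_factory=set)   # allowed sha256 hex digests


def _match(pattern, text: str, what: str):
    m = re.fullmatch(pattern, text)
    if not m:
        raise RequirementsError(f"unsupported {what}: {text!r}")
    return m


def normalize_name(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple:
    # Release segment only: "1.2.3" -> (1, 2, 3). Pre/post/dev/local versions are refused.
    _match(r"\d+(\.\d+)*", text, "version")
    return tuple(int(p) for p in text.split("."))


def _cmp(a: tuple, b: tuple) -> int:
    n = max(len(a), len(b))  # PEP 440: trailing zeros are insignificant, 2.2 == 2.2.0
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version: tuple, op: str, want: tuple) -> bool:
    c = _cmp(version, want)
    if op == "~=":  # compatible release: ~=2.2 is >=2.2,<3 and ~=2.2.1 is >=2.2.1,<2.3
        if len(want) < 2:
            raise RequirementsError("~= needs at least two version components")
        return c >= 0 and _cmp(version, want[:-2] + (want[-2] + 1,)) < 0
    return {"==": c == 0, "!=": c != 0, "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]


def parse_line(text: str) -> Requirement:
    if text.startswith("-") or "/" in text or "@" in text or ";" in text:
        # pip options (-e, -r, --index-url), local paths, URL/direct references and
        # environment markers are out of scope for a sync filter: refuse, don't guess.
        raise RequirementsError(f"refusing non-index requirement: {text!r}")
    req_text, *hash_parts = re.split(r"\s+--hash=", text)
    m = _match(_REQ_RE, req_text.strip(), "requirement")
    req = Requirement(normalize_name(m.group(1)))
    for spec in filter(None, (s.strip() for s in m.group(2).split(","))):
        sm = _match(_SPEC_RE, spec, "specifier")
        req.specifiers.append((sm.group(1), parse_version(sm.group(2))))
    for part in hash_parts:
        req.hashes.add(_match(_HASH_RE, part.strip(), "hash option").group(1))
    return req


def parse_requirements(text: str) -> Dict[str, Requirement]:
    reqs: Dict[str, Requirement] = {}
    for raw in text.replace("\\\n", " ").splitlines():  # join continuation lines first
        line = raw.split("#", 1)[0].strip()              # then drop comments
        if line:
            req = parse_line(line)
            reqs[req.name] = req
    return reqs


def filter_catalogue(reqs: Dict[str, Requirement], catalogue=CATALOGUE) -> List[Tuple[str, str, str]]:
    # pip's hash-checking mode is all-or-nothing: one hashed line pins the whole file.
    if any(r.hashes for r in reqs.values()) and not all(r.hashes for r in reqs.values()):
        raise RequirementsError("hash-checking mode requires a hash on every requirement")
    allowed = []
    for project, version, digest in catalogue:
        req = reqs.get(normalize_name(project))
        if req is None:
            continue  # project is not whitelisted at all
        if not all(satisfies(parse_version(version), op, want) for op, want in req.specifiers):
            continue  # version falls outside the pinned range
        if req.hashes and digest not in req.hashes:
            continue  # content does not match any pinned digest: do not sync it
        allowed.append((project, version, digest))
    return allowed


def rejects(text: str) -> bool:
    try:
        filter_catalogue(parse_requirements(text))
        return False
    except RequirementsError:
        return True
```

Two design points worth noting. First, a hash pin never widens the filter: a distribution with the right name and version but a digest that matches none of the `--hash` values is simply excluded, which is the reproducibility and security property the story wants. Second, the parser raises on anything it does not understand (a local path, a `-e` line, a marker, a pre-release version) instead of silently ignoring it, so a user cannot believe a constraint is enforced when it is not; duplicate project lines are likewise outside what this sketch handles.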

h3. Related Ideas:

These ideas are related to the implementation of this story, but if they are accepted, they should be filed separately. https://pulp.plan.io/issues/138 should be considered as well.
# Create a whitelist from a requirements.txt
# Create a whitelist from a Pipfile (pipenv)
# Create a whitelist from a Pipfile.lock (pipenv)
# Create a whitelist from a python toml file

[0]: https://pip.pypa.io/en/stable/user_guide/#requirements-files
[1]: https://www.python.org/dev/peps/pep-0440/
[2]: https://www.python.org/dev/peps/pep-0508/
[3]: https://pip-python3.readthedocs.io/en/latest/reference/pip_install.html#hash-checking-mode