Story #2041

Updated by about 6 years ago

This story is to use the syntax from Python requirements files [0] to specify which packages should be synced. `requirements.txt` is the standard way to list pip installable requirements, so it would be very convenient and intuitive to Python folks if we could consume that standard. This story does NOT include directly uploading a requirements.txt (though that feature could be discussed in another issue).

 It doesn't make sense for Pulp to support all of the possible syntaxes in a requirements file (like specifying a local file).  

 h3. Background: 

 At the time of writing, pulp-python only supports a whitelist of project names, but this whitelist should become more granular and flexible. 

 h3. Specifiers [1][2] 

 It would be ideal to support multiple levels of filtering: 
 * project name 
 * Requirements files can also pin version specifiers (including gt, lt, range) 
 * specific python distributions (specified by hash) [3] 

 Allowing users to specify python distributions by hashes [3] will significantly improve 2 of our use cases: 
 * reproducible, deterministic builds 
 * improved security 

 h3. Related Ideas: 

 These ideas are related to the implementation of this story, but if they are accepted, they should be filed separately.
 # Create a whitelist from a requirements.txt  
 # Create a whitelist from a Pipfile (pipenv) 
 # Create a whitelist from a Pipfile.lock (pipenv) 
 # Create a whitelist from a python toml file 

 [3]: considered as well.
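
An added illustration of the three filter levels listed under Specifiers (example code, not pulp-python's own): a minimal parser for whitelist lines in requirements syntax that keeps project name, version specifiers and sha256 hashes, and rejects everything else, such as local files. The function names, the dict layout and the restriction to numeric dotted versions are assumptions made for this example.

```python
import re

# Assumption: numeric dotted versions and sha256 pins only (a subset of pip's syntax).
NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
SPEC = re.compile(r"^(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)$")
PIN = re.compile(r"^sha256:([0-9a-f]{64})$")
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def normalize(name):
    """PEP 503 name normalization, so 'Foo_Bar' and 'foo-bar' match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def release(version):
    """'1.10.0' -> (1, 10); trailing zeros dropped so 1.0 equals 1.0.0."""
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_entry(line):
    """Parse one whitelist line; return None for blank lines and comments."""
    line = re.sub(r"(^|\s)#.*$", "", line).strip()
    if not line:
        return None
    # Options (-r, -e), local paths and URLs are deliberately not supported.
    if line.startswith(("-", ".", "/")) or "://" in line:
        raise ValueError("unsupported requirement syntax: " + line)
    head, *pins = re.split(r"\s+--hash=", line)
    m = NAME.match(head)
    specs = [SPEC.match(s.strip()) for s in m.group(2).split(",")] if m and m.group(2) else []
    hashes = [PIN.match(p.strip()) for p in pins]
    if not m or None in specs or None in hashes:
        raise ValueError("unsupported requirement syntax: " + line)
    return {"name": normalize(m.group(1)),
            "specs": [s.groups() for s in specs],
            "hashes": {h.group(1) for h in hashes}}

def allows(entry, name, version, sha256):
    """True if a candidate distribution passes name, hash and version filters."""
    if normalize(name) != entry["name"]:
        return False
    if entry["hashes"] and sha256 not in entry["hashes"]:
        return False  # hash pins win: an unlisted digest is never synced
    if entry["specs"] and not re.fullmatch(r"\d+(\.\d+)*", version):
        return False  # assumption: non-numeric versions never satisfy a specifier
    return all(OPS[op](release(version), release(v)) for op, v in entry["specs"])
```

An entry with no specifiers and no hashes behaves like the existing project-name whitelist; each added specifier or hash only narrows what is accepted.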