Story #2041

Updated by over 3 years ago

This story is to use the syntax from Python requirements files [0] to specify which packages should be synced. `requirements.txt` is the standard way to list pip installable requirements, so it would be very convenient and intuitive to Python folks if we could consume that standard. This story does NOT include directly uploading a requirements.txt (though that feature could be discussed in another issue).

It doesn't make sense for Pulp to support all of the possible syntaxes in a requirements file (like specifying a local file).

h3. Background:

At the time of writing, pulp-python only supports a whitelist of project names, but this whitelist should become more granular and flexible.

h3. Specifiers [1][2]

It would be ideal to support multiple levels of filtering:
* project name
* version specifiers (including gt, lt, range), which requirements files can also pin
* specific python distributions (specified by hash) [3]

Allowing users to specify python distributions by hashes [3] will significantly improve 2 of our use cases:
* reproducible, deterministic builds
* improved security

h3. Related Ideas:

These ideas are related to the implementation of this story, but if they are accepted, they
numbers, so should be filed separately.
# Create a whitelist from a requirements.txt
# Create a whitelist from a Pipfile (pipenv)
# Create a whitelist from a Pipfile.lock (pipenv)
# Create a whitelist from a python toml file

considered as well.
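An added example, not part of the story and not pulp-python code: a standard-library parser for the subset of requirements syntax described above (project name, version specifiers, `--hash` pins) that rejects everything else, such as local files, instead of guessing. The names `parse_line` and `parse_whitelist` are hypothetical, the sample input is constructed, and line continuations, extras and environment markers are assumed to be out of scope.

```python
import re

# Added illustration; parse_line / parse_whitelist are hypothetical names,
# not pulp-python APIs.
NAME = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)\s*(.*)$")
SPEC = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*([A-Za-z0-9.*+!_-]+)$")
HASH = re.compile(r"--hash[=\s]\s*(sha256|sha384|sha512):([0-9a-f]+)(?=\s|$)")
HEX_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}


def parse_line(line):
    """Return (name, [(op, version)], [(algo, digest)]), or None for blank/comment lines."""
    line = re.sub(r"(^|\s)#.*$", "", line).strip()
    if not line:
        return None
    hashes = HASH.findall(line)
    req = HASH.sub("", line).strip()
    m = NAME.match(req)
    if not m:  # options (-r, -e, -i) and local paths start with '-', '.', '/'
        raise ValueError(f"unsupported requirement: {line!r}")
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 normalised name
    specs = []
    for part in filter(None, (p.strip() for p in m.group(2).split(","))):
        sm = SPEC.match(part)
        if not sm:  # URLs, extras, markers, unknown hash algorithms end up here
            raise ValueError(f"unsupported specifier {part!r} in {line!r}")
        specs.append(sm.groups())
    for algo, digest in hashes:
        if len(digest) != HEX_LEN[algo]:
            raise ValueError(f"bad {algo} digest length in {line!r}")
    return name, specs, hashes


def parse_whitelist(text):
    """Parse every line; fail closed on the first unsupported entry."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


# Constructed sample input (digest is a placeholder, not a real distribution hash).
SAMPLE = "\n".join([
    "# projects to sync",
    "Django>=1.11,<2.0",
    "shelf_reader",
    "requests==2.18.4 --hash=sha256:" + "0" * 64,
])

if __name__ == "__main__":
    for entry in parse_whitelist(SAMPLE):
        print(entry)
```

Each parsed entry maps onto one of the three filtering levels: name only, name plus specifiers, or name plus specifiers and pinned distribution hashes.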