Story #2041
Updated by amacdona@redhat.com over 6 years ago
This story `requirements.txt` is to use the syntax from python requirements[0] files standard way to specify which packages should list pip installable requirements, it would be synced. This story does NOT include directly uploading a requirements.txt (though very convenient and intuitive to Python folks if we could consume that feature could be discussed in another issue) standard. Note: It doesn't make sense for Pulp to support all of the possible syntaxes in a requirements file (like specifying a local file).

h3. Background:

At the time of writing, pulp-python only supports a whitelist of project names, but this whitelist should become more granular and flexible.

h3. Specifiers [1][2]

It would be ideal to support multiple levels of filtering:

* project name
* Requirements files can also pin version specifiers (including gt, lt, range)
* specific python distributions (specified by hash) [3]

Allowing users to specify python distributions by hashes [3] will significantly improve 2 of our use cases:

* reproducible, deterministic builds
* improved security

h3. Related Ideas:

These ideas are related to the implementation of this story, but if they are accepted, they numbers, so https://pulp.plan.io/issues/138 should be filed separately.

# Create a whitelist from a requirements.txt
# Create a whitelist from a Pipfile (pipenv)
# Create a whitelist from a Pipfile.lock (pipenv)
# Create a whitelist from a python toml file

[0]: https://pip.pypa.io/en/stable/user_guide/#requirements-files
[1]: https://www.python.org/dev/peps/pep-0440/
[2]: https://www.python.org/dev/peps/pep-0508/
[3]: https://pip-python3.readthedocs.io/en/latest/reference/pip_install.html#hash-checking-mode

considered as well.
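The three filtering levels listed under Specifiers (project name, version specifiers, sha256 hash) can be sketched as follows. This is an added example, not pulp-python code: `parse_line` and `should_sync` are hypothetical names, versions are simplified to dotted numeric releases rather than full PEP 440, and the sample whitelist is constructed.

```python
import hashlib
import operator
import re

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
SPEC = re.compile(r"(==|!=|>=|<=|>|<)(\d+(?:\.\d+)*)")

def normalize(name):
    # PEP 503 name normalization, so "Example_Web" matches "example-web".
    return re.sub(r"[-_.]+", "-", name).lower()

def release(version):
    # Simplification: dotted numeric releases only; trailing zeros are ignored.
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_line(line):
    """Return (name, [(op, version)], {sha256 digests}) for one whitelist line."""
    tokens = line.split()
    opts = [t for t in tokens if t.startswith("-")]
    # Refuse unknown options instead of silently dropping a pin (e.g. a weaker hash).
    if any(not t.startswith("--hash=sha256:") for t in opts):
        raise ValueError(f"unsupported option in {line!r}")
    req = "".join(t for t in tokens if t not in opts)
    m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)(.*)", req)
    if not m:  # local paths, URLs and empty lines end up here
        raise ValueError(f"unsupported requirement: {line!r}")
    specs = []
    for piece in filter(None, m.group(2).split(",")):
        s = SPEC.fullmatch(piece)
        if not s:
            raise ValueError(f"unsupported specifier: {piece!r}")
        specs.append(s.groups())
    return normalize(m.group(1)), specs, {t.split(":", 1)[1].lower() for t in opts}

def should_sync(whitelist, name, version, content):
    # A distribution passes if one entry matches its name, version and, if pinned, hash.
    digest = hashlib.sha256(content).hexdigest()
    return any(wl_name == normalize(name)
               and all(OPS[op](release(version), release(v)) for op, v in specs)
               and (not hashes or digest in hashes)
               for wl_name, specs, hashes in whitelist)

WHEEL = b"constructed wheel bytes"  # constructed sample, not a real package
WHITELIST = [parse_line(l) for l in (
    "example-web>=1.11,<2.0", "example-lib",
    "example-pkg==1.0 --hash=sha256:" + hashlib.sha256(WHEEL).hexdigest())]
```

A hash-pinned entry rejects any file whose digest differs, even when name and version match, which is what gives the reproducibility and security properties the story mentions.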