This plugin adds a constrained index to devpi-server. The constrained index is read-only and filters releases from its bases similar to Constraints Files in pip.
devpi-constrained needs to be installed alongside devpi-server to enable constrained indexes.
You can install it with:
pip install devpi-constrained
There is no configuration needed as devpi-server will automatically discover the plugin through calling hooks using the setuptools entry points mechanism.
It is often useful to filter Python packages available for installation. For example:
- Filter package versions with known security issues
- Provide a "Known Good Set" of packages which have been tested
- Prevent installation of packages with incompatible licenses
- Only allowing vetted packages
- Block package versions with breaking changes
With devpi-constrained it is possible to provide a package index which enables all of the above and more.
Create a constrained index with root/pypi as base:
$ devpi index -c prod/devpi type=constrained bases=root/pypi https://example.com/prod/devpi: type=constrained bases=root/pypi volatile=True acl_upload=root acl_toxresult_upload=:ANONYMOUS: constraints= mirror_whitelist= $ devpi use prod/devpi
With no constraints set, all releases are available from root/pypi.
Lets add a constraint for pip:
$ devpi index constraints+="pip==6.0" /prod/devpi constraints+=pip==6.0 https://example.com/prod/devpi?no_projects=: type=constrained bases=root/pypi volatile=True acl_upload=root acl_toxresult_upload=:ANONYMOUS: constraints=pip==6.0 mirror_whitelist=
Now only pip 6.0 will be listed when looking for releases of pip:
$ devpi list --all pip http://localhost:3141/root/pypi/+f/610/3897f1bb68d3f/pip-6.0.tar.gz http://localhost:3141/root/pypi/+f/5ec/6732505bd8be4/pip-6.0-py2.py3-none-any.whl
All other packages are still unconstrained.
To block everything else we add the * constraint:
$ devpi index constraints+="*" /prod/devpi constraints+=* https://example.com/prod/devpi?no_projects=: type=constrained bases=root/pypi volatile=True acl_upload=root acl_toxresult_upload=:ANONYMOUS: constraints=pip==6.0,* mirror_whitelist=
This is the difference to pip constraints, where this isn't possible.
$ devpi list --all devpi-server GET https://example.com/prod/devpi/devpi-server/ 404 Not Found: no project 'devpi-server'
The constraints option can be set in bulk from a file.
Create a file constraints.txt with each constraint in one line:
pip<8,>4 # a comment devpi-server>=4
Set the constraints option on your index from the file:
$ devpi index constraints="$(cat constraints.txt)"
Support for legacy (non PEP440) versions is limited.
When the constraint contains any filtering on the version, then no legacy version will pass.
Technically legacy versions sort before any PEP440 compliant version,
but the packaging library doesn't expose the operator publicly in an easily usable way,
so this compromise was chosen to not have to deal with possibly changing internals.