
Hi, quick question: If I want to whitelist everything but a few packages, is that possible with devpi indexes and if so what is the syntax? E.g. I'd expect: `mirror_whitelist=['*', '!somepack', '!mypackage']` would whitelist things like `pip` and `setuptools` but not the two explicitly forbidden packages named somepack and mypackage. Cheers and thx, Christoph

We have an internal package that unfortunately has the same name as one on pypi. Generally, we want our index to install packages from pypi, except for the one with the name collision. The colliding package should be safe from higher version "attacks" (it's not really an attack since the one on pypi is not malicious).

First, thank you for the answer, Florian, and your time. Occasionally we also replace specific releases from pypi with ones we build ourselves. Mostly to prevent buggy releases that have not been fixed on pypi from being installed. We would typically merge a bugfix that was not yet applied by the maintainers or fix it ourselves, then build the package and upload it. Say the buggy version is 1.2, we replace it by our version 1.2 on our index. Then later along the line, when 1.3 is uploaded to pypi, we want our index to install the now officially fixed version 1.3 from pypi. I might be mistaken, but an empty whitelist would prevent that, correct? In that case our fixed version 1.2 would always be installed, even though pypi had a version 1.3. Is there a solution for that? Cheers, Christoph

On 19 Sep 2019, at 13:41, con-f-use@gmx.net wrote:
In that case you would add the package with the fix to the mirror_whitelist. To make this simpler I would create two indexes. The first has root/pypi in bases and mirror_whitelist="*". It's the one where you upload fixed packages. The second inherits only from the first and contains all private packages with empty mirror_whitelist. That way you can upload fixed versions or additional wheels etc to the first index and by using the second index as your install base, any private package is automatically safe. This setup also prevents accidents because of mistakes while updating mirror_whitelist. Regards, Florian Schulze
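The two-index layout Florian describes, worked through as an added example (my code, not devpi's and not from either poster): a small Python model of the mirror_whitelist rule, used to check what an installer pointed at each index would get before setting it up on a real server. The rule modelled is an assumption simplified from devpi's behaviour: walking an index and its bases nearest-first, a mirror base contributes releases for a project only if no private index earlier in the chain holds that project without whitelisting it, where the whitelist is either "*" or the exact project name (the only two forms used in the thread). Index names (team/fixes, team/private) and all package data are constructed for the example.

```python
"""Model of devpi's mirror_whitelist rule for a two-index layout.

Added example, not devpi code.  Modelled rule (an assumption, simplified
from devpi's documented behaviour): walking an index and its bases
nearest-first, a mirror base contributes releases for a project only if
no private index earlier in the chain holds that project without
whitelisting it ("*" or the exact project name).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Index:
    name: str
    mirror: bool = False
    bases: List["Index"] = field(default_factory=list)
    mirror_whitelist: List[str] = field(default_factory=list)
    # project -> {version: name of the index that holds the file}
    releases: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def upload(self, project: str, version: str) -> None:
        self.releases.setdefault(project, {})[version] = self.name

    def whitelists(self, project: str) -> bool:
        # only the two forms used in the thread: "*" or an exact name
        return "*" in self.mirror_whitelist or project in self.mirror_whitelist


def resolution_order(index: Index) -> List[Index]:
    """Depth-first walk over an index and its bases, nearest first."""
    order: List[Index] = []
    seen = set()

    def walk(ix: Index) -> None:
        if ix.name in seen:
            return
        seen.add(ix.name)
        order.append(ix)
        for base in ix.bases:
            walk(base)

    walk(index)
    return order


def visible_releases(index: Index, project: str) -> Dict[str, str]:
    """Releases an installer pointed at `index` sees: {version: origin index}."""
    found: Dict[str, str] = {}
    blocked = False  # set once a private index holds the project un-whitelisted
    for stage in resolution_order(index):
        if stage.mirror and blocked:
            continue  # mirror releases hidden: a higher pypi version cannot win
        own = stage.releases.get(project, {})
        if own and not stage.mirror and not stage.whitelists(project):
            blocked = True
        for version, origin in own.items():
            found.setdefault(version, origin)  # nearer index wins on equal versions
    return found


def version_key(version: str) -> Tuple[int, ...]:
    # plain dotted integers are enough for the constructed sample data;
    # use packaging.version.Version for real version strings
    return tuple(int(part) for part in version.split("."))


def resolve(index: Index, project: str) -> Optional[Tuple[str, str]]:
    """The (version, origin) a plain `pip install project` would choose."""
    releases = visible_releases(index, project)
    if not releases:
        return None
    best = max(releases, key=version_key)
    return best, releases[best]


def build_thread_setup() -> Tuple[Index, Index, Index]:
    """Constructed sample data mirroring the thread; names are made up."""
    pypi = Index("root/pypi", mirror=True)
    pypi.upload("somepack", "9.0")   # the unrelated public project with our name
    pypi.upload("buggylib", "1.2")   # the broken upstream release
    pypi.upload("pip", "19.2.3")

    # index 1: bases root/pypi, whitelist "*": where patched builds go
    fixes = Index("team/fixes", bases=[pypi], mirror_whitelist=["*"])
    fixes.upload("buggylib", "1.2")  # our patched build of the same version

    # index 2: inherits only from index 1, empty whitelist: the install base
    private = Index("team/private", bases=[fixes])
    private.upload("somepack", "0.3")
    return pypi, fixes, private


if __name__ == "__main__":
    pypi, fixes, private = build_thread_setup()
    for project in ("somepack", "buggylib", "pip"):
        print(project, "->", resolve(private, project))
    pypi.upload("buggylib", "1.3")   # upstream ships the real fix later
    print("buggylib after upstream fix ->", resolve(private, "buggylib"))
```

Against this model, an installer using team/private gets somepack 0.3 from the private index even though pypi carries a 9.0, gets the patched buggylib 1.2 from team/fixes until upstream publishes 1.3 and then pypi's 1.3, and gets pip straight from root/pypi. Uploading somepack to team/fixes instead would lose the protection, since that index whitelists everything. How devpi combines the whitelists when more than one private index in the chain holds the same project has varied between devpi-server versions, so confirm the model against your server with `devpi list somepack` while pointed at each index.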
