I want to stand up a mirror to proxy/cache the python packages my team is using behind our corporate firewall. A scale challenge we're having is that when Bob wants to use package X, we need to validate that all of package X's dependencies are published under one of a finite set of compliant OSS licenses. Any recommendations on how to be more automated about this? Is this a feature of devpi that I just haven't stumbled upon yet? Is there a best practice for implementing this at a step prior to injection into the index? Any pointers/tips/recommendations welcome. Thanks, Andrew
Hi! It might be possible to implement this as a plugin using the existing hooks, but it's definitely not trivial. You might also want to look at: https://dependencyci.com
Regards,
Florian Schulze
On 11 Aug 2016, at 22:01, Andrew Rothstein wrote:
I want to stand up a mirror to proxy/cache the python packages my team is using behind our corporate firewall. A scale challenge we're having is that when Bob wants to use package X, we need to validate that all of package X's dependencies are published under one of a finite set of compliant OSS licenses. Any recommendations on how to be more automated about this? Is this a feature of devpi that I just haven't stumbled upon yet? Is there a best practice for implementing this at a step prior to injection into the index? Any pointers/tips/recommendations welcome.
Thanks, Andrew
Hi Andrew,
we have the following process to establish license compliance internally:
· We have a repository with a requirements.txt that lists whitelisted open source packages (including version numbers)
· When a user wants to use a new open source package or a new version of an already whitelisted package, he creates a pull request for that repo.
· If the reviewer considers that the license is OK, we merge the pull request and then use devpi-builder to automatically upload the whitelisted packages to an OSSWhitelist user/index (see https://github.com/blue-yonder/devpi-builder). The review is a manual process, as it is quite common that the package metadata is inaccurate. However, in practice it only takes about a minute, so the overhead is small.
· We ensure that nobody can use an index inheriting from root/pypi from the production network
This process is not bullet-proof, but works pretty well for us. Here is a talk where I provide some further details of our setup: https://www.youtube.com/watch?v=re7dtwYy5sc
Best regards,
Stephan
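As an added illustration of the check Andrew asks for and the whitelist review Stephan describes (this is example code, not part of the thread and not devpi-builder's own code), the script below walks a package's transitive dependency graph and sorts every node into allowed, denied, or needs-review. All package names, versions, licenses and dependencies are constructed; in practice the per-package dict would be filled from each wheel's METADATA file or the PyPI JSON API (info.license, info.classifiers, info.requires_dist), and the allow-list of SPDX identifiers is an assumption. The "review" bucket is where the inaccurate metadata Stephan mentions ends up, so it feeds the manual step rather than replacing it.

```python
"""Transitive license audit for a requested package.

Added example, not code from the devpi thread or from devpi-builder.
Every package, license and dependency below is constructed; in practice
the metadata would come from each wheel's METADATA file or the PyPI
JSON API (info.license / info.classifiers / info.requires_dist).
"""
import re
from collections import deque

# The finite set of compliant licenses (SPDX identifiers); an assumption.
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}

# Trove classifiers are usually more trustworthy than the free-text
# License field, so they are checked first.
CLASSIFIER_TO_SPDX = {
    "License :: OSI Approved :: MIT License": "MIT",
    "License :: OSI Approved :: BSD License": "BSD-3-Clause",
    "License :: OSI Approved :: Apache Software License": "Apache-2.0",
    "License :: OSI Approved :: GNU General Public License v3 (GPLv3)": "GPL-3.0-only",
}

# Common spellings seen in the free-text License field.
LICENSE_TEXT_TO_SPDX = {
    "mit": "MIT", "mit license": "MIT",
    "bsd": "BSD-3-Clause", "bsd-3-clause": "BSD-3-Clause",
    "apache 2.0": "Apache-2.0", "apache-2.0": "Apache-2.0",
    "apache license 2.0": "Apache-2.0",
    "gpl-3.0": "GPL-3.0-only", "gplv3": "GPL-3.0-only",
}

# Constructed sample metadata for hypothetical packages.
SAMPLE_METADATA = {
    "packagex": {"license": "MIT",
                 "classifiers": ["License :: OSI Approved :: MIT License"],
                 "requires_dist": ["liba>=1.0", "libb"]},
    "liba": {"license": "Apache 2.0",
             "classifiers": ["License :: OSI Approved :: Apache Software License"],
             "requires_dist": ["libc"]},
    # The usual inaccurate metadata: no classifier, License set to UNKNOWN.
    "libb": {"license": "UNKNOWN", "classifiers": [], "requires_dist": []},
    # Copyleft license, and a dependency cycle back to liba.
    "libc": {"license": "",
             "classifiers": ["License :: OSI Approved :: GNU General Public License v3 (GPLv3)"],
             "requires_dist": ["liba"]},
}


def normalize_name(name):
    """PEP 503 normalization so 'Package_X' and 'package-x' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(requirement):
    """Strip specifiers, extras and markers: 'liba>=1.0; extra == "x"' -> 'liba'."""
    match = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    return normalize_name(match.group(1)) if match else None


def declared_licenses(meta):
    """Return the set of SPDX ids recognisable in a package's metadata."""
    found = set()
    for classifier in meta.get("classifiers", []):
        if classifier in CLASSIFIER_TO_SPDX:
            found.add(CLASSIFIER_TO_SPDX[classifier])
    text = (meta.get("license") or "").strip().lower()
    if text in LICENSE_TEXT_TO_SPDX:
        found.add(LICENSE_TEXT_TO_SPDX[text])
    return found


def audit(package, metadata, allowed):
    """Walk the transitive dependency graph of `package` and classify each node.

    Buckets: 'allowed' (every recognised license is on the allow-list),
    'denied' (recognised licenses, none allowed) and 'review' (no
    recognisable license, mixed licensing, or metadata missing).
    """
    allowed_pkgs, denied, review = {}, {}, {}
    queue = deque([normalize_name(package)])
    seen = set()
    while queue:
        name = queue.popleft()
        if name in seen:  # cycles and shared dependencies are visited once
            continue
        seen.add(name)
        meta = metadata.get(name)
        if meta is None:
            review[name] = "metadata not found"
            continue
        licenses = declared_licenses(meta)
        if not licenses:
            review[name] = "no recognisable license metadata"
        elif licenses <= allowed:
            allowed_pkgs[name] = ", ".join(sorted(licenses))
        elif licenses & allowed:
            review[name] = "mixed licensing: " + ", ".join(sorted(licenses))
        else:
            denied[name] = ", ".join(sorted(licenses))
        for req in meta.get("requires_dist", []):
            dep = requirement_name(req)
            if dep and dep not in seen:
                queue.append(dep)
    return {"allowed": allowed_pkgs, "denied": denied, "review": review}


if __name__ == "__main__":
    result = audit("PackageX", SAMPLE_METADATA, ALLOWED_LICENSES)
    for bucket, entries in result.items():
        for name, detail in sorted(entries.items()):
            print(f"{bucket:8} {name:10} {detail}")
```

Run against the constructed sample, packagex and liba land in "allowed", libc is denied for GPL-3.0-only, and libb goes to "review" because nothing in its metadata names a license; that last bucket is the list a reviewer works through before the pull request to the whitelist repository is merged.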
participants (3)
- Andrew Rothstein
- Erb, Stephan
- Florian Schulze