PMXBOT Log file Viewer

#pypa logs for Monday the 12th of October, 2020

[08:57:20] <mgedmin> how come twine isn't saving my password in the keyring? pipx runpip twine list shows that the 'keyring' package is installed in twine's virtualenv
[08:58:54] <mgedmin> oooh I need to manually do keyring set upload.pypi.org/legacy $myusername
[09:56:45] <famubu> For setting up a project's dev environment (with setuptools) would it be better to just place the development dependencies inside a requirements.txt file or would setting things up so that `pip3 install package[dev]` would install it, a better choice?
[09:59:13] <mgedmin> a matter of taste, really
[09:59:38] <mgedmin> I like defining a 'test' extra so my tox.ini can just say extras = test
[10:00:09] <mgedmin> I don't normally have a 'dev' extra; all my dev tools tend to be installed globally with pipx
[10:06:44] <famubu> Cool. Just wanted to know how it was usually done :-)
[10:07:06] <famubu> so far I haven't done anything other than the requirements.txt method.
[16:02:41] <toad_polo> cooperlees (or anyone who knows): Is there a supported mechanism in bandersnatch for modifying the contents of the local cache? For the purposes of, e.g. applying patches or whatever?
[16:03:48] <cooperlees> Got an example? There is no api to modify binaries etc. If that's what you mean
[16:03:56] <cooperlees> It's designed to try to maintain integrity today
[16:04:06] <cooperlees> And I am sure TUF will further harden that
[16:04:09] <toad_polo> I don't actually want to do this, but I'm giving a talk about this sort of thing, and my examples are all linux distros and corporate deployment systems. For people who basically use PyPI as their deployment system I'm not sure if I should be saying that it's possible.
[16:04:38] <cooperlees> Well, source code is there - anything is possible technically
[16:04:46] <cooperlees> It out of the box, no ..
[16:04:58] <toad_polo> cooperlees: For people who need (or more likely want) to apply patches before deploying to production.
[16:06:43] <toad_polo> OK, so if you have a production pipeline that pulls straight from a PyPI mirror and installs into production environments, you would probably do something more like PyPI → `bandersnatch` → `devpi` → prod.
[16:07:11] <cooperlees> Yeah
[16:07:21] <cooperlees> Dev pi is more about running your own indexes
[16:07:57] <toad_polo> Where `bandersnatch` is essentially a pre-warmed cache, and `devpi` is for uploading your own packages and, presumably, the place where you'd upload modified versions of upstream packages.
[16:08:28] <toad_polo> And obviously `bandersnatch` doesn't need to be there if you have a whitelist from PyPI that you actively curate.
[16:41:22] <cooperlees> toad_polo: Also, devpi, last I look can be the cache, negating the need for bandersnatch all together
[16:41:27] <cooperlees> *looked
[16:41:35] <cooperlees> (Been years tho)
[17:11:50] <toad_polo> cooperlees: I got the impression that devpi would mirror packages for you locally when you download them, but not that it actively mirrors PyPI. Is that basically the same mode of operation as bandersnatch?
[17:13:40] <cooperlees> Yes, it only caches what you fetch where bandersnatch just goes and grabs the world or what your filter rules state to get
[22:48:49] <toad_polo> Hm. When I use `pip download --no-deps --no-binary :all: attrs`, the command fails because `setuptools` was not found.
[22:49:16] <toad_polo> When I do `pip download --no-deps attrs` it succeeds.
[22:49:56] <toad_polo> Ah, it's this: github.com/pypa/pip/issues/7995