bandersnatch
Is there any way to get index only without downloading packages?
Hi there,
I want to block some packages, but I don't have enough space to save packages. Is there any way to get the index from PyPI without downloading packages?
I want to set the conf like this

Hi, do you mean you want to make the index HTML pages only and not download the binary blobs? Or do you mean you just want to limit the versions for a package like your example, i.e. for example2 only download the versions specified there?
You should just need:
    [plugins]
    enabled =
        allowlist_release

    [allowlist]
    packages =
        example1 # <-- Download all the versions for example1
        example2>=1.4.2,<1.9,!=1.5.*,!=1.6.* # <-- Download on specific versions
I do believe the index.html generated will have all versions tho, I don't remember if the plugin is smart enough to filter there.
I mean the first one: make the index HTML pages only and not download the binary blobs.
This ability (html only) does not exist. I’d take a CLI switch or config option PR adding it tho.
Just out of curiosity - why do you only want HTML? What are you going to do with it?
@cooperlees Think of this scenario: there are many packages on PyPI; maybe some of them are broken, maybe some of them have vulnerabilities, or maybe some of them have a business-unfriendly license (GPL). So, I want to build a private index for my whitelisted packages only, to limit which packages my users install. So, all I need is a whitelist index without downloading packages from PyPI. Providing only the index I limit for the users can block them from installing wrong packages easily.
I'm confused, bandersnatch's goal is producing a PEP 503 valid index / mirror (web server not included) so I don't see how having just the index pages would achieve your goal of requiring packages to be allowlisted before use as pip would just fail to use the mirror generated by bandersnatch. Are you going to proxy / redirect the eventual distribution GET requests to PyPI or some other host?
You might be better served using something like a corporate setup of devpi which has native pass through to PyPI acting as a middle man allowing you to set allow/block lists.
Can this conf achieve my goal?
My aim is to block pip requests by whitelist and not download all the packages.
When users make a request, devpi will download the packages; that is why I don't use it.
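As an added illustration of the "index pages only, file GETs served by another host" case raised in the thread (not bandersnatch code and not a bandersnatch feature), this sketch writes PEP 503 pages for allowlisted projects only, with absolute file links carrying `#sha256=` fragments. The `UPSTREAM` data, `ALLOWLIST`, host name, digests and function names are all constructed assumptions.

```python
import html
import re
import tempfile
from pathlib import Path

# Constructed sample metadata (not real PyPI data):
# project -> [(filename, absolute file URL, sha256 hex digest)]
UPSTREAM = {
    "Example1": [("example1-1.0.tar.gz",
                  "https://files.example.invalid/example1-1.0.tar.gz", "a" * 64)],
    "example2": [("example2-1.4.2-py3-none-any.whl",
                  "https://files.example.invalid/example2-1.4.2-py3-none-any.whl", "b" * 64)],
    "unapproved-pkg": [("unapproved_pkg-0.1.tar.gz",
                        "https://files.example.invalid/unapproved_pkg-0.1.tar.gz", "c" * 64)],
}
ALLOWLIST = ["example1", "Example2"]  # hypothetical allowlist, any spelling

def normalize(name):
    """PEP 503 project-name normalization, so spelling variants cannot slip past."""
    return re.sub(r"[-_.]+", "-", name).lower()

def project_page(name, files):
    """One project page: an anchor per file, pinned to its hash via the URL fragment."""
    links = "\n".join(
        f'<a href="{html.escape(url, quote=True)}#sha256={digest}">{html.escape(fname)}</a><br/>'
        for fname, url, digest in files)
    return f"<!DOCTYPE html>\n<html><body>\n<h1>Links for {html.escape(name)}</h1>\n{links}\n</body></html>\n"

def build_index(upstream, allowlist, out_dir):
    """Write simple/<project>/index.html for allowlisted projects; return their names."""
    allowed = {normalize(n) for n in allowlist}
    simple = Path(out_dir) / "simple"
    simple.mkdir(parents=True, exist_ok=True)
    written = []
    for raw_name, files in sorted(upstream.items()):
        name = normalize(raw_name)
        if name not in allowed:
            continue  # no page is written, so the index has nothing to offer pip
        page_dir = simple / name
        page_dir.mkdir(parents=True, exist_ok=True)
        (page_dir / "index.html").write_text(project_page(name, files), encoding="utf-8")
        written.append(name)
    root = "\n".join(f'<a href="{n}/">{n}</a><br/>' for n in written)
    (simple / "index.html").write_text(f"<!DOCTYPE html>\n<html><body>\n{root}\n</body></html>\n", encoding="utf-8")
    return written

if __name__ == "__main__":
    print(build_index(UPSTREAM, ALLOWLIST, tempfile.mkdtemp()))
```

The allowlist only constrains clients whose sole configured index is this directory; the file downloads themselves go to whatever host the absolute URLs name, and pip checks each download against the hash in the link.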