Some ideas… I’m thinking this requires two PEPs:
- A common tools config
- A package index config standard
A common tools config (PEP #1)
How about we could use a file in one or more of these locations:
-
/etc/python3/tools.toml
- “system” settings (on Windows, maybe under %APPDATA%
?)
-
$HOME/.config/python/tools.toml
- “user” settings
-
$SCM_PROJECT/.python/tools.toml
- “project” settings
- environment variable
PYTHON_TOOLS_CONFIG=/path/to/tools.toml
?
We could then define a supersedence schema where “project” overrides “user” and “user” overrides “system”. And if we think we want the environment variable, that would be overriding “project”.
All of these tools.toml
files could have the ability to handle differentiation on a per-interpreter version. I guess this would be delegated to each tool.
Thoughts
- The above caters not only for package indexes and could be used by any tool.
- I’m not super fond of the file naming above (e.g. “tools.toml”)… but I figured this could get the discussion going.
- All of the above means we are not using any existing config file/format, such as the
.pypirc
from packaging.
- Can a Python package on PyPI be developed which parse these files and return the final config? Or should something be included in the standard library here, to help the tools fetch the config?
The structure of this tools.toml
needs to primarily dictate how we separate the different tools’ configs. Perhaps something like:
[sometool]
[sometool.server1]
ip = "10.0.0.1"
dc = "eqdc10"
[sometool.server2]
ip = "10.0.0.2"
dc = "eqdc10"
Here we’d have to reserve a tool name for “internal” or “pep-defined” tools, so to avoid having a community PyPI package trying to claim the internal one.
Package index config (PEP #2)
Ideas
I think this one is a bit more difficult, and here we need to get a lot of input from the community on what the different tools needs are like.
I believe, at least with pip, you can define as many --extra-index-url
s as possible.
At work, we develop a couple of packages which have names that today have no equivalent on PyPI.org. We want to make really sure that the package indexes are not set up in such a way that we by mistake start downloading/installing a package from PyPI with the same name, if one such package is created on PyPI.
So in this case, I would put such internal repos first in the priority order. But then comes the caveat of having to deal with timeouts or 404 errors for the tools, when they try to download all packages from that repo first…
Maybe, it could be worth giving this further thinking, whether there should be an order of priority in which the indexes will be used.
One idea is also to require clear-text passwords to be entered as base64-encoded strings?
Existing config files
.pypirc
This is what the $HOME/.pypirc
today can look like, according to packaging:
[distutils]
index-servers =
pypi
testpypi
private-repository
[pypi]
username = __token__
password = <PyPI token>
[testpypi]
username = __token__
password = <TestPyPI token>
[private-repository]
repository = <private-repository URL>
username = <private-repository username>
password = <private-repository password>
Keyring can be used to then save API tokens and passwords securely:
keyring set https://upload.pypi.org/legacy/ __token__
keyring set https://test.pypi.org/legacy/ __token__
keyring set <private-repository URL> <private-repository username>
Twine
Twine can read the .pypirc
file, either in your home directory, or provided with the --config-file option. It also has Keyring support.
Poetry
Poetry has two configuration files:
-
~/.config/pypoetry/config.toml
- all poetry configuration, including package indexes
-
~/.config/pypoetry/auth.html
- clear-text credentials, unless keyring is used
Private repositories can be set up in the config.toml
:
[repositories]
[repositories.myrepo1]
url = "https://foo.bar/simple"
Any custom repository will have precedence over PyPI by default, but this can be changed on a per-repository level.
And the clear text credentials are stored in the auth.toml
:
[http-basic]
[http-basic.myrepo1]
username = "foo"
password = "bar"
According to the Poetry docs on repository management, you can add certificates, define which repo is the primary or secondary. You can also disable the use of PyPI.org.
What should this “PEP #2” cover?
When looking at the .pypirc
and Poetry, it seems to me that whatever we decide on here needs to be handshaked with a lot of popular tools for them to really want to adopt a pre-defined set of configuration settings.
I have a feeling that over time, this PEP will need to be updated, to add certain settings which will be needed by the tools. I am not familiar enough with this, but can a PEP be updated down the road?
But just by looking at the above, I guess we should try to fit the following into the spec:
- Custom package index (equivalent of
--extra-index-url
)
- Priority order
- Take precedence over PyPI.org (true/false)
- Certificates (values should be filepaths)
- Proxy server?
- Credentials
- Clear text username
- Base64-encoded password
- Token instead of username/password
- Keyring
- Filepath to another .toml file which will hold the credentials data