Add allowlist/blocklist for packages to be permitted #10797

Closed
wqh17101 opened this issue Jan 14, 2022 · 9 comments
Labels
resolution: no action When the resolution is to not do anything

Comments

@wqh17101

What's the problem this feature will solve?

As some packages have problems like a GPL license or bugs, I want to find a way to forbid users in my environment from installing them with pip.

Describe the solution you'd like

We can add a new section in pip.conf like

[filter]
whitelist=vbbb<2
blacklist=xxx==1.1.0

Then when users in my environment run pip install xxx==1.1.0, they will get a message like "xxx is not available for the whitelist".

Alternative Solutions

Right now, I have only found that building my own PyPI can do this. But I need a lot of space to store the packages.

Additional context

In my opinion, it is efficient for us to limit pip through a config. Just check and reject if configured. It is a very elegant and simple way.

What I want is not to build my own PyPI, which will cause other problems like when to update and more space to store packages.

@wqh17101 wqh17101 added S: needs triage Issues/PRs that need to be triaged type: feature request Request for a new feature labels Jan 14, 2022
@pfmoore
Member

pfmoore commented Jan 14, 2022

You can use a proxying index (something like simpleindex would probably work for this) to serve only the packages you want to make visible without storing the actual packages locally.

Alternatively, you could probably use a constraints file, something like

vbbb<2
xxx!=1.1.0

This should work almost exactly the same as your whitelist/blacklist idea, and uses existing pip features.

@wqh17101
Author

wqh17101 commented Jan 14, 2022

Any tutorial for both ways?

@pfmoore
Member

pfmoore commented Jan 14, 2022

For constraints files, https://pip.pypa.io/en/stable/user_guide/#constraints-files
For simpleindex, read the package documentation.

@wqh17101
Author

For constraints files, can you offer an example?
For simpleindex, can you offer a link to the package documentation? Maybe you mean pypiserver? That will need a local repo to be set up for packages.

@pfmoore
Member

pfmoore commented Jan 14, 2022

Sorry, no. The information I gave is all I have. You'll need to do some research yourself.

@notatallshaw
Member

notatallshaw commented Jan 14, 2022

A constraints file lets you implement a deny list and, to some extent, an allow list. You deny certain versions of a package with xxx!=1.1.0 and you can allow only certain versions with vbbb<2.

Maybe you can completely deny any version of a package with some syntax? e.g. abc!=* or abc<0. I've not tested it though and don't know if it works.

Here's a very simple introduction to constraints files: https://luminousmen.medium.com/pip-constraints-files-b684992705b6

@wqh17101
Author

From my test, the requirements file is:

numpy==1.22.0

The constraint is:

  1. numpy==1.22.* works
  2. numpy==1.*.0 conflicts

Why?

@pradyunsg pradyunsg changed the title Add a whitelist config for pip Add allowlist/blocklist for packages to be permitted Jan 17, 2022
@pradyunsg
Member

pradyunsg commented Jan 17, 2022

You can't have * in a middle segment, only the ending. See PEP 440 for the details.
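A worked check of how the constraint lines discussed in this thread behave, added here as an example (it is not pip's or the packaging library's code): it parses lines such as vbbb<2, xxx!=1.1.0 and numpy==1.22.*, rejects a middle * the way PEP 440 requires, and reports whether a requested package version passes every constraint. It assumes plain release versions only (no pre/post/dev segments) and the operators shown.

```python
"""Evaluate a pip-style constraints file as an allow/deny list (added example, not
pip's code). Assumes plain release versions (e.g. 1.22.0), operators <, <=, >, >=,
==, != and a trailing ".*" wildcard on ==/!= only (PEP 440 allows no middle "*")."""
import re
_LINE_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|!=|<=|>=|<|>)\s*(\S+)$")
_RELEASE_RE = re.compile(r"^[0-9]+(\.[0-9]+)*$")

def _canon(name):
    # PEP 503 name normalisation: case-fold, collapse runs of -, _ and . to "-"
    return re.sub(r"[-_.]+", "-", name).lower()

def _release(v):
    # Parse "1.22.0" -> (1, 22, 0); anything else (incl. a middle "*") is an error
    if not _RELEASE_RE.match(v):
        raise ValueError(f"not a plain release version: {v!r}")
    return tuple(int(p) for p in v.split("."))

def parse_constraints(text):
    """Map canonical package name -> list of (operator, version-or-wildcard)."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable constraint: {line!r}")
        name, op, ver = m.groups()
        if ver.endswith(".*"):  # numpy==1.22.* is a valid prefix wildcard
            if op not in ("==", "!=") or not _RELEASE_RE.match(ver[:-2]):
                raise ValueError(f"bad wildcard: {line!r}")
        else:
            _release(ver)  # numpy==1.*.0 is rejected here, as PEP 440 requires
        rules.setdefault(_canon(name), []).append((op, ver))
    return rules

def _matches(op, spec, cand):
    if spec.endswith(".*"):  # wildcard: compare the release prefix only
        prefix = _release(spec[:-2])
        hit = cand[:len(prefix)] == prefix
        return hit if op == "==" else not hit
    target = _release(spec)
    n = max(len(cand), len(target))  # zero-pad so that 1.22 == 1.22.0
    c, t = cand + (0,) * (n - len(cand)), target + (0,) * (n - len(target))
    return {"==": c == t, "!=": c != t, "<": c < t, "<=": c <= t,
            ">": c > t, ">=": c >= t}[op]

def is_permitted(rules, name, version):
    # True only when every constraint recorded for the package accepts this version
    cand = _release(version)
    return all(_matches(op, spec, cand) for op, spec in rules.get(_canon(name), []))
```

Feeding it the thread's own lines shows why numpy==1.22.* accepts numpy 1.22.0 while numpy==1.*.0 is refused at parse time rather than silently mis-matching.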

@pradyunsg
Member

Closing this out, since the "correct" answer here is doing this package blocking on the index server side of things.

@DiddiLeija DiddiLeija added resolution: no action When the resolution is to not do anything and removed type: feature request Request for a new feature S: needs triage Issues/PRs that need to be triaged labels Jan 18, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 18, 2022
5 participants