pypiprivate
is a command line tool for hosting a private
PyPI-like package index or in other words, a manual python
repository backed
by a file based storage.
It's implemented in a way that the storage backends are pluggable. At present, only AWS S3 and local file system are supported but more implementations can be added in future.
The backend can be protected behind a HTTP reverse proxy (eg. Nginx) to allow secure private access to the packages.
Update: We have published a blog post that explains the usage, approach and rationale in detail - Private Python Package Index with Zero Hassle.
At present pypiprivate
comes with only one command to publish a
package (more utilities for package search and discoverability are
coming soon).
A publish operation involves,
- Copying all the available package artifacts for a specific version
under the
./dist
directory to the storage backend - Creating the index on the same storage backend
The file structure created on the backend conforms to the "Simple Repository API" specification defined in PEP 503.
The files can now be served securely by a webserver eg. by setting up a Nginx reverse proxy.
It's important to note that although the name of the project is
pypiprivate
, it's upto you to ensure that the access to both,
the storage and the index is really private. If you are using S3 and
Nginx, for example, then
- package authors/owners will need read-write S3 creds to publish packages
- nginx will authenticate with S3 using read-only S3 creds and protect the files via HTTP Basic authentication
- package users will need HTTP Auth creds to install the packages using pip
pypi-private
can be installed using pip as follows,
$ pip install pypiprivate
After installation, a script pypi-private
which will be available
at PATH
.
You may choose to install it in a virtualenv, but it's recommended to
install it globally for all users (using sudo
) so that it's less
confusing to build and publish projects that need to use their own
virtualenvs.
pypiprivate
requires it's own config file, the default location
for which is ~/.pypi-private.cfg
. This repo contains the example
config file example.pypi-private.cfg
, which can be simply copied
to the home directory and renamed to .pypi-private.cfg
.
For aws-s3
type of storage backend, two environment variables
PP_S3_ACCESS_KEY
and PP_S3_SECRET_KEY
are required to be set
besides the config. In case you are using a session token, you can
set it via PP_S3_SESSION_TOKEN
.The advantage of excluding s3
credentials in config file are that (1) they are not stored in
plain text and, (2) it's easier to switch between read-only/read-write keys
First create the builds,
$ python setup.py sdist bdist_wheel
Then to publish the built artifacts run,
$ pypi-private -v publish <pkg-name> <pkg-version>
For other options, run
$ pypi-private -h
Run pip with the --extra-index-url
option,
$ pip install mypackage --extra-index-url=https://<user>:<password>@my.private.pypi.com/simple
Or, add the extra-index-url
to pip config file at
~/.pip/pip.conf
as follows
[install] extra-index-url = https://<user>:<password>@my.private.pypi.com/simple
And then simply run,
$ pip install mypackage
MIT (See LICENSE)