
Re: can pip be made using local Debian packages for any dependencies



https://packaging.python.org/en/latest/specifications/recording-installed-packages/
defines the Python spec where a package such as pyparsing would create
a tree of files under:
site-packages/pyparsing-3.0.9-dist-info/ including RECORD, which is
essentially a sha256-based manifest of files and some others.

On Sun, 12 Feb 2023 at 08:12, Ian Norton <inorton@gmail.com> wrote:
>
> You've made me wonder if it would be feasible to have a debian-centric
> tool that populates .dist-info from debs?
>
> On Sun, 12 Feb 2023 at 08:05, Ian Norton <inorton@gmail.com> wrote:
> >
> > I requested this kind of thing from the pip folks as
> > https://github.com/pypa/pip/issues/11644 and others have requested
> > similar, such as https://github.com/pypa/pip/issues/11607
> >
> > On Sun, 12 Feb 2023 at 04:56, Philippe Cerfon <philcerf@gmail.com> wrote:
> > >
> > > Hey.
> > >
> > > I hope this is not too off topic.
> > >
> > > As far as I understand, dh-python, when building packages somehow
> > > automatically uses the Debian package names and even prevents e.g.
> > > setuptools from downloading any dependencies by setting a (hopefully
> > > not running) proxy.
> > >
> > >
> > > I wondered whether it's possible to make tools like pip and setuptools
> > > directly use the Debian python packages when resolving dependencies.
> > >
> > > The main motivation is security constraints, so I had to configure
> > > pip so that it cannot just download packages from PyPI (which is
> > > rather easy, simply setting no-index in pip.conf).
> > >
> > > But then of course it also fails to e.g. do an editable install of a
> > > locally developed package, when it tries to resolve the dependencies.
> > >
> > > So I wondered whether it's possible to prevent pip from downloading
> > > any remote stuff, while still resolving dependencies (respectively
> > > consider them as being resolved) *if* the package is locally installed
> > > from the Debian archive?
> > > (If a dependency isn't installed from a package it may of course fail.)
> > >
> > >
> > > Thanks,
> > > Philippe.
> > >
> > > PS: Please keep me CCed.
> > >
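
The RECORD manifest mentioned at the top of this message can be checked against the files on disk, which is the integrity property any tool that generated .dist-info trees from debs would need to preserve. The sketch below is an added example, not code from this thread, pip or Debian; the `demo` package tree and the function names are constructed for illustration, and the hash encoding (urlsafe base64 without padding) follows the linked specification.

```python
import base64
import csv
import hashlib
import os
import tempfile

def record_hash(data: bytes, algo: str = "sha256") -> str:
    """Encode a digest the way RECORD does: urlsafe base64, '=' padding stripped."""
    digest = hashlib.new(algo, data).digest()
    return algo + "=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def verify_record(site_packages: str, dist_info: str) -> dict:
    """Map each path listed in <dist_info>/RECORD to ok/modified/missing/unhashed."""
    results = {}
    with open(os.path.join(site_packages, dist_info, "RECORD"), newline="") as fh:
        for path, hash_field, size in csv.reader(fh):
            algo = hash_field.partition("=")[0]
            if not hash_field:  # RECORD lists itself with empty hash and size
                results[path] = "unhashed"
            elif algo not in ("sha256", "sha384", "sha512"):
                results[path] = "unsupported"
            else:
                try:
                    with open(os.path.join(site_packages, path), "rb") as f:
                        data = f.read()
                except FileNotFoundError:
                    results[path] = "missing"
                    continue
                same = record_hash(data, algo) == hash_field and (not size or int(size) == len(data))
                results[path] = "ok" if same else "modified"
    return results

def build_demo(root: str) -> str:
    """Constructed sample: a fake site-packages tree with one package and its RECORD."""
    di = "demo-1.0.dist-info"
    files = {"demo/__init__.py": b"VERSION = '1.0'\n", di + "/METADATA": b"Name: demo\n"}
    rows = []
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
        rows.append([rel, record_hash(data), len(data)])
    with open(os.path.join(root, di, "RECORD"), "w", newline="") as fh:
        csv.writer(fh).writerows(rows + [[di + "/RECORD", "", ""]])
    return di

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(verify_record(root, build_demo(root)))
```

Pointing `verify_record` at a real site-packages directory and a real `.dist-info` name reports any file whose content or size no longer matches what the installer recorded.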

