Python: should I keep PyPI packages offline?

Posted 2025-01-28 14:28:30 · 479 characters · 4 views · 0 comments


My Python projects heavily depend on PyPI packages.
I want to make sure that, at any time in the future, the packages required by my apps will always be available online on PyPI.
For example:
I found a project on GitHub that requires PyQt4.
When I tried to run it on my Linux machine,
it crashed on startup because it couldn't find the PyQt4 package on PyPI.

NB: I know that PyQt4 is deprecated.

I searched a lot to find an archive of PyPI that still holds the PyQt4 package, but I couldn't find one anywhere.

So I had to rewrite that app to make it work on PyQt5.
I only changed the code related to the UI (i.e. PyQt4).
Other functions were still working.

So the only problem with that app was that the PyQt4 package was removed from PyPI.


So, my question is: should I save a backup of the PyPI packages I use?


Comments (3)

冬天旳寂寞 2025-02-04 14:28:30

Short version:

YES, if you want availability... The next big question is how best to keep a backup version of the dependencies. There are some suggestions at the end of this answer.

Long version:

Your question touches on the concept of "Availability" which is one of the three pillars of Information Assurance (or Information Security). The other two pillars are Confidentiality and Integrity... The CIA triad.

PyPI packages are maintained by the owners of those packages; a project that depends on a package and lists it as a dependency must take into account the possibility that the owner of the package will pull the package, or a version of it, out of PyPI at any moment.

Important Python packages with many dependencies are usually maintained by foundations or organizations that are more responsible in dealing with downstream dependent packages and projects. However, keeping support for old packages is very costly and requires extra effort, and usually maintainers set a date for end of support, or publish a package lifecycle where they state when a specific version will be removed from the public PyPI server.

Once that happens, the dependents have to update their code (as you did), or provide the original dependency via alternative means.

This topic is very important for procurement in libraries, universities, laboratories, companies, and government agencies where a software tool might have dependencies on other software packages (or ecosystem), and where "availability" should be addressed adequately.

Addressing this risk might mean anything from ensuring high availability at all costs, to living with the risk of losing one or more dependencies... A risk management approach should be used to make informed choices affecting the "security" of your project.

Also, it should be noted that some packages require binary executables or binary libraries, or access to an online API service, which should also be available for the package to work properly; that complicates the risk analysis and the activities necessary to address availability.

Now, to make sure that dependencies are always available... I quickly compiled the following list. Note that each option has pros and cons. You should evaluate these and other options based on your needs:

  1. Store the virtual environment along with the code. Once you create a virtual environment and install the packages you require for the project in that virtual environment, you can keep the virtual environment as part of your repository, for example, for posterity.
  2. Host your own PyPI instance (or mirror) and keep a copy of packages you depend upon hosted on it: https://packaging.python.org/en/latest/guides/hosting-your-own-index/
  3. Use an "artifact management tool" such as Artifactory from https://jfrog.com/artifact-management/, where you can not only host Python packages but also Docker images, nmap packages, and other kinds of artifacts.
  4. Get the source code of all dependencies, and always build from source.
  5. Create a Docker image where the project works properly and keep backups of the image.
  6. If the package requires an online API service, think about replacing that service or mocking it with one you can control.
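
As an added example (not code from the answer above or from the packaging guide it links), the following script turns a directory of backed-up `*.whl` / `*.tar.gz` files into the PEP 503 "simple" index layout that `pip install --index-url` understands, which is what option 2 amounts to once a static web server is put in front of it. It assumes the files sit under `root/files/` and writes `root/simple/`; the sample filenames and contents in `SAMPLE_FILES` are constructed placeholders, not real archives. Each link carries a `#sha256=` fragment, which pip checks after downloading, so the backup gets an integrity check and not only availability.

```python
"""Generate a PEP 503 "simple" index over a local backup of package files.

Layout assumed (constructed for this example):
    root/files/   the *.whl / *.tar.gz files saved with `pip download`
    root/simple/  written here: index.html plus one page per project
"""
from __future__ import annotations

import hashlib
import html
import re
import tempfile
from pathlib import Path

DIST_SUFFIXES = (".whl", ".tar.gz", ".zip")


def normalize(name: str) -> str:
    """PEP 503 name normalization: runs of '-', '_' and '.' become one '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def project_of(filename: str) -> str:
    """Recover the project name from a wheel or sdist filename.

    Wheels are NAME-VERSION(-BUILD)?-PYTAG-ABITAG-PLATTAG.whl, so NAME is the first
    '-'-separated field (the wheel spec rewrites '-' inside names as '_').
    Sdists are NAME-VERSION.tar.gz or .zip, so VERSION is the last '-'-separated field.
    """
    if filename.endswith(".whl"):
        return filename.split("-")[0]
    stem = re.sub(r"\.(tar\.gz|zip)$", "", filename)
    name, sep, _version = stem.rpartition("-")
    if not sep or not name:
        raise ValueError(f"unrecognised distribution filename: {filename}")
    return name


def build_simple_index(root: Path) -> dict[str, list[str]]:
    """Write root/simple/index.html and root/simple/<project>/index.html.

    Returns {normalized project name: [filenames]} so callers can check coverage.
    Every file link carries a '#sha256=<hex>' fragment; pip verifies the download
    against it, so a corrupted or substituted file in the backup is rejected
    instead of installed.
    """
    files_dir = root / "files"
    projects: dict[str, list[str]] = {}
    for path in sorted(files_dir.iterdir()):
        if not path.name.endswith(DIST_SUFFIXES):
            continue
        projects.setdefault(normalize(project_of(path.name)), []).append(path.name)

    simple = root / "simple"
    simple.mkdir(parents=True, exist_ok=True)
    root_links = []
    for project, filenames in sorted(projects.items()):
        page_dir = simple / project
        page_dir.mkdir(exist_ok=True)
        links = []
        for fname in filenames:
            digest = hashlib.sha256((files_dir / fname).read_bytes()).hexdigest()
            # The page is served as /simple/<project>/, so the files are two levels up.
            href = f"../../files/{fname}#sha256={digest}"
            links.append(f'<a href="{html.escape(href)}">{html.escape(fname)}</a>')
        (page_dir / "index.html").write_text(
            "<!DOCTYPE html><html><body>\n" + "\n".join(links) + "\n</body></html>\n")
        root_links.append(f'<a href="{project}/">{project}</a>')
    (simple / "index.html").write_text(
        "<!DOCTYPE html><html><body>\n" + "\n".join(root_links) + "\n</body></html>\n")
    return projects


# Constructed sample data: placeholder bytes, not real archives; they only
# exercise the index generation. README.txt must be ignored.
WHEEL_NAME = "PyQt5_sip-12.13.0-cp39-abi3-manylinux_2_5_x86_64.whl"
SAMPLE_FILES = {
    WHEEL_NAME: b"constructed wheel bytes",
    "PyQt5_sip-12.13.0.tar.gz": b"constructed sdist bytes",
    "python-dateutil-2.8.2.tar.gz": b"constructed dateutil sdist",
    "README.txt": b"not a distribution",
}


def demo() -> dict:
    """Build an index over the constructed sample files in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="wheelhouse-"))
    (root / "files").mkdir()
    for fname, content in SAMPLE_FILES.items():
        (root / "files" / fname).write_bytes(content)
    projects = build_simple_index(root)
    return {
        "root": str(root),
        "projects": projects,
        "pyqt5_sip_page": (root / "simple" / "pyqt5-sip" / "index.html").read_text(),
        "wheel_digest": hashlib.sha256(SAMPLE_FILES[WHEEL_NAME]).hexdigest(),
    }


if __name__ == "__main__":
    result = demo()
    print("index written under", result["root"])
    print(result["pyqt5_sip_page"])
```

Serve `root/` with any static file server and point pip at it with `--index-url http://HOST/simple/` (HOST is a placeholder). For installs on a single machine the index is unnecessary, because pip can read the files directory directly with `--no-index --find-links root/files`; the index earns its keep when several machines or CI jobs share one backup.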

〃温暖了心ぐ 2025-02-04 14:28:30


Given that the package files are available on PyPI, you can use pip to download the *.whl files compiled for a specific OS via:

pip download --only-binary=:all: package_name

or the source distribution files *.tar.gz via:

pip download --no-binary=:all: package_name

Both should download the package files for all the available platforms when you specify :all:.

Alternatively, if the package files are not directly available on PyPI but on some archive as is the case for PyQt4, you can manually download those files.

Once you have the package files (either *.whl binaries or *.tar.gz), you should be able to install them without any internet connection from your local package files by:

pip install /path/to/local/package.whl # for *.whl files
pip install /path/to/local/package.tar.gz # for source *.tar.gz files

However, if you decide to back up your package files to a network storage location, e.g. Google Drive, you'd need an internet connection, since in this case pip needs to retrieve the files from the URL and then install the package via:

pip install https://drive.google.com/drive/home/package_name.tar.gz
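
As an added example (not part of the answer above), here is a check to run before relying on such a backup. It parses a hash-pinned requirements file in the syntax pip itself uses (`name==version --hash=sha256:<hex>`; digests can be obtained with `pip hash FILE`) and reports, per requirement, whether the local file set has a file with a matching digest, a file of that name and version whose digest differs (altered or rebuilt since the lock was taken), or nothing at all. The lockfile and backup directory built in `demo()` are constructed for the example. One caveat on the download step: `pip download` resolves for the interpreter and platform it runs on, so to back up wheels for other targets pass `--platform`, `--python-version`, `--implementation` and `--abi` together with `--only-binary=:all:`.

```python
"""Check a hash-pinned requirements file against a local backup directory.

Lockfile syntax assumed is pip's own:  name==version --hash=sha256:<hex> ...
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

DIST_SUFFIXES = (".whl", ".tar.gz", ".zip")
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\]+)")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def normalize(name: str) -> str:
    """PEP 503 name normalization, so 'PyQt5_sip' and 'pyqt5-sip' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text: str) -> dict[str, tuple[str, set[str]]]:
    """Return {normalized name: (version, {sha256 digests})}.

    Backslash line continuations are joined and '#' comments dropped, as pip does.
    Anything that is not 'name==version' with at least one --hash is rejected,
    because an unpinned entry would make the backup check meaningless.
    """
    logical = text.replace("\\\n", " ")
    reqs: dict[str, tuple[str, set[str]]] = {}
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"not an exactly pinned requirement: {line!r}")
        digests = {h.lower() for h in HASH_OPT.findall(line)}
        if not digests:
            raise ValueError(f"no --hash given for {m.group(1)}")
        reqs[normalize(m.group(1))] = (m.group(2), digests)
    return reqs


def check_backup(lockfile: Path, backup_dir: Path) -> dict[str, tuple[str, str | None]]:
    """Report, per requirement, one of:
       ('ok', filename)             a backup file matches one of the pinned digests
       ('hash-mismatch', filename)  a file for that name and version exists, but its
                                    digest is not in the lockfile (altered or rebuilt)
       ('missing', None)            nothing in the backup covers the requirement
    """
    reqs = parse_lockfile(lockfile.read_text())
    by_digest: dict[str, str] = {}
    by_key: dict[str, str] = {}  # normalized filename -> filename
    for path in backup_dir.iterdir():
        if not path.name.endswith(DIST_SUFFIXES):
            continue
        by_digest[hashlib.sha256(path.read_bytes()).hexdigest()] = path.name
        by_key[normalize(path.name)] = path.name

    report: dict[str, tuple[str, str | None]] = {}
    for name, (version, digests) in reqs.items():
        hit = next((by_digest[d] for d in digests if d in by_digest), None)
        if hit is not None:
            report[name] = ("ok", hit)
            continue
        # No digest matched: is there at least a file for this name and version?
        key = normalize(f"{name}-{version}")
        near = [f for k, f in by_key.items() if k == key or k.startswith(key + "-")]
        report[name] = ("hash-mismatch", near[0]) if near else ("missing", None)
    return report


# Constructed scenario: one requirement matches, one file was altered after the
# lock was taken, one requirement was never backed up. Contents are placeholder bytes.
WHEEL_NAME = "PyQt5_sip-12.13.0-cp39-abi3-manylinux_2_5_x86_64.whl"
SAMPLE_BACKUP = {
    WHEEL_NAME: b"constructed wheel bytes",
    "python-dateutil-2.8.2.tar.gz": b"constructed sdist bytes, altered after locking",
}


def demo() -> dict[str, tuple[str, str | None]]:
    backup = Path(tempfile.mkdtemp(prefix="backup-"))
    for fname, content in SAMPLE_BACKUP.items():
        (backup / fname).write_bytes(content)
    good = hashlib.sha256(SAMPLE_BACKUP[WHEEL_NAME]).hexdigest()
    stale = "0" * 64   # placeholder for the digest of the original dateutil sdist
    absent = "1" * 64  # placeholder digest for a package that was never backed up
    lock = backup / "requirements.lock"
    lock.write_text(
        "# constructed lockfile\n"
        f"pyqt5-sip==12.13.0 \\\n    --hash=sha256:{good}\n"
        f"python-dateutil==2.8.2 --hash=sha256:{stale}\n"
        f"requests==2.31.0 --hash=sha256:{absent}\n"
    )
    return check_backup(lock, backup)


if __name__ == "__main__":
    for name, (status, fname) in demo().items():
        print(f"{name:20s} {status:14s} {fname or ''}")
```

Once every line reports `ok`, `pip install --no-index --find-links BACKUP_DIR --require-hashes -r requirements.lock` (BACKUP_DIR is a placeholder) installs from the backup alone. With `--require-hashes` pip refuses any file whose digest is not in the lockfile, so the same rule is enforced at install time; the script only tells you in advance which requirement would fail, while you still have a connection to fix it.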

初见 2025-02-04 14:28:30


I use Nexus Repository Manager OSS: https://help.sonatype.com/en/download.html

You can proxy PyPI and host your own internal PyPI images; it can be set up directly from a Docker image.

And you get the speedup and benefit of a local pip install.

You use global variables and pip parameters to set it up:
Create and use a PyPi proxy repository on nexus

And Nexus can serve lots of other images: Docker, NuGet, Gems, Maven, etc. So you have it all in one place, with a REST API for everything.
