Python packages

How to get started with private PyPI firewalls and registries

Build, manage and secure Python projects and artifacts with Bytesafe. Bytesafe has full support for the Python ecosystem with private Python (PyPI) firewalls and registries for your packages and dependencies.

Users interact with Bytesafe using their regular tools, such as pip for installing and twine for uploading.

Bytesafe offers unlimited registries. You can create as many as you need, one for every use case. Deploy the internal Python artifacts required by team members and CI/CD systems, and upload any artifacts from any public Python package index.

Did you know you can get copy-paste ready instructions directly in Bytesafe?

The instructions are tailored to each registry. Log in to Bytesafe and select More Info for the registry of your choice.


Configure pip to access Bytesafe

Bytesafe PyPI firewalls and registries are accessed with pip for installing and twine for uploading. A valid access token is required. For more information about creating access tokens, see Manage access tokens.

Specify a default PyPI firewall or registry

To avoid having to state explicitly which registry to use for each request, add it to your pip configuration file. The index URL in that file contains the access token in clear text, so keep the file readable only by your own user.

To configure pip, edit the file ~/.config/pip/pip.conf or $VIRTUAL_ENV/pip.conf (%HOME%\pip\pip.ini on Windows):

[global]
index-url = https://bytesafe:{TOKEN}@{WORKSPACE}.bytesafe.dev/python/{REGISTRY}/

Example

[global]
index-url = https://bytesafe:01GHXMJP5PXQZAE7CY8ZAB8GBZ@example.bytesafe.dev/python/pypi-firewall/

Install a Python package using pip

Install Python packages with pip as in the example below. The command assumes you have added the user, token and firewall/registry to your pip configuration file:

$ pip install {PACKAGE}

If you have previously installed a package, you may want to stop pip from using its local cache. Pass the --no-cache-dir argument to make sure packages are downloaded from Bytesafe instead of being served from the cache.

Publish a Python package using twine

To publish (upload) packages using twine, edit the ~/.pypirc file (%HOME%\.pypirc on Windows):

[distutils]
index-servers =
    {REGISTRY}

[{REGISTRY}]
repository = https://{WORKSPACE}.bytesafe.dev/python/{REGISTRY}/
username = bytesafe
password = {TOKEN}

Example

[distutils]
index-servers =
    pypi-firewall

[pypi-firewall]
repository = https://example.bytesafe.dev/python/pypi-firewall/
username = bytesafe
password = {TOKEN}

You can then publish a built package with:

$ python3 -m twine upload --repository pypi-firewall dist/*

Proxy pypi.org as an upstream

Proxy any public Python package index with Bytesafe by adding the public Python Package Index as an upstream for a registry. This configuration is enabled for the default registry created when first entering a new workspace.

To add an upstream manually, go to the upstreams tab for a registry and click the Add upstream button.

In the sidebar, select the public registry, PyPI - https://pypi.org/simple, in the drop-down list, or add any other Python Package Index.


No additional information is required to pull packages from the public registry.

Users that also want to publish packages to the public registry are required to provide their authentication token.

Actions related to enabled plugins (like vulnerability scanning and license compliance checks) are performed before package versions enter a registry.


Example: Upstream configuration where Bytesafe proxies the public Python Package Index.

Flowchart: pypi.org <-- pull / push --> Bytesafe registry <-- install / publish --> User / Project

  • Users interact with the Bytesafe registry (e.g. with pip or twine).
  • Bytesafe handles the interaction with pypi.org.
  • Package versions that are not available in the Bytesafe registry are requested from pypi.org, and the downloaded package version is cached in Bytesafe.

Alternative configuration

Authentication

Instead of adding the user and token to the pip.conf (pip.ini) file as described above, an alternative is to add the access token to the ~/.netrc file (%HOME%\_netrc on Windows).

machine {WORKSPACE}.bytesafe.dev
login bytesafe
password {TOKEN}
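
An added example, not Bytesafe's own code: a Python check that finds access tokens embedded in the index URLs of a pip configuration file, reports whether other local users can read that file, and produces the credential-free URL plus the matching ~/.netrc entry described above. The names audit_pip_conf and demo, the sample token and workspace, and the POSIX permission check are assumptions of this example.

```python
import configparser
import os
import stat
import tempfile
from urllib.parse import urlsplit, urlunsplit


def audit_pip_conf(path):
    """Report index URLs in a pip config that embed credentials, with the
    clean URL, the ~/.netrc equivalent and POSIX file exposure for each."""
    cfg = configparser.RawConfigParser()  # raw: a token may contain '%'
    cfg.read(path)
    # True when any group/other permission bit is set on the file.
    exposed = bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
    findings = []
    for section in cfg.sections():
        for option, value in cfg.items(section):
            for candidate in value.split():  # an option may hold several URLs
                url = urlsplit(candidate)
                if not url.password:
                    continue
                host = url.hostname + (f":{url.port}" if url.port else "")
                findings.append({
                    "option": f"{section}.{option}",
                    "clean_url": urlunsplit(url._replace(netloc=host)),
                    "netrc": f"machine {url.hostname}\nlogin {url.username}\n"
                             f"password {url.password}",
                    "file_exposed": exposed,
                })
    return findings


def demo():
    # Constructed sample: placeholder workspace and token, not real values.
    sample = ("[global]\nindex-url = https://bytesafe:CONSTRUCTED-TOKEN"
              "@example.bytesafe.dev/python/pypi-firewall/\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pip.conf")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # world-readable: the token is exposed
        loose = audit_pip_conf(path)
        os.chmod(path, 0o600)  # owner-only
        tight = audit_pip_conf(path)
    return loose, tight


if __name__ == "__main__":
    print(demo())
```

Point audit_pip_conf at ~/.config/pip/pip.conf or $VIRTUAL_ENV/pip.conf; any finding with file_exposed set to True means the token is readable by other accounts on the machine.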

Installing from a specific firewall/registry

If you have not defined a default firewall or registry, specify one when installing packages, as in the example below:

$ pip install -i "https://{WORKSPACE}.bytesafe.dev/python/{REGISTRY}/" {PACKAGE}