Python Repository
Cloudsmith provides public & private repositories for Python packages
Python is an awesome general-purpose programming language (we use it!). Cloudsmith is proud to support fully-featured registries for managing your own public and private python packages.
For more information on Python, please see:
The examples in this document are generic. Cloudsmith provides contextual setup instructions within each repository, complete with copy n' paste snippets (with your namespace/repo pre-configured).
In the following examples:
| Identifier | Description |
|---|---|
| OWNER | Your Cloudsmith account name or organization name (namespace) |
| REPOSITORY | Your Cloudsmith Repository name (also called "slug") |
| TOKEN | Your Cloudsmith Entitlement Token (see Entitlements for more details) |
| USERNAME | Your Cloudsmith username |
| PASSWORD | Your Cloudsmith password |
| API-KEY | Your Cloudsmith API Key |
| PACKAGE_NAME | The name of your package |
| PACKAGE_VERSION | The version number of your package |
Upload a Package
To upload, you need to generate your package first. You can do this with:
python setup.py bdist_wheel --universal
This generates a wheel package file (.whl) like your-package-1.2.3.whl that you can upload.
This assumes that you've created a
setup.pyfile for your project. Please see the official PyPA packaging guide on how to create asetup.pyfor more information. There are also different types of distributions that you might be interested in, such as a source distribution, tarball distribution, etc.
Upload via native Python tooling
The endpoint for the native Python API is:
https://python.cloudsmith.io/OWNER/REPOSITORY/
In order to authenticate for native publishing, you'll need to create a .pypirc file (in your $HOME or project directory), with the following:
[distutils]
index-servers =
pypi
cloudsmith
[cloudsmith]
repository: https://python.cloudsmith.io/OWNER/REPOSITORY/
username: USERNAME
password: API-KEY
You can then publish from your project directory using twine:
twine upload -r cloudsmith dist/PACKAGE_NAME-PACKAGE_VERSION.whl
Upload via the Cloudsmith CLI
For full details of how to install and setup the Cloudsmith CLI, see Command Line Interface.
The command to upload a Python package via the Cloudsmith CLI is:
cloudsmith push python OWNER/REPOSITORY PACKAGE_NAME-PACKAGE_VERSION.whl
Example:
cloudsmith push python org/repo boto3-1.4.4.py2.p3-none-any.whl
Upload via Cloudsmith Website
Please see Upload a Package for details of how to upload via the Website UI.
Download / Install a package
Setup
You have a choice of 2 methods to set up your Cloudsmith repository:
- Python set up via command line
- Python set up via Pip
Public Repositories
Set up via command line
Tell pip the location of your Cloudsmith repository using the the --index-url option.
pip install PACKAGE_NAME==PACKAGE_VERSION --index-url https://dl.cloudsmith.io/public/OWNER/REPOSITORY/python/simple/
Set up via Pip
Similar to set up via command-line, pip needs to be passed the --index-url configuration option. To do this add --index-url to the top of your requirements.txt (or similar) file:
--index-url https://dl.cloudsmith.io/public/OWNER/REPOSITORY/python/simple/
PACKAGE_NAME==PACKAGE_VERSION
Private Repositories
Private Cloudsmith repositories require authentication. You can choose between two types of authentication:
- Entitlement Token Authentication
- HTTP Basic Authentication.
The setup method will differ depending on what authentication type you choose to use.
Entitlement Tokens, User Credentials and API-Keys should be treated as secrets, and you should ensure that you do not commit them in configurations files along with source code or expose them in any logs.
Set up via command line
pip install PACKAGE_NAME==PACKAGE_VERSION --index-url https://dl.cloudsmith.io/TOKEN/OWNER/REPOSITORY/python/simple/
pip install PACKAGE_NAME==PACKAGE_VERSION --index-url https://USERNAME:[email protected]/basic/OWNER/REPOSITORY/python/simple/
pip install PACKAGE_NAME==PACKAGE_VERSION --index-url https://USERNAME:[email protected]/basic/OWNER/REPOSITORY/python/simple/
pip install PACKAGE_NAME==PACKAGE_VERSION --index-url https://token:[email protected]/basic/OWNER/REPOSITORY/python/simple/
Set up via Pip
Similar to set up via command-line, pip needs to be passed the --index-url configuration option. To do this add --index-url to the top of your requirements.txt (or similar) file:
--index-url https://dl.cloudsmith.io/TOKEN/OWNER/REPOSITORY/python/simple/
PACKAGE_NAME==PACKAGE_VERSION
--index-url https://USERNAME:[email protected]/basic/OWNER/REPOSITORY/python/simple/
PACKAGE_NAME==PACKAGE_VERSION
--index-url https://USERNAME:[email protected]/basic/OWNER/REPOSITORY/python/simple/
PACKAGE_NAME==PACKAGE_VERSION
--index-url https://token:[email protected]/basic/OWNER/REPOSITORY/python/simple/
PACKAGE_NAME==PACKAGE_VERSION
Private Repository Credential Security
As private repositories require authentication in order to access the repository content, when specifying a private repository in a requirements.txt file please bear in mind that the URL will contain the credentials (especially important if the requirements.txt file is shared.)
You could choose to encrypt your requirements.txt file via something like git-crypt (if you're using git or GitHub, for example).
Removing Setup
If you no longer want to install packages from the repository, remove the --index-url line from your $HOME/.pip/pip.conf file.
Extra index url
When using pip to access your packages, there are two parameter options to ensure pip searches your repository - they are --index-url and --extra-index-url.
There is an important distinction to be made between these parameters, especially from a security perspective.
Specifying --index-url will override pip's default repository and only search the specified repository. This is the recommended approach from Cloudsmith. This improves your security posture as it reduces the risk of malicious public packages being installed in place of your own.
Dependency confusion
An attack known as dependency confusion: where an attacker can claim the package on the public repository in a way that will ensure it gets chosen over the private package.
If you still wish to access third-party repositories, like pypi.org, paid-for Cloudsmith plans include upstream proxying. This allows your repository to call out to other python repositories whenever a package cannot be found in your repository. See the Upstream Proxying section below.
If your Cloudsmith plan does not include upstream proxying and some of your dependencies live outside your Cloudsmith repository, then you can also also specify extra index urls to pip. This is done by specifying --extra-index-url. When pip is supplied with extra index urls, it has a list of repositories it searches for packages (the extra urls plus the index url). Note, this list is not ordered. All repositories are considered equal and pip will simply search for the best package match according to PEP 440. Using the --extra-index-url increases your exposure to dependency confusion attacks.
See pip install for more information.
TLDR
To search your Cloudsmith repository for packages use the
--index-urlPip configuration argument.Using the
--index-urlconfiguration option will force pip to search only the Cloudsmith repository and will result in pip not being able to install public (PyPi) packages that your private package may depend on. This reduces your exposure to dependency confusion attacks.
Security Scanning
Supported
Please see our Security Scanning documentation for further information.
Upstream Proxying / Caching
Configurable Proxying Caching.
Please see Upstream Proxying for more details.
Upstreams provide a way to blend multiple Python repositories into a single repository. This allows your single Cloudsmith repository to serve packages from multiple 'upstream' repositories (like PyPi.org, Artifactory, DevPi etc). Please note, blended upstreams can be a source of dependency confusion attacks.
Key Signing Support
GPG
Troubleshooting
Please see the Troubleshooting page for further help and information.
Updated 5 months ago
