Python Repository

Python is an awesome general-purpose programming language (we use it!). Cloudsmith is proud to support fully-featured registries for managing your own public and private python packages.

For more information on Python, please see:

• Python: The official website for Python
• PyPi: The Python Package Index

Contextual Documentation

The examples in this document are generic. Cloudsmith provides contextual setup instructions within each repository, complete with copy n' paste snippets (with your namespace/repo pre-configured).

In the following examples:

Upload a Package

To upload, you need to generate your package first. You can do this with:

python setup.py bdist_wheel --universal

This generates a wheel package file (.whl) like your-package-1.2.3.whl that you can upload.

📘

This assumes that you've created a setup.py file for your project. Please see the official PyPA packaging guide on how to create a setup.py for more information. There are also different types of distributions that you might be interested in, such as a source distribution, tarball distribution, etc.

Upload via native Python tooling

The endpoint for the native Python API is:

https://python.cloudsmith.io/OWNER/REPOSITORY/

In order to authenticate for native publishing, you'll need to create a .pypirc file (in your $HOME or project directory), with the following:

[distutils]
index-servers =
  pypi
  cloudsmith
[cloudsmith]
  repository: https://python.cloudsmith.io/OWNER/REPOSITORY/
  username: USERNAME
  password: API-KEY

You can then publish from your project directory using twine:

twine upload -r cloudsmith dist/PACKAGE_NAME-PACKAGE_VERSION.whl

Upload via the Cloudsmith CLI

For full details of how to install and setup the Cloudsmith CLI, see Command Line Interface.

The command to upload a Python package via the Cloudsmith CLI is:

cloudsmith push python OWNER/REPOSITORY PACKAGE_NAME-PACKAGE_VERSION.whl

Example:

cloudsmith push python org/repo boto3-1.4.4.py2.p3-none-any.whl

Upload via Cloudsmith Website

Please see Upload a Package for details of how to upload via the Website UI.

Download / Install a package

Setup

You have a choice of 2 methods to set up your Cloudsmith repository:

• Python set up via command line
• Python set up via Pip

Public Repositories

Set up via command line

Tell pip the location of your Cloudsmith repository using the the --index-url option.

pip install PACKAGE_NAME==PACKAGE_VERSION --index-url https://dl.cloudsmith.io/public/OWNER/REPOSITORY/python/simple/

Set up via Pip

Similar to set up via command-line, pip needs to be passed the --index-url configuration option. To do this add --index-url to the top of your requirements.txt (or similar) file:

--index-url https://dl.cloudsmith.io/public/OWNER/REPOSITORY/python/simple/
PACKAGE_NAME==PACKAGE_VERSION

Private Repositories

📘

Private Cloudsmith repositories require authentication. You can choose between two types of authentication:

• Entitlement Token Authentication
• HTTP Basic Authentication.

The setup method will differ depending on what authentication type you choose to use.

🚧

Entitlement Tokens, User Credentials and API-Keys should be treated as secrets, and you should ensure that you do not commit them in configurations files along with source code or expose them in any logs.

Set up via command line

pip install PACKAGE_NAME==PACKAGE_VERSION --index-url https://dl.cloudsmith.io/TOKEN/OWNER/REPOSITORY/python/simple/

pip install PACKAGE_NAME==PACKAGE_VERSION --index-url https://USERNAME:[email protected]/basic/OWNER/REPOSITORY/python/simple/

pip install PACKAGE_NAME==PACKAGE_VERSION --index-url https://USERNAME:[email protected]/basic/OWNER/REPOSITORY/python/simple/

pip install PACKAGE_NAME==PACKAGE_VERSION --index-url https://token:[email protected]/basic/OWNER/REPOSITORY/python/simple/

Set up via Pip

Similar to set up via command-line, pip needs to be passed the --index-url configuration option. To do this add --index-url to the top of your requirements.txt (or similar) file:

--index-url https://dl.cloudsmith.io/TOKEN/OWNER/REPOSITORY/python/simple/
PACKAGE_NAME==PACKAGE_VERSION

--index-url https://USERNAME:[email protected]/basic/OWNER/REPOSITORY/python/simple/
PACKAGE_NAME==PACKAGE_VERSION

--index-url https://USERNAME:[email protected]/basic/OWNER/REPOSITORY/python/simple/
PACKAGE_NAME==PACKAGE_VERSION

--index-url https://token:[email protected]/basic/OWNER/REPOSITORY/python/simple/
PACKAGE_NAME==PACKAGE_VERSION

Private Repository Credential Security

As private repositories require authentication in order to access the repository content, when specifying a private repository in a requirements.txt file please bear in mind that the URL will contain the credentials (especially important if the requirements.txt file is shared.)

You could choose to encrypt your requirements.txt file via something like git-crypt (if you're using git or GitHub, for example).

Removing Setup

If you no longer want to install packages from the repository, remove the --index-url line from your $HOME/.pip/pip.conf file.

Extra index url

When using pip to access your packages, there are two parameter options to ensure pip searches your repository - they are --index-url and --extra-index-url.

There is an important distinction to be made between these parameters, especially from a security perspective.

Specifying --index-url will override pip's default repository and only search the specified repository. This is the recommended approach from Cloudsmith. This improves your security posture as it reduces the risk of malicious public packages being installed in place of your own.

📘

Dependency confusion

An attack known as dependency confusion: where an attacker can claim the package on the public repository in a way that will ensure it gets chosen over the private package.

If you still wish to access third-party repositories, like pypi.org, paid-for Cloudsmith plans include upstream proxying. This allows your repository to call out to other python repositories whenever a package cannot be found in your repository. See the Upstream Proxying section below.

If your Cloudsmith plan does not include upstream proxying and some of your dependencies live outside your Cloudsmith repository, then you can also also specify extra index urls to pip. This is done by specifying --extra-index-url. When pip is supplied with extra index urls, it has a list of repositories it searches for packages (the extra urls plus the index url). Note, this list is not ordered. All repositories are considered equal and pip will simply search for the best package match according to PEP 440. Using the --extra-index-url increases your exposure to dependency confusion attacks.

See pip install for more information.

📘

TLDR

To search your Cloudsmith repository for packages use the --index-url Pip configuration argument.

Using the --index-url configuration option will force pip to search only the Cloudsmith repository and will result in pip not being able to install public (PyPi) packages that your private package may depend on. This reduces your exposure to dependency confusion attacks.

Security Scanning

Supported
Please see our Security Scanning documentation for further information.

Upstream Proxying / Caching

Configurable Proxying Caching.

Please see Upstream Proxying for more details.

Upstreams provide a way to blend multiple Python repositories into a single repository. This allows your single Cloudsmith repository to serve packages from multiple 'upstream' repositories (like PyPi.org, Artifactory, DevPi etc). Please note, blended upstreams can be a source of dependency confusion attacks. This attack vector will be addressed in future versions of Cloudsmith.

Key Signing Support

GPG

Troubleshooting

Please see the Troubleshooting page for further help and information.