Search code examples
pythondependency-managementpypipython-packaging

How can I build / distribute / install Python packages with limited access to packages from PyPI?


At my workplace pip is not able to access the outside world to download packages. I'm not sure what system exactly is preventing this, but ideally I shouldn't be installing any old packages from the internet anyway. The only way I can install packages from online is to download a source distribution or wheel from the PyPI site or from the package's github and run pip install --no-deps <package path> so that pip doesn't attempt to go online for dependencies which would just hang for a long time and then fail.

I am developing some tools for my own use, and would like to package and distribute them to other members of my team so that they can be installed from a tarball or wheel, and also not require them to go online and pull more dependencies manually. The tools I'm writing are using the standard library so they don't require any online dependencies.

I'm leaning towards disregarding deprecation and using the setuptools versions of the now-removed distutils module, and writing a setup.py file for my package. However, this is deprecated or at least seems heavily discouraged. The setuptools user guide gives instructions for using the build package, but this package has a set of dependencies, and some of those have their own dependencies, and manually installing all of those packages by hand is a serious headache.

At the top-level build requires:

  • colorama (this feels like it should be optional)
  • importlib-metadata
  • packaging
  • pyproject_hooks
  • tomli

and some of these have their own list of dependencies.

Does anyone in a similarly restricted environment have a preferred method for building and installing internal packages? If so, what is your process?

In an ideal world I could just install all of the dependencies I need with no problem, but I understand that has security implications and I don't think I'll be able to make any sort of exceptions for pip's access being blocked.

What I've Tried

I have read documentation for various Python packaging methods, and the simplest I could find that isn't "deprecated" still requires the build package, which as I've said requires a large-enough tree of dependencies that installing them all manually is out of the question and still is in a gray area of acceptability for security reasons.

The setuptools documentation recommends against the use of setup.py: setuptools quickstart

The latest version of Python officially removes distutils from the standard library and continuing to use setup.py builds with modules from setuptools seems to be discouraged for the most part PEP 0632


Solution

  • In my situation it seems that the most straightforward course of action is to ignore the fact that directly using setup.py is discouraged and do it anyway. With setup.py importing setup from setuptools I'm able to build a package that can be installed with pip by running python setup.py sdist

    Of the suggestions in the comments this seems to be only way to build a package that only requires installation of setuptools if it isn't already installed.

    I would still like a more modern and elegant solution, but that may not be possible due to whatever is restricting pip's access to the internet.