Get Started with private PyPI packages

Get Started with private PyPI packages

Get Started with private PyPI packages

Bytesafe Community Edition (CE) is a free, robust security platform designed to protect organizations from open source software supply chain attacks. It’s an ideal tool to manage your Python projects and packages securely. Here’s a simple guide to get you started with Bytesafe CE and Python.

Setting Up Bytesafe CE

Bytesafe CE is configured to use PostgreSQL for data management and Redis for efficient caching. It stores package artifacts on the local file system, making it a convenient solution for many use cases. For more information on configurable options in Bytesafe CE, see the docs.

Quickstart Using Docker Compose

Bytesafe CE can be installed quickly using Docker Compose which is explained in the following step-by-step guide:

  1. Download the sample docker-compose.yml file to your host from the Bytesafe Community Edition Git repository.
  2. Create an .env file with a unique and secret value for the DATA_ENCRYPTION_KEY environment variable.
  3. Use Docker Compose to start Bytesafe Community Edition, PostgreSQL, and Redis.

$ curl -O https://raw.githubusercontent.com/bitfront-se/bytesafe-ce/master/docker-compose.yml

$ echo "DATA_ENCRYPTION_KEY='$(cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w 50 | head -n 1)'" > .env

$ docker compose up

You can then open a web browser and create your workspace owner account at http://localhost:8081/.

After you have created the workspace owner account, please go ahead and create your first PyPI registry, let’s call it “pypi-firewall

Working with Python Packages

Once you have Bytesafe CE installed and running, you can start managing your Python projects and packages. Bytesafe offers full support for the Python ecosystem with private Python (PyPI) firewalls and registries for your packages and dependencies. You can interact with Bytesafe using your regular tools, such as pip for installing and twine for uploading Python packages.

Note: This post provides a general overview of getting started with Bytesafe CE and Python. For more detailed information see the Python packages | Bytesafe documentation.

Specify a default PyPI firewall or registry

To remove the need of explicitly stating what registry should be used for each request, you can add the configuration to your pip configuration file.

To configure pip, edit the file ~/.config/pip/pip.conf or $VIRTUAL_ENV/pip.conf (%HOME%\pip\pip.ini on Windows):

Note: Replace localhost:8081 below if you have set up a dedicated host for bytesafe, i.e. https://bytesafe.your.domain/ (See URL_PREFIX in Bytesafe CE documentation)

[global]

index-url = https://bytesafe:01GHXM...JBZ@localhost:8081/python/pypi-firewall/

Publish a Python package using twine

To publish (upload) packages using Twine you need to edit the ~/.pypirc (%HOME%\.pypirc) file.

[distutils]

index-servers =

pypi-firewall

[pypi-firewall]

repository = http://localhost:8081/python/pypi-firewall/

username = bytesafe

password = {TOKEN}

You can then publish (a built package) with:

$ python3 -m twine upload --repository pypi-firewall dist/*

Install a Python package using pip

To install Python packages using pip, see the example below. The syntax below assumes you have added user, token and firewall/registry in your pip configuration file:

$ pip install {PACKAGE}

If you have previously installed a package you may want to force `pip` to avoid using the cache. You do this by using the `--no-cache-dir` argument to make sure packages are downloaded from Bytesafe instead of using the local cache.

Proxy pypi.org as an upstream

Proxy any public Python package index with Bytesafe by adding the public Python Package Index as an upstream for a registry. This configuration is enabled for the default registry created when first entering a new workspace.

To add an upstream manually go to the upstreams tab for a registry and click Add upstream button.

In the sidebar, select the public registry, PyPI - https://pypi.org/simple in the drop-down list or add any other Python Package Index.

add-registry-upstream

No additional information is required to pull packages from the public registry.

Users that also want to publish packages to the public registry are required to provide their authentication token.

Additional resources

The following video explains how to get started with Bytesafe SaaS and Python. There are some differences in feature between Bytesafe CE and Bytesafe SaaS, but the setup and configuration are identical.