
pip install from a private bitbucket repo tar.gz file

I have a common private repo that depends on other private repos.

I have a build process that creates a tar.gz file. It's on this URL:

https://git.my_company.com/projects/RA/repos/my-common-module/browse/scripts/testing_dist/api_common_module-4.0.10.tar.gz

Here is the ssh URL:

ssh://git@git.my_company.com:8500/ra/my-common-module.git

My question is: what's the pip command I should use to install it from the terminal? And a follow-up question: what should I write in the requirements.txt file to notate that installation?

You can do this, but it's a potential security risk, so proceed with caution.

Bitbucket Cloud, Bitbucket Server and GitHub allow you to generate App Passwords (Bitbucket Cloud) or Personal Access Tokens (Bitbucket Server, GitHub). These can be limited in scope (e.g. read only) so that the passwords can't be used to perform destructive actions. You can use these to embed a username and password directly in a URL that's pip-installable, e.g.:

pip install -e git+https://charlie:abcdefgh12345678@bitbucket.org/charlie/snakesonaplane.git@master#egg=snakesonaplane

(Note: not a real repo)

Here's the problem: it's almost always dangerous to commit any kind of credential to a project where other people can see it. Putting something like this into your requirements.txt, for example, is almost always going to be a bad idea. Even if it's a read-only password, and even if anyone who might have access to it already has access to everything else it would otherwise provide them access to, it's still a hole. Imagine if one of your teammates leaves your group/company/etc.: they may potentially retain read-only access to all your work for as long as the app password is valid.

The "ideal" solution here is to host your own PyPI server. You can use this to host private packages so they can be pip installed without embedding credentials into requirements files, and if you work for a large organisation there's a fair chance one might already exist. This is a pretty googlable topic so I won't reproduce the wealth of info, but it's worth looking into.
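As an added example (not part of the question or the answer above), here is a small pre-commit style audit that scans a requirements.txt for the `user:password@host` form the answer warns about. The sample requirements text is constructed for the example; the `s3cr3t0k3n` value and the `${BITBUCKET_TOKEN}` placeholder are made up. It flags a password or a bare username on an http(s) URL, leaves the conventional `git@` user on ssh URLs and `${VAR}` placeholders alone (pip expands `${VAR}` from the environment at install time, so no secret is stored in the file), and returns a redacted copy of each offending line so the finding can be logged without re-leaking the credential.

```python
"""Audit a requirements.txt for credentials embedded in package URLs.

Added example, not code from the original question or answer. The sample
requirements below are constructed; the token values are fictitious.
"""
import re
from urllib.parse import urlsplit

# A URL anywhere on the line: scheme (git+https, ssh, https, ...) followed by
# "://" and everything up to whitespace or a "#egg=" style fragment.
_URL_RE = re.compile(r"(?P<url>[a-z][a-z0-9+.-]*://[^\s#]+)", re.IGNORECASE)

# Constructed sample file. Line 3 reuses the (fake) URL from the answer,
# line 6 carries a made-up token as the username, line 7 uses a pip
# environment-variable placeholder, which holds no secret on disk.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.31.0
-e git+https://charlie:abcdefgh12345678@bitbucket.org/charlie/snakesonaplane.git@master#egg=snakesonaplane
git+ssh://git@git.my_company.com:8500/ra/my-common-module.git
https://git.my_company.com/projects/RA/repos/my-common-module/browse/scripts/testing_dist/api_common_module-4.0.10.tar.gz
https://s3cr3t0k3n@git.my_company.com/projects/RA/repos/my-common-module/browse/scripts/testing_dist/api_common_module-4.0.10.tar.gz
https://${BITBUCKET_TOKEN}@git.my_company.com/projects/RA/repos/my-common-module/browse/scripts/testing_dist/api_common_module-4.0.10.tar.gz
"""


def _carries_credential(url):
    """True if the URL's userinfo looks like a stored secret."""
    parts = urlsplit(url)
    user = parts.username or ""
    if "${" in user or "${" in (parts.password or ""):
        return False  # pip substitutes ${VAR} at install time; nothing stored
    if parts.password is not None:
        return True  # explicit user:password@
    # A bare username on http(s) is normally a token; "git@" on ssh is not.
    return bool(user) and not parts.scheme.lower().endswith("ssh")


def _redact(line, netloc):
    """Replace the userinfo part of netloc with *** in the given line."""
    hostport = netloc.rsplit("@", 1)[1]
    return line.replace(netloc, "***@" + hostport)


def find_embedded_credentials(requirements_text):
    """Return [(line_number, url, redacted_line), ...] for offending lines.

    Comments ("#" at line start or after whitespace) are ignored, so the
    "#egg=name" fragment glued to a URL is not mistaken for a comment.
    """
    findings = []
    for lineno, raw in enumerate(requirements_text.splitlines(), 1):
        code = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not code:
            continue
        for match in _URL_RE.finditer(code):
            url = match.group("url")
            if _carries_credential(url):
                findings.append((lineno, url, _redact(raw, urlsplit(url).netloc)))
    return findings


if __name__ == "__main__":
    for lineno, _url, redacted in find_embedded_credentials(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: credential embedded in URL -> {redacted}")
```

The redacted lines are what you would want in CI output: the hit is reported, the secret is not. For the installation itself, the credential can stay out of the file entirely by putting it in `~/.netrc` (pip reads it) or by using the `${VAR}` placeholder form shown on the last sample line with the token exported in the build environment.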
