python - 在 Pypi 上注册一个内部包

Question

我在某处读到，如果您为专有工作制作内部 Python 包，您仍应在 PyPi 上注册名称以避免 future 潜在的依赖性问题。

如何在不公开发布我的代码的情况下执行此操作？这个包包含在我的工作中内部使用的代码。我应该使用我想要保留的名称制作一个空的 python 包并将其上传到 PyPi 吗？然后在工作时使用 git 而不是 PyPi 安装我的包？

上传一个空包似乎是一件愚蠢的事情，只会惹恼其他人。但是我找不到只注册名称的方法。

Answer 1

Since the register command is deprecated and not supported anymore ，您将必须执行以下步骤:

1. 创建一个 stub setup.py，包含空包列表、初始版本和填充的元数据
2. 构建并上传包
3. 转到 PyPI并删除您刚刚上传的初始包版本

这样，包名称将保留给您，因为您现在已注册为它的所有者，但搜索包将不会产生任何结果，任何直接访问都将导致 404。

假设您要保留包名称 foo。步骤:

1. 创建一个新的 setup.py stub 。确保 packages 列表是空的，这样你就不会不小心上传一些代码:

   from setuptools import setup
   
   setup(
       name='foo',
       version='0.0.1',
       description='',
       long_description='',
       url='https://www.example.com',
       author='me',
       author_email='me@example.com',
       packages=[],
       classifiers=['Development Status :: 1 - Planning'],
   )
   

2. 构建并上传包:

   $ python setup.py bdist_wheel upload
   running bdist_wheel
   running build
   ...
   running upload
   Submitting /tmp/foo/dist/foo-0.0.1-py3-none-any.whl to https://upload.pypi.org/legacy/
   Server response (200): OK
   

3. 删除上传的轮子:转到项目页面https://pypi.python.org/pypi?%3Aaction=pkg_edit&name=foo，在这里您可以找到上传的列表wheels - 选择你上传的一个，然后按 Remove。

现在您已经保留了项目名称，因为没有人能够上传包 foo 除非您授予他们 PyPI 的管理员权限:

$ python setup.py bdist_wheel upload
running bdist_wheel
running build
...
running upload
Submitting /tmp/foo/dist/foo-0.0.2-py3-none-any.whl to https://upload.pypi.org/legacy/
Upload failed (403): The user 'bar' is not allowed to upload to project 'foo'. See https://pypi.org/help#project-name for more information.
error: Upload failed (403): The user 'bar' is not allowed to upload to project 'foo'. See https://pypi.org/help#project-name for more information.

$ twine upload dist/foo-0.0.2-py3-none-any.whl 
Uploading distributions to https://upload.pypi.org/legacy/
Uploading foo-0.0.2-py3-none-any.whl
HTTPError: 403 Client Error: The user 'bar' is not allowed to 
upload to project 'foo'. See https://pypi.org/help#project-name for 
more information. for url: https://upload.pypi.org/legacy/

任何直接访问尝试都将以 404 结束:

$ curl -I https://pypi.python.org/pypi/foo
HTTP/2 404

通过 pip 安装将按预期失败:

$ pip install foo
Collecting foo
  Could not find a version that satisfies the requirement foo (from versions: )
No matching distribution found for foo

PEP 541

请注意，包索引名称保留 ( PEP 541 ) 上有一个 PEP，它定义了包索引中无法访问、已放弃和无效的项目。在 Name conflict resolution for active projects 部分，它指出:

None of the following qualify for package name ownership transfer:

...

User A owns a project X outside the Package Index. User B creates a package under the name X on the Index. After some time, User A wants to publish project X on the Index but realizes name is taken. This is true even if User A's project X gains notability and User B's project X is not notable.

因此，尽管 PEP 确认没有人可以从您那里拿走一个活跃项目的名称，但在不活跃项目的情况下并不能保证这一点，这是防止域名抢注的一个很好的对策.我对此的理解是，如果你现在保留一个名称而不开发任何东西，而在未来，一个开源项目以该名称出现并变得非常流行，你可以打赌项目所有者的权利将被剥夺。

另外，请注意，空包或没有功能的包可能会被视为无效包并被删除:

A project published on the Package Index meeting ANY of the following is considered invalid and will be removed from the Index:

...

• project is name squatting (package has no functionality or is empty);

• project name, description, or content violates the Code of Conduct; or

• project is abusing the Package Index for purposes it was not intended.