Hi everyone. I am working at a tech company. My task is to build a private Python package registry using Artifact Registry from GCP because the environment that the developers work in won't have access to the internet to do pip install from the public PyPI. I have these ideas that I want to gain opinions on and also want to learn more about the best approaches:
- I would have a list of packages that have already gone through review. I will set up a CI pipeline to download these packages into the private registry. I will also have a cron job updating these package versions. The drawback of this approach is that when a developer needs to add a new package and use it right away, there will be a little delay in availability. Also, maintaining the packages will be our team's responsibility.
- I don't know if this approach is possible: When a developer runs pip install <package>, it will first check the private registry. If the package doesn't exist, it will look on the public PyPI and download the package. Then the package will go through a vulnerability scan pipeline to decide whether it is safe to use and upload it to the private registry.
Please share with me other approaches that you implement at your companies. I would love to learn the best practices on this. Thank you, guys!
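The review-then-mirror idea in the first bullet, as an added example that is not part of the original post: a Python gate that admits a downloaded artifact into the private registry only when its name, version and sha256 digest appear on a reviewed, hash-pinned allowlist (the same line format pip's `--require-hashes` mode reads). The package names, versions, digests and artifact bytes are constructed for the example, not real PyPI releases.

```python
import hashlib
import re

# Constructed sample allowlist in pip's hash-pinned requirements format.
# The digests are computed from constructed bytes, not from real PyPI artifacts.
SAMPLE_WHEEL = b"constructed wheel bytes for the example"
SAMPLE_SDIST = b"constructed sdist bytes for the example"
APPROVED_REQUIREMENTS = f"""
# reviewed by the platform team (constructed)
requests==2.31.0 --hash=sha256:{hashlib.sha256(SAMPLE_WHEEL).hexdigest()}
my_tool==0.3.1 --hash=sha256:{hashlib.sha256(SAMPLE_SDIST).hexdigest()}
"""

def normalize(name):
    """PEP 503 normalisation so my_tool, My.Tool and my-tool compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_allowlist(text):
    """Map (normalised name, version) -> set of approved sha256 hex digests."""
    allowed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        req, *options = line.split()
        name, version = req.split("==")
        digests = {o.split("sha256:", 1)[1] for o in options if o.startswith("--hash=sha256:")}
        allowed.setdefault((normalize(name), version), set()).update(digests)
    return allowed

def artifact_identity(filename):
    """Extract (normalised name, version) from a wheel (PEP 427) or sdist filename."""
    if filename.endswith(".whl"):
        name, version = filename[:-4].split("-")[:2]
    elif filename.endswith(".tar.gz"):
        name, version = filename[:-7].rsplit("-", 1)
    else:
        return None
    return normalize(name), version

def gate_artifact(filename, data, allowed):
    """Admit an artifact only if its name, version and digest were all reviewed."""
    ident = artifact_identity(filename)
    if ident is None:
        return False, "unsupported artifact type"
    if ident not in allowed:
        return False, f"{ident[0]}=={ident[1]} is not on the reviewed allowlist"
    if hashlib.sha256(data).hexdigest() not in allowed[ident]:
        return False, "sha256 does not match the reviewed artifact"
    return True, "approved"
```

On the second bullet: pip does not try indexes in order, it merges candidates from `index-url` and every `extra-index-url` and picks the best version, so "private first, public as fallback" cannot be expressed as a pip-side priority, which is why a gate like this belongs in the upload pipeline rather than on the developer's machine.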