# general
f
Is there a way to let pants bootstrap itself without reaching out to the internet? That is, is there a way to pre-download the packages that it will need and somehow distribute them to systems that will need to run the `./pants` script?
w
there is not a way to download everything unfortunately. it’s possible to lock down the `pants` script quite a bit (replacing the virtualenv) by replacing it with a `pex` though.
f
I guess my use case is that our security team would really like us to avoid reaching out to pypi (and these days, i'm inclined to agree). I guess pants reaches out to PyPI and crates.io as well?
w
no, not to crates.io: we release binary wheels
if you adjust the `pants` script to point it at an Artifactory/caching-proxy for that PyPI resolve, that locks things down quite a bit… presumably you already are for the rest of your python resolves?
f
haha nope, we're relying on fedora packaging being kosher and pretending like language-level packaging doesn't exist
w
so you have no `python_requirements`…?
f
nope
w
wow. interesting
f
we're basically living in RPM dependency soup
w
anywho: regarding the `pants` script: yea, can either point that at an artifactory/caching-proxy-instance/collection of wheels, or build a PEX
… oh. or, use the release PEXes, which are not well documented: https://github.com/pantsbuild/pants/releases
f
building a pex still requires that someone bless the things that go into the pex, but that's probably easier than getting the caching-proxy policy right
i mean you can just download the pex and throw it in your repo i guess
okay well at least there's options; thanks for the info!
h
We haven't done a very good job releasing PEXes, in part because I removed some automation of that process to unblock switching from Travis to GitHub. Lmk if you do go with release PEXes and we can fix that.
f
Throwing a set of wheels in s3/cloudfront and pointing the script at it may be easy enough. I don't really need offline installs, I just need to vet what the script is picking up
h
Speaking of which, have you seen @happy-kitchen-89482’s design doc about supply chain attacks and Pants's installation? https://docs.google.com/document/d/17Y6_YjLqv6hY5APWLaRw5CMvr_FVDBIWK6WS57mioNg/edit
f
no but this is great
h
Great! And we're eagerly pushing to finish the lockfile project in Pants 2.7, including per-tool lockfiles when you're installing things like Flake8 and Black. There, lockfiles must be fully comprehensive and include hashes. Supply chain attacks are top of mind and we're committed to Pants helping to reduce the risk.
f
This is great information, thanks!
Supply chain attacks are like the hipster security issue of 2021, so hot right now
I joke, but it is an important issue and I'm glad to see that y'all are taking it seriously
w
…oh, true. even if you have no requirements, you’ll still be reaching out to the internet for tools =/
h
I am very hip 🙂 and we are taking this issue seriously, hence that document
p
aside from artifactory, do you know of a good caching proxy?
f
sonatype nexus
devpi if you're cheap and/or a masochist
p
Thanks! Will check out devpi. 🙂
f
i've actually had trouble getting devpi caching to work properly, even for simple uses on my personal laptop, but that's just my experience
p
HM. I'd like something local for when I'm fixing up dockerfiles and nexus is java which competes for memory.
f
give it a try, there are tutorials that purportedly explain how to set it up