Metadata-Version: 2.4
Name: devpi-server
Version: 7.0.0b3
Summary: devpi-server: backend for hosting private package indexes and PyPI on-demand mirrors
Maintainer-email: Florian Schulze <mail@pyfidelity.com>
License-Expression: MIT
Project-URL: Bug Tracker, https://github.com/devpi/devpi/issues
Project-URL: Changelog, https://github.com/devpi/devpi/blob/main/server/CHANGELOG
Project-URL: Documentation, https://doc.devpi.net
Project-URL: Funding, https://github.com/sponsors/devpi
Project-URL: Homepage, https://devpi.net
Project-URL: Source Code, https://github.com/devpi/devpi
Keywords: pypi,realtime,cache,server
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Web Environment
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Classifier: Programming Language :: Python :: Implementation :: PyPy
Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
Classifier: Topic :: Internet :: WWW/HTTP
Requires-Python: >=3.11
Description-Content-Type: text/x-rst
License-File: LICENSE
Requires-Dist: argon2-cffi
Requires-Dist: attrs>=22.2.0
Requires-Dist: defusedxml
Requires-Dist: devpi_common<5,>3.6.0
Requires-Dist: httpdate
Requires-Dist: httpx<1
Requires-Dist: itsdangerous>=0.24
Requires-Dist: lazy
Requires-Dist: legacy-cgi; python_version >= "3.13"
Requires-Dist: passlib[argon2]
Requires-Dist: platformdirs
Requires-Dist: pluggy<2.0,>=0.6.0
Requires-Dist: pyramid>=2
Requires-Dist: repoze.lru>=0.6
Requires-Dist: setuptools<=81
Requires-Dist: sqlalchemy!=2.1.0b1,>=2
Requires-Dist: strictyaml
Requires-Dist: waitress>=1.0.1
Requires-Dist: ruamel.yaml
Dynamic: license-file

====================================================================================
devpi-server: backend for hosting private package indexes and PyPI on-demand mirrors
====================================================================================


PyPI on-demand package mirror
=============================

You can point ``uv``, ``pip`` or another Python package installer to the ``root/pypi/+simple/`` index,
serving as a transparent on-demand mirror for PyPI-hosted packages.


User specific indexes
=====================

Each user (which can represent a person, project or team) can have multiple indexes,
and can upload packages and documents to these indexes via standard ``twine`` or ``setup.py`` invocations.
Users and indexes can be manipulated through `devpi-client`_ and a RESTful HTTP API.


Index inheritance
=================

Each index can be configured to merge in other indexes so that it serves
both its uploads and all releases from other index(es).  For example, an
index using ``root/pypi`` as a parent is a good place to test out a
release candidate before you push it to PyPI.


Sensible defaults for a low friction deployment
===============================================

Get started easily and deploy a devpi-server instance with pre-configured templates for ``nginx`` and process managers.


Separate tool for Packaging/Testing activities
==============================================

The complementary `devpi-client`_ tool helps to manage users, indexes, logins and typical package upload and installation workflows.

See https://doc.devpi.net on how to get started and further documentation.


.. _devpi-client: https://pypi.org/project/devpi-client/


Support
=======

If you find a bug, use the `issue tracker at Github`_.

For general questions, use `GitHub Discussions`_ or the `devpi-dev@python.org mailing list`_.

For support contracts and paid help, contact ``mail at pyfidelity.com``.

.. _issue tracker at Github: https://github.com/devpi/devpi/issues/
.. _devpi-dev@python.org mailing list: https://mail.python.org/mailman3/lists/devpi-dev.python.org/
.. _GitHub Discussions: https://github.com/devpi/devpi/discussions



=========
Changelog
=========




.. towncrier release notes start

7.0.0b3 (2026-06-16)
====================

Deprecations and Removals
-------------------------

- Removed deprecated ``devpiserver_auth_user`` hook.

- Remove ``--keyfs-cache-size`` option and replace it with ``large_cache_size`` and ``small_cache_size`` storage options.

- Deprecated ``get_possible_indexconfig_keys``, ``get_default_config_items`` and ``normalize_indexconfig_value`` methods on index customizer in favor of new ``get_indexconfig_fields``.

- Removed lots of previously deprecated things.

- Removed experimental ``--enable-core-metadata`` command line option, the feature is now always enabled.

- Removed ``hash_spec`` from JSON responses, use ``hashes`` instead.

- Deprecated ``devpiserver_indexconfig_defaults`` hook in favor of new ``devpiserver_indexconfig_fields`` hook.

- Removed ``mirror_whitelist`` and replaced it with ``project_inheritance_rules`` in index configuration and ``inheritance_rules`` in the newly added project configuration. The replacement for the former default with an empty ``mirror_whitelist`` is ``block type:remote if local_exists``. The replacement for ``*`` is ``allow all``. To allow a specific project to be merged with upstream releases the new project config needs the ``inheritance_rules`` option to be set to ``allow all``. For now these rules are the only possibilities matching the old functionality of ``mirror_whitelist``.

- Require at least Python 3.11.

- Replaced ``devpiserver_storage_backend`` with new ``devpiserver_describe_storage_backend``.

- Fix #930: remove remaining uses of unmaintained py library.

Features
--------

- Support core-metadata hashes for local indexes. Refs #1018

- Parse and store PEP 658 metadata hashes if a remote provides them. Refs #1018

- Completely switch from ``requests`` to ``httpx``.

- Apply project/version filters on all inherited indexes instead of only the current index. This makes devpi-constrained work as a base.

- The project REST API includes the project configuration and information about inheritance from base indexes when the ``v=2`` query is added to the ``GET`` request. The inheritance information also includes warnings about inheritance cycles, missing bases and other problems.

- The project REST API allows setting configuration via ``POST``.

- When changing the ``remote_url`` any stored remote info like ETAGs or serials is invalidated.

- Fix #1091: Support ``truststore`` as SSL/TLS context provider. The package needs to be installed separately, it is not a default dependency.

- Support ``size`` and ``upload-time`` (refs #1061) fields from PEP 700 in JSON simple API version 1.1.
  If releases from remote indexes are included, the result API version is limited to the minimum supported version of all remotes.

Other Changes
-------------

- Long descriptions in version metadata are now stored in files instead of the database.
  This is mostly transparent.
  If the file doesn't exist (yet) on a replica,
  the json API will return a dictionary with the file information instead of a string.

- Renamed the ``stage`` index to ``local``. This affects the ``type`` field of the HTTP API.

- Renamed ``mirror_whitelist_inheritance`` to ``trust_inheritance_rules_from`` and the values ``intersection`` to ``none``, and ``union`` to ``type:not remote`` to make the intention more obvious.

- Since 6.9.2 only unique values where added when using ``+=`` via PATCH to all list or tuple types. Now this only applies to ACLList and the new UniqueList and UniqueTuple classes, regular list and tuple allow adding duplicate values again. This restores compatibility with devpi-pr.

- Renamed ``devpiserver_get_mirror_auth`` hook to ``devpiserver_get_remote_auth``.

- Renamed the ``mirror`` index to ``remote``. This affects the ``type`` field of the HTTP API and the "mirror_*" index options.

- Renamed ``devpiserver_mirror_initialnames`` hook to ``devpiserver_remote_initialnames``.

- Renamed ``--mirror-cache-expiry``/``mirror_cache_expiry`` option to ``--remote-refresh-delay``/``remote_refresh_delay``.

- By default the password of the root user is not set and you have to either use ``devpi-passwd`` after initialization, or one of the ``--root-passwd`` or ``--root-passwd-hash`` options with ``devpi-init``.

- Replaced the default storage backend with a new one using SQLAlchemy and optimized database schema for size and performance.

  .. warning::
      This change requires an export of your data using ``devpi-export`` with the previous major devpi-server version 6.x and an import using ``devpi-import`` with devpi-server 7.x.

6.20.2 (2026-06-11)
===================

Bug Fixes
---------

- Fix logic error which allowed unauthorized fetching of replication data.


6.20.1 (2026-05-11)
===================

Bug Fixes
---------

- Pass through request headers when streaming .metadata from mirror. Refs #1018


6.20.0 (2026-04-30)
===================

Features
--------

- Add experimental bare bones core-metadata ([PEP 658](https://peps.python.org/pep-0658/), [PEP 714](https://peps.python.org/pep-0714/)) support with ``--enable-core-metadata`` command line option and ``mirror_provides_core_metadata`` mirror index option. Refs #1018

Bug Fixes
---------

- Update replica status when the replica is waiting for new serials using the streaming changelog endpoint.


6.19.3 (2026-04-13)
===================

Bug Fixes
---------

- Fix #1112: Parse simple JSON reply even with wrong content-type in reply if the body seems to contain JSON.

- Return stale project list for mirrors when the lock can't be acquired within the timeout.

- Fix importing of toxresults from devpi-server 6.5.0 to 6.9.0 where the wrong hash was stored.

