---
title: "Introducing IPWHL: an alternative Python packaging"
date: 2022-06-19
draft: true
lang: en
categories: [ announcement ]
tags: []
translationKey: "announce-ipwhl"
---

## What is IPWHL?

The interplanetary wheels (IPWHL) are platform-unique, singly-versioned Python built distributions backed by IPFS. IPWHL aims to be a downstream wheel supplier, in a similar fashion to GNU/Linux distributions, while taking advantage of a content-addressing peer-to-peer network to provide a reproducible, easy-to-mirror source of packages.

On IPWHL, for each platform (architecture, operating system, and Python implementation and version), there exists only one single built distribution. The collection of these distribution packages is given as a single IPFS CID. An installer can use solely this content ID and the package names to reproduce exactly the same environment on every platform.

The official IPWHL repository will provide exclusively free software. However, deriving the repository should be trivial and is a supported use case.

## Why?

The cheese shop is great, but choosing cheeses from it can often be confusing. Dependency resolution is expensive, and version requirements are not future-proof. In order to avoid breakage, people usually have to pin packages on the installer side, which is redundant and difficult to validate manually. Additionally, we believe it is not the packaging users' job to do this; they should be able to spend their time doing what they do best: writing and using software.

Moreover, there are millions of ways for a piece of cheese to rot on the way home from the (almost) lawless cheese shop. Everyone can sell at the shop, and thus typosquatting is a common exploit. In addition, cheeses from the shop are not independently verifiable: the checksums are provided along with the files, so the shop is a single point of failure for security attacks.
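To make the verifiability argument concrete, here is an added example (not code from the IPWHL project) that models the two trust models side by side: a checksum served next to the file by the same server, versus a repository identified by one root hash that the user obtains out of band and pins. Real IPFS CIDs are multihashes over chunked UnixFS DAGs; this model substitutes plain SHA-256 hex digests, so every "address" in it is a constructed stand-in rather than a valid CID, and the "gateway" is an in-memory dictionary. The wheel names and bytes are constructed placeholders.

```python
"""Added example: checksum-beside-the-file versus a pinned content-addressed root.

SHA-256 hex digests stand in for IPFS CIDs (a simplification, not the real
CID format); an in-memory dict stands in for the gateway.
"""
import hashlib
import json

# Constructed sample repository: one wheel per project, placeholder bytes.
WHEELS = {
    "foo-1.0-py3-none-any.whl": b"foo wheel bytes",
    "bar-2.1-py3-none-any.whl": b"bar wheel bytes",
}


class VerificationError(Exception):
    """Fetched bytes do not match the hash they were requested by."""


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_repository(wheels: dict) -> tuple:
    """Publish wheels as a content-addressed store.

    Each wheel is stored under its own digest. One index object records, per
    project, the single wheel that exists for this platform, and the digest
    of that index is the repository's root hash, playing the role of an
    IPWHL CID. Returns (root_hash, store). Same wheels, same root hash.
    """
    store, index = {}, {}
    for filename, data in wheels.items():
        wheel_hash = digest(data)
        store[wheel_hash] = data
        project = filename.split("-", 1)[0].lower()
        index[project] = {"filename": filename, "sha256": wheel_hash}
    index_bytes = json.dumps(index, sort_keys=True).encode()
    root_hash = digest(index_bytes)
    store[root_hash] = index_bytes
    return root_hash, store


def fetch_verified(store: dict, expected_hash: str) -> bytes:
    """Fetch by address and recompute the hash, as an IPFS node does per block.

    A mirror serving different bytes under the same address is caught here,
    regardless of any checksum it advertises alongside them.
    """
    data = store[expected_hash]
    if digest(data) != expected_hash:
        raise VerificationError(f"content at {expected_hash[:12]}... does not match its address")
    return data


def install_from_root(store: dict, root_hash: str, project: str) -> bytes:
    """Resolve a project from only the out-of-band root hash and its name."""
    index = json.loads(fetch_verified(store, root_hash))
    return fetch_verified(store, index[project]["sha256"])


def cheese_shop_download(server: dict, filename: str) -> bytes:
    """Checksum-beside-the-file model: data and checksum come from one server,
    so the client can detect transit corruption but not a server that
    replaced both."""
    data, advertised = server[filename]
    if digest(data) != advertised:
        raise VerificationError("checksum mismatch")
    return data


def demo() -> dict:
    """Tamper with the 'foo' wheel in both models and report what each detects."""
    root_hash, store = build_repository(WHEELS)
    original = WHEELS["foo-1.0-py3-none-any.whl"]
    tampered = original + b" plus an unwanted extra payload"

    # Cheese shop: the server swaps the wheel and republishes a matching checksum.
    server = {name: (data, digest(data)) for name, data in WHEELS.items()}
    server["foo-1.0-py3-none-any.whl"] = (tampered, digest(tampered))
    shop_result = cheese_shop_download(server, "foo-1.0-py3-none-any.whl")

    # IPWHL: a mirror swaps the bytes at the wheel's address. It cannot change
    # the address itself, which the installer took from the pinned index.
    bad_store = dict(store)
    bad_store[digest(original)] = tampered
    try:
        install_from_root(bad_store, root_hash, "foo")
        ipwhl_detected = False
    except VerificationError:
        ipwhl_detected = True

    return {
        "cheese_shop_accepted_tampered": shop_result == tampered,
        "ipwhl_rejected_tampered": ipwhl_detected,
        "clean_install_ok": install_from_root(store, root_hash, "foo") == original,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the second half of `demo()`: the only thing the installer needs to be told is the root hash, and every other byte it receives is checked against an address it derived from that root, so a compromised mirror or gateway can only cause a failed install, not a silently different one. With the checksum-beside-the-file layout, the same compromise goes unnoticed.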
There are ongoing efforts to integrate TUF into the Python packaging toolchain; however, it is unlikely that they can entirely mitigate this, due to the centralized nature of the inherent architecture. Centralization also makes it really difficult for mirrors to be useful to users: the cheese shop is not aware of any of its mirrors, let alone able to redirect to the closest one. Mirroring is hardly a collaborative effort: one either provides everything for an entire region, or gives up. On the other hand, many organizations host their Python packages and their dependencies on dedicated machines running 24/7, but the resources mostly go to waste when unused by the companies themselves.

IPWHL makes use of IPFS and statically declared, carefully curated metadata to try to solve most of the listed problems. In addition to providing only one wheel version at a time, source distributions are not supplied, to avoid executing untrusted code on users' machines.

## How to package for IPWHL

TBD

## How to use IPWHL?

### Setting up IPFS

IPFS has a well-documented [installation guide](https://docs.ipfs.io/install/). It is worth noting that several GNU/Linux distributions and BSD-based OSes may have already included it in their repositories. Afterwards, please follow the IPFS quick-start guide. Some downstream go-ipfs packages may also contain an init-system service to automatically manage the IPFS daemon. By default, the daemon opens a local IPFS gateway at port 8080.

### Use it

To use the IPWHL repository, we can simply replace the PyPI index URL with the repository's URL through an IPFS gateway. For pip, you can do this by changing `index-url`:

```sh
pip config --site set global.index-url "http://localhost:8080/ipfs/$IPWHL_CID"
```

Pip does not verify IPFS content addresses itself; it is the local daemon that checks every block it fetches against the CID, so the gateway pip talks to should be your own node rather than a public one.

Mirroring a release is also as simple as pinning its CID:

```sh
ipfs pin add $IPWHL_CID
```

## Feedback

TBD