path: root/content/posts/2022-06-19-announce-ipwhl.md
blob: 412f7bd7c525571d0e6e7be3864cebf5bea6d7cc
---
title: "Introducing IPWHL: an alternative Python packaging"
date: 2022-06-19
lang: en
categories: [ announcement ]
tags: []
translationKey: "announce-ipwhl"
---

This post was excerpted from [discuss.python.org][discuss].

[discuss]: https://discuss.python.org/t/introducing-ipwhl-an-alternative-python-package-repository

## What is IPWHL?

The [interplanetary wheels][IPWHL] are platform-unique, singly-versioned Python
built distributions backed by IPFS. IPWHL aims to be a downstream wheel supplier
in a similar fashion to GNU/Linux distributions, whilst taking advantage of a
content-addressing peer-to-peer network to provide a reproducible,
easy-to-mirror source of packages.

On IPWHL, for each platform (architecture, operating system and Python
implementation and version), there exists only one single built distribution.
The collection of these distribution packages is given as a single IPFS CID.
An installer can use solely this content ID and package names to reproduce
exactly the same environment on every platform.

The official IPWHL repository will provide exclusively free software. However,
deriving the repository should be trivial and is a supported use case.

[IPWHL]: https://sr.ht/~cnx/ipwhl

## Why?

IPWHL is created as a curated and decentralized Python package repository.

The PyPI repository is uncurated: anyone can publish a package there, which
enables typosquatting and some other exploits.  In contrast, by controlling
which packages can go into IPWHL, we significantly reduce the risk of
distributing malware. Decentralizing the repository with IPFS makes mirroring
more helpful and cost-saving. Additionally, by making the wheels
singly-versioned, IPWHL is expected to save time on dependency resolution.

## How to use IPWHL?

### Setting up IPFS

IPFS has a well-documented [installation guide](https://docs.ipfs.io/install/).
It is worth noting that several GNU/Linux distributions and BSD-based OSes may
have already included it in their repositories.  Afterwards, please follow the
IPFS quick-start guide. Some downstream go-ipfs packages may also contain an
init-system service to automatically manage the IPFS daemon. By default, the
daemon opens a local IPFS gateway at port 8080.

### Use it

To use the IPWHL repository, we can simply replace the PyPI URL with the URL of
the repository through an IPFS gateway.  For pip, you can do this by changing
`index-url`:

```sh
pip config --site set global.index-url "http://localhost:8080/ipfs/$IPWHL_CID"
```

Mirroring a release is also as simple as pinning its CID:

```sh
ipfs pin add $IPWHL_CID
```
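
The guard below is an added example, not part of the original post or the IPWHL project: it checks that `$IPWHL_CID` has the shape of a CID before building the `index-url`, so an unset or mistyped variable does not silently point pip at an unintended gateway path. The function names `is_cid` and `ipwhl_index_url`, the optional gateway argument, and the minimum CIDv1 length (which assumes a sha2-256 hash) are assumptions.

```sh
#!/bin/sh
# Added example (hypothetical helpers, not IPWHL's own code).
# Character sets are spelled out so the check does not depend on the locale.
B58=123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz
B32=abcdefghijklmnopqrstuvwxyz234567

# is_cid CID: succeed only if CID is shaped like a CIDv0 or a base32 CIDv1.
# This is a syntax check only; it does not prove the CID is an IPWHL release.
is_cid() {
    case $1 in
        Qm*)
            # CIDv0: exactly 46 base58btc characters (no 0, O, I or l).
            [ "${#1}" -eq 46 ] || return 1
            case $1 in *[!$B58]*) return 1 ;; esac
            ;;
        b*)
            # CIDv1, base32: 'b' prefix, then a-z and 2-7.
            # Assumption: sha2-256 hash, so at least 59 characters.
            [ "${#1}" -ge 59 ] || return 1
            case $1 in *[!$B32]*) return 1 ;; esac
            ;;
        *)
            # Empty, unset, or anything else (spaces, slashes, "..").
            return 1
            ;;
    esac
}

# ipwhl_index_url CID [GATEWAY]: print the index URL, or fail on a bad CID.
# GATEWAY defaults to the local gateway the daemon opens at port 8080.
ipwhl_index_url() {
    if ! is_cid "$1"; then
        echo "refusing malformed CID: '$1'" >&2
        return 1
    fi
    printf 'http://%s/ipfs/%s\n' "${2:-localhost:8080}" "$1"
}

# Usage:
#   url=$(ipwhl_index_url "$IPWHL_CID") &&
#       pip config --site set global.index-url "$url"
```

The same `is_cid` check can precede `ipfs pin add` when mirroring a release.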

## Feedback

IPWHL is in its early stage, so we would appreciate it if you could let us know
how you feel about it.