add new upload-sequence command #509

Open
shubhbapna opened this issue Nov 20, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@shubhbapna
Collaborator

Context

Fromager provides an end-to-end solution to build wheels from scratch as part of a trusted supply chain. However, one crucial part of it is using sources from a trusted artifact store. The downstream pattern of using fromager is to first bootstrap and get the build order file, which is then used to upload the sdists to our private store, after which we run build-sequence to actually build and consume the wheels. In the build-sequence step we need to fetch the sdists from our private trusted store instead of the ones in publicly hosted stores. So we have to run download-sequence first to ensure that build-sequence uses these sdists. This is because the sdist URL in the build order file points to the public ones and we cannot have build-sequence download the sdists from there.

This has caused us to rely on a separate service (which depends on fromager) to upload all these artifacts as well as ensure that download-sequence places the downloaded sdists in the right locations such that when build-sequence runs it thinks that it has already downloaded the sdists and doesn't attempt to download them from the public servers.

Feature Request

Add an upload-sequence command that takes a build order file, uploads the sdists from public servers to private servers and updates all the URLs in the build order to point to the private servers.

  • This will ensure that the uploading service is a first-class citizen of fromager and any changes in fromager that impact it are immediately caught within fromager itself
  • We don't have to rely on download-sequence placing the sdists correctly and build-sequence can use the sdist URLs directly from the build order file

@shubhbapna added the enhancement label Nov 20, 2024

@dhellmann
Member

Another aspect of this to consider for updating the URLs in the build-order file: We would have to assume that the tool that uploads the file knows (is told or can compute) the URL where it can be fetched. Is that always going to be true?

@shubhbapna
Collaborator Author

Maybe we can make it a requirement?

@dhellmann
Member

We could probably make it a requirement. I expect the way that will work for us downstream after our upcoming migration is to upload the artifact using the OCI APIs, then resolve the package using the PyPI API and use that to get the URL.

@shubhbapna
Collaborator Author

Haven't worked with OCI APIs before, maybe it returns the download URL in its response?
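
The rewrite step requested in this issue, together with the requirement discussed above that the uploader can report a fetchable URL, sketched as an added example that is not part of the thread or of fromager's code. It assumes the build order file is a JSON list whose entries carry a `source_url` key; the host `pypi.internal.example`, the `upstream_source_url` key, the sample entries and the stand-in uploader are all hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample; the entry layout and "source_url" key are assumptions
# about the build order file, not taken from the issue.
SAMPLE_BUILD_ORDER = json.dumps([
    {"dist": "flit-core", "version": "3.9.0",
     "source_url": "https://files.pythonhosted.org/packages/aa/flit_core-3.9.0.tar.gz"},
    {"dist": "wheel", "version": "0.45.0",
     "source_url": "https://files.pythonhosted.org/packages/bb/wheel-0.45.0.tar.gz"},
])
TRUSTED_HOST = "pypi.internal.example"  # hypothetical private store


def fake_upload(entry):
    """Stand-in uploader: returns the URL where the private store serves the sdist."""
    name = urlsplit(entry["source_url"]).path.rsplit("/", 1)[-1]
    return f"https://{TRUSTED_HOST}/sdists/{entry['dist']}/{name}"


def rewrite_build_order(text, upload):
    """Upload each sdist via `upload` and point source_url at the returned URL."""
    entries = json.loads(text)
    for entry in entries:
        new_url = upload(entry)
        if not new_url:
            # The uploader must be able to report a fetchable URL.
            raise ValueError(f"no private URL for {entry['dist']}=={entry['version']}")
        entry["upstream_source_url"] = entry["source_url"]  # hypothetical provenance key
        entry["source_url"] = new_url
    return entries


def untrusted_sources(entries, trusted_host=TRUSTED_HOST):
    """Return (dist, url) for entries whose source_url is not https on the trusted host."""
    bad = []
    for entry in entries:
        parts = urlsplit(entry.get("source_url", ""))
        # Compare the parsed hostname exactly; a prefix match would accept look-alikes.
        if parts.scheme != "https" or parts.hostname != trusted_host:
            bad.append((entry["dist"], entry.get("source_url")))
    return bad


if __name__ == "__main__":
    rewritten = rewrite_build_order(SAMPLE_BUILD_ORDER, fake_upload)
    print(json.dumps(rewritten, indent=2))
    print("untrusted:", untrusted_sources(rewritten))
```

Running `untrusted_sources` as a gate before the build step makes a missed or partial rewrite fail loudly instead of falling back to a public download.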
