Chainguard Libraries for Python Overview

Python libraries for your application development

Introduction

Python is one of the most popular programming languages in the world. The open Python Package Index (PyPI) contains over 600,000 libraries for application development, machine learning, data science, and many other use cases. Chainguard Libraries for Python rebuilds these powerful open source projects within the Chainguard Factory, enabling access to the Python ecosystem while dramatically reducing risk from an untrusted software supply chain.

Chainguard Libraries for Python enables access to a growing collection of Python packages rebuilt from source. New releases of common libraries or artifacts requested by customers are added to the index by an automated system. Any request for a library or library version missing in Chainguard Libraries automatically triggers a process to provision the artifacts from relevant sources if available. In combination with third-party software repository managers, you can use Chainguard Libraries for Python as a secure source of truth for your development process.

Runtime requirements

The runtime requirements for Python artifacts available from Chainguard Libraries for Python are identical to the requirements of the original upstream project. For example, if a Python wheel retrieved from PyPI requires Python 3.10 or higher, the same Python 3.10 runtime requirement applies to the binary artifact from Chainguard Libraries for Python.

Some Python libraries depend on native binaries supplied by the operating system or included in the distribution archive. For these libraries the following requirements apply:

  • Only Linux is supported; there are no Windows or macOS versions.
  • Linux distributions based on glibc 2.39 or higher, including Chainguard Containers based on Chainguard OS/Wolfi.
  • Processor architectures x86_64 and aarch64 only.

Technical details

Most organizations consume Chainguard Libraries for Python through a repository manager such as Cloudsmith, JFrog Artifactory or Sonatype Nexus Repository. For full details, refer to our Global Configuration documentation. The rest of this article provides details of the underlying implementation of Chainguard Libraries for Python and how to access individual libraries manually.

The Chainguard Libraries for Python index uses the PyPI repository format and only includes release artifacts of the libraries built by Chainguard from source.

The URL for the repository is:

https://libraries.cgr.dev/python/

Use the URL with your username and password retrieved with chainctl to access the Chainguard Libraries for Python repository manually with a browser.

After successful login, you are redirected to the simple sub-context at https://libraries.cgr.dev/python/simple/ that allows you to inspect the available packages. The top level contains an alphabetical list of packages:

2captcha-python
3d-converter
absql
ahrs
amqpstorm
annogesic
apiflask
apscheduler
...

A list of all wheels and tarballs for the versions of a specific package is available in the context of the package. For example, the apiflask context at https://libraries.cgr.dev/python/simple/apiflask/ shows the following list:

Links for apiflask
apiflask-0.1.0-py3-none-any.whl
apiflask-0.1.0.tar.gz
apiflask-0.10.0-py3-none-any.whl
apiflask-0.10.0.tar.gz
apiflask-0.10.1-py3-none-any.whl
apiflask-0.10.1.tar.gz
apiflask-0.11.0-py3-none-any.whl
apiflask-0.11.0.tar.gz
apiflask-0.12.0-py3-none-any.whl
apiflask-0.12.0.tar.gz
...

Each filename is a link to the specific artifact. The link includes a long unique identifier and cannot be constructed without browsing the index. The list is sorted in ascending string order of the full filename, including the version.

Use the search functionality on pypi.org to locate packages of interest and then browse in the simple index to determine available versions in Chainguard Libraries for Python.
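The following script is an added example, not part of the Chainguard documentation or tooling: it parses a package context page of the simple index (a constructed sample here, with placeholder file paths) to list the versions available, pick the newest by numeric comparison rather than the index's string order, and resolve the opaque file URL for a given artifact name so it can be passed to curl.

```python
from html.parser import HTMLParser
import re

# Constructed sample of the package context page (the /files/ path segments are placeholders).
SAMPLE_INDEX = """<html><body><h1>Links for apiflask</h1>
<a href="https://libraries.cgr.dev/files/PLACEHOLDER-a/apiflask-0.1.0-py3-none-any.whl">apiflask-0.1.0-py3-none-any.whl</a><br/>
<a href="https://libraries.cgr.dev/files/PLACEHOLDER-b/apiflask-0.1.0.tar.gz">apiflask-0.1.0.tar.gz</a><br/>
<a href="https://libraries.cgr.dev/files/PLACEHOLDER-c/apiflask-0.10.0-py3-none-any.whl">apiflask-0.10.0-py3-none-any.whl</a><br/>
<a href="https://libraries.cgr.dev/files/PLACEHOLDER-d/apiflask-0.2.0-py3-none-any.whl">apiflask-0.2.0-py3-none-any.whl</a><br/>
</body></html>"""

class SimpleIndexParser(HTMLParser):
    """Collect (filename, href) pairs from the anchors of a simple index page."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href and data.strip():
            self.links.append((data.strip(), self._href))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

# Wheel "name-version-<tags>.whl" or sdist "name-version.tar.gz".
_ARTIFACT = re.compile(r"^(?P<name>[^-]+)-(?P<ver>[^-]+)(?:-.+\.whl|\.tar\.gz)$")

def index_links(html):
    parser = SimpleIndexParser()
    parser.feed(html)
    return parser.links

def available_versions(html):
    """Versions with at least one artifact, in the order the index lists them."""
    matches = (_ARTIFACT.match(f) for f, _ in index_links(html))
    return list(dict.fromkeys(m.group("ver") for m in matches if m))

def latest_version(html):
    """Compare numerically: the index sorts "0.10.0" before "0.2.0" in string order."""
    # Simplification: handles plain numeric release segments only (no pre/post/dev tags).
    return max(available_versions(html), key=lambda v: tuple(int(p) for p in v.split(".")))

def artifact_url(html, filename):
    """Resolve the opaque /files/ URL for one artifact; None means it is not in the index."""
    return dict(index_links(html)).get(filename)
```

Against the live index, fetch the page with curl as shown below and feed the response body to these functions; a None result from artifact_url is the case where a PyPI fallback in your repository manager would apply.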

To download a file, use curl with the username and password retrieved with chainctl for basic authentication and the URL of the file; the -O option saves the file under its original name:

With .netrc authentication:

curl -n -L -O https://libraries.cgr.dev/files/...

With environment variables:

curl -L --user "$CHAINGUARD_PYTHON_IDENTITY_ID:$CHAINGUARD_PYTHON_TOKEN" \
  -O https://libraries.cgr.dev/files/...

The option -L is required to follow redirects for the actual file locations.

The Chainguard Libraries for Python repository does not include all packages from PyPI. Chainguard Libraries for Python are rebuilt from source and require that source be available. Therefore, packages that do not provide a valid source URL cannot be rebuilt within the Chainguard Factory.

Since the Chainguard Libraries for Python index is not complete, you should strongly consider setting the public PyPI package index as a fallback within your repository manager. In this case, failed requests are logged by Chainguard and, where possible, the package is prioritized for a new build from source. Typically, access is configured globally on a repository manager for your organization.

Alternatively, you can use the token for direct access to the Chainguard Libraries for Python index as discussed in Build configuration.