# What's new in
# pulp-python 2025
Gerrod Ubben : pulp-python lead
slides: https://hackmd.io/@gerrod/r14uGq5W-e
---
## The biggest change...
### Our new team member: Jitka!
Keep an eye out for the handle @jobselko
---
## The year so far
- This year we have had 9 new releases: 3.13 - 3.21
- Faster turn around on releasing merged features
- Lots more upstream use, new community members filing issues/asking questions on matrix & discourse
---
### New pulp-python features
* Repair metadata command & endpoint (3.13/15)
* Pull-through caching filtering on remote's include/excludes list (3.14)
* Auto-adding pull-through content to the repository (3.14)
* Synchronous package upload support (3.19)
* Distribute from a repository-version (3.21)
* Scan a repository-version for package vulnerabilities (3.21)
---
### Repair metadata
* Repair corrects the metadata stored on the PythonPackageContent model to what is in the artifact. Works on on-demand content too!
* Repair command added in 3.13. Useful for operating on multiple repositories at once
```bash
pulpcore-manager repair-python-metadata --repositories [...]
```
* Repair endpoint added in 3.15, requires `modifyrepository` permission.
```bash
http POST {python_repository_href}/repair_metadata/
```
---
### Pull-through improvements
* Content downloaded through pull-through will now be auto added to an attached repository (pulp-python>=3.14 & pulpcore >=3.74)
```bash
pulp python distribution create --repository foo --remote foo ...
```
* Pull-through now respects the includes/excludes filters on the attached remote
```bash
pulp python remote update --includes '["numpy", "torch"]'
pulp python remote update --excludes '["scipy<1.12.0"]'
```
* Lots of bugfixes around merging the local and upstream packages together
---
### Synchronous upload & repository-version serving
* New sync upload endpoint to create content without a task (3.19)
```bash
http /pulp/api/v3/content/python/packages/upload/ file@twine-6.2.0.tar.gz
```
* You can now distribute from a repository-version without the use of a publication (3.21)
```bash
pulp python distribution update --repository-version $RV_PRN
```
---
### New PEP support
* Package core-metadata 2.3 & 2.4 support (PEP 685/639 - 3.17)
* JSON-based Simple API (PEP 691 - 3.20)
* Updated repository Simple API to 1.1 (PEP 700 - 3.21)
---
### JSON-based Simple API
* The new Simple API format makes it easy to see what is available in an index and process the files for a given package
* Got to use the new Accept header to see it: `application/vnd.pypi.simple.v1+json`
```bash!
http /pypi/foo/simple/ Accept:application/vnd.pypi.simple.v1+json
http /pypi/foo/simple/twine/ Accept:application/vnd.pypi.simple.v1+json
```
---
### PEPs in the Pipeline
- Attestation upload support (PEP 740)
- `alternate_locations` & `tracks` project metadata (PEP 708)
- Project status markers metadata (PEP 792)
- Serving of separate metadata file for wheels (PEP 658)
- Support of package core-metadata 2.5 (PEP 794)
---
### Attestation support
* https://docs.pypi.org/attestations/
* A new separate signature file that is uploaded with the package and served back as a Provenance object
```bash
pypi-attestations sign dist/*
twine upload --attestations dist/*
http /pypi/foo/integrity/mypackage/1.0.0/mypackage-1.0.0.tar.gz/provenance/
```
* The attestations uploaded to Pulp will be stored in a new PackageProvenance content type
```bash
http /pulp/api/v3/content/python/provenance/
```
---
### Project metadata (PEP 708 & 792)
* New project metadata available on a project's `/simple/` page.
```htmlembedded
<meta name="pypi:alternate-locations" content="https://pypi.org/simple/shelf-reader/">
<meta name="pypi:project-status" content="deprecated">
<meta name="pypi:project-status-reason" content="No longer maintained">
```
* Will be stored as new ProjectMetadata content type and be unique per repository + 'modifiable'.
```bash!
http /pulp/api/v3/content/python/project-metadata/
http $REPO_HREF/update_project/ \
project_name=pulpcore \
status=archived \
tracks='["https://pypi.org"]'
```
---
### Serving wheel's metadata files (PEP 658)
* Major quality of life improvement for using Pulp as an index
* Tools will be able to download the small metadata file to quickly determine if release file is the right one needed for install
* Will significantly speed up install times and reduce download/serving costs
---
### What's on the horizion for 2026?
* Syncing with just Simple index support [#669](https://github.com/pulp/pulp_python/issues/669)
* More fine-grain RBAC protections on package upload/downloads [#727](https://github.com/pulp/pulp_python/issues/727)
* `pyx` registry support? https://astral.sh/pyx
---
### Thank you!
Find us on disourse/matrix
- [pulpproject.org](https://pulpproject.org/help/community/get-involved/)
- https://discourse.pulpproject.org/
- #pulp and #pulp-python
{"title":"pulp-python 2025","breaks":true,"description":"View the slide with \"Slide Mode\".","contributors":"[{\"id\":\"4b1152d2-c7d3-42a7-ae07-9821ff05bb92\",\"add\":5052,\"del\":2354,\"latestUpdatedAt\":1764598179811}]"}