Introduction

Usually, Python projects are installed with pip install -r requirements.txt, using a frozen requirements.txt file. However, alternative build systems (such as Pants, Pex or hand-written Dockerfiles) sometimes specify “floaters”: requirements that allow more than one version number (for example, “any version greater than 1.2”). In addition, if requirements.txt is missing a requirement, most of these tools recover gracefully by fetching the highest compatible version.

While these are sometimes useful features, they undercut the concept of a “deterministic build” or “hermetic build”: a build whose output depends only on its inputs, and not on the state of the world, such as which packages have been uploaded to PyPI.

ReqPI is a PyPI-compatible server that generates ad-hoc endpoints which “pre-commit” to the set of packages that will be requested. It rejects requests for any other package, and offers only the versions specified in a requirements.txt file. All Python package-fetching tools allow specifying an alternate URL as the package source, so such an endpoint can be substituted for PyPI.
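As an added illustration of the pre-commitment idea (example code written for this page, not ReqPI's own implementation), the following parses an exact-pin requirements.txt, refuses floaters, and filters a project's index listing down to the pinned version; the function names and the sample requirements are constructed for the example.

```python
import re

# Constructed sample of a frozen requirements.txt (not from any real project).
FROZEN_REQUIREMENTS = """\
# transitive pins captured by `pip freeze`
requests==2.31.0
Charset_Normalizer==3.3.2
idna==3.6
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)$")
# sdist/wheel filename: <name>-<version>[-<tags>].<ext>, version starts with a digit
DIST_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[^-]*)(?:-.+)?\.(?:whl|tar\.gz|zip)$")


def normalize(name):
    """PEP 503 normalization: case-fold and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text):
    """Return {normalized_name: version} for exact pins; raise on anything else.

    Floaters (>=, ~=, bare names) are refused because they would make the build
    depend on whatever happens to be uploaded to the index at install time.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {raw!r}")
        pins[normalize(m.group(1))] = m.group(2)
    return pins


def is_allowed(pins, name, version):
    """The pre-commitment check: only a pinned (name, version) pair is served."""
    return pins.get(normalize(name)) == version


def filter_index(pins, name, filenames):
    """Keep only files of `name` whose version matches the pin; [] if not pinned."""
    pinned = pins.get(normalize(name))
    kept = []
    for fn in filenames:
        m = DIST_RE.match(fn)
        if m and normalize(m["name"]) == normalize(name) and m["ver"] == pinned:
            kept.append(fn)
    return kept
```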