Skip to content

[Chore] Publish penguin-utils 0.2.0 + penguin-limiter to public PyPI to unblock hash-pinning #51

Description

@PenguinzTech

Problem

Dependency hash-pinning (pip-compile --generate-hashes) cannot be completed because internal penguin-* packages are not resolvable from public PyPI at the pinned versions. Confirmed in a python:3.13-slim container:

  • penguin-utils: only 0.1.0 is public, but manager/backend/requirements.in requires >=0.2.0DistributionNotFound.
  • penguin-limiter: not published at all (referenced as a git URL in dns-server, and as an unsatisfiable PyPI dep >=0.1.0 in manager).

Both requirements.txt files carry the note "penguin- packages are locally installed (editable) and not yet published to PyPI"* — so the pinned requirements are not installable from public PyPI and cannot be hash-pinned. This also contradicts the standard that all penguin-libs packages are public (no private registry).

Public versions as of 2026-07-08: penguin-utils 0.1.0; penguin-dal 0.1.0/0.2.1/0.3.0; penguin-sal 0.1.0/0.2.0/0.2.1; penguin-aaa 0.1.0; penguin-licensing 0.1.0; penguin-limiter none.

Fix

  1. Publish penguin-utils 0.2.0 and penguin-limiter to public PyPI.
  2. Then hash-pin both services: pip-compile --generate-hashes on requirements.in (run on Python 3.13, e.g. a python:3.13 container). If any dep must remain editable/git, split hashable third-party deps from the editable penguin-* set.
  3. Switch Docker/CI installs to pip install --require-hashes -r requirements.txt.

Context

Surfaced during the enterprise-hardening consolidation (PR #50). Not a deploy blocker (Docker images build on 3.13 via editable installs), but blocks reproducible, hash-verified builds.

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions