Hello,

I am encountering the same issue as in #3

$ devpi --version
devpi-client 7.0.2

current devpi server: http://localhost:3141
    devpi-constrained 2.0.1
    devpi-server 6.9.2
    devpi-web 4.2.1

http://localhost:3141/root/dev:
  type=stage
  bases=root/pypi-constrained
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  mirror_whitelist=
  mirror_whitelist_inheritance=intersection

http://localhost:3141/root/pypi-constrained:
  type=constrained
  bases=root/pypi
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  constraints=virtualenv==v20.24.5
  mirror_whitelist=
  mirror_whitelist_inheritance=intersection

http://localhost:3141/root/pypi:
  type=mirror
  volatile=False
  mirror_url=https://pypi.org/simple/
  mirror_web_url_fmt=https://pypi.org/project/{name}/
  title=PyPI

Unfortunately:

pip install -i http://localhost:3141/root/pypi-constrained --no-cache-dir virtualenv
--> install virtualenv 20.24.5

pip install -i http://localhost:3141/root/dev --no-cache-dir virtualenv
--> install virtualenv 20.24.6

From my understanding this issue has been resolved already and I see the tests are passing, is there something I misunderstood ?

Many thanks

Hello, just found out about this project. I'm wondering if it'd be possible to whitelist artifacts by hash instead of by version number. This would be a neat boost to the security benefits offered by devpi.

I think there might be an issue with the logic in get_simple_links_filter_iter

For complicated links such as

zipp-1.1.0-py2.py3-none-any.whl
green-0.4.0-py2.5-win32.egg

it looks like the version isn't being parsed correctly on line 91 (version = '-'.join(parts[index:])).

Once the project name is found, shouldn't the version just be the next part in the list? instead of joining the remaining items in the list

Hello,

I wanted to test devpi-constrained for a while as our development team sometimes has difficulties keeping up with newer releases of our stack and it is not always easy to block a package to a certain version as it is used in a lot of repositories.

This is the case with tox and the latest release is causing trouble to our CI/CD pipeline as reported in tox-dev/tox#2702.

Now, I rebuilt our Docker image with devpi-constrained and playing around with it, it does not seem to filter packages when it is used as the bases in another index.

$ devpi index -c root/pypi-constrained type=constrained bases=root/pypi
[...]
$ devpi index  root/pypi-constrained constraints="tox<4"
/root/pypi-constrained constraints=tox<4
https://pypi.example.com/root/pypi-constrained?no_projects=:
  type=constrained
  bases=root/pypi
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  constraints=tox<4
  mirror_whitelist=
  mirror_whitelist_inheritance=intersection
  title=PyPI constrained mirror
$ devpi index -c root/dev-team
https://pypi.example.com/root/dev-team?no_projects=:
  type=stage
  bases=root/pypi-constrained
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  mirror_whitelist=
  mirror_whitelist_inheritance=intersection
$ devpi list --index root/pypi-constrained --all tox |head -n3
*redirected: https://pypi.example.com/root/pypi-constrained/tox
https://pypi.example.com/root/pypi/+f/f52/ca66eae115fcf/tox-3.27.1-py2.py3-none-any.whl
https://pypi.example.com/root/pypi/+f/b2a/920e35a668cc0/tox-3.27.1.tar.gz
$ devpi list --index root/dev-team --all tox |head -n3
*redirected: https://pypi.example.com/root/dev-team/tox
https://pypi.example.com/root/pypi/+f/952/1447370a37527/tox-4.0.11-py3-none-any.whl
https://pypi.example.com/root/pypi/+f/695/fc21a276e6a4f/tox-4.0.11.tar.gz

Is this the intended behavior?
Is my expectation that dev-team should get filtered results wrong?