by Alex Becker

Distributing Python Code to Clients

One of the most common uses of PyDist is for consultants and vendors to distribute Python packages they maintain to their clients. By hosting packages for their clients on PyDist, consulting firms relieve their clients of the burden of hosting these packages themselves—and avoid any mistakes the client might make doing so. They can immediately make bug fixes and new releases available to their clients. They also get visibility into how often their clients are downloading their packages, and which versions are being used.

However, proper access control becomes important when you are maintaining different packages for different clients, and perhaps have packages which are private to your own organization. After gathering input from users, PyDist has launched two new access control features:

Both of these features are available when creating new keys in the API key dashboard:

[Image: API key interface with read-only key]

This allows you to create one or more read-only API keys per client, and restrict those API keys to only the packages that client should have access to. This works neatly with PyDist's Insights dashboard, which lets you track package downloads by API key—giving you visibility into how each of your clients is using your packages.

DevOps teams may also take advantage of these features to control code distribution within their organizations. Using read-only keys to install dependencies on developer machines, CI, and build servers prevents accidental package uploads and mitigates the consequences of a credential leak. Whitelisting packages further mitigates the harm from such leaks, and can be used to enforce dependency boundaries between teams. The Insights dashboard can show you which packages—and which versions of them—are being used by each team.

If this doesn't work for your organization, or you have ideas to make it work better, please reach out at