2.6.3 (2016-05-13)

  • update devpi-common requirement, so devpi-client can be installed in the same virtualenv as devpi-server 4.0.0.

2.6.2 (2016-04-28)

  • devpi upload failed to use basic authentication and client certificate information.

2.6.1 (2016-04-27)

  • fix issue340: basic authentication with devpi use didn’t work anymore.

2.6.0 (2016-04-22)

  • switching to another server with devpi use now reuses an existing authentication token as well as previously set basic auth and client cert.
  • basic authentication is now stored at the devpi-server root instead of the domain root, so you can have more than one devpi-server on different paths with different basic auth.
  • fix issue318: devpi test --index now accepts a URL, so one can test a package from another server without having to run devpi use first.

2.5.0 (2016-02-08)

  • the user command now behaves slightly more like index to show current user settings and modify them.
  • fix issue309: print server versions with devpi --version if available. This is only supported on Python 3.x because of shortcomings in older argparse versions for Python 2.x.
  • fix issue310: with –set-cfg the index setting in the [search] section would be set multiple times.
  • fix getjson to work when no index but a server is selected
  • allow full urls for getjson
  • “devpi quickstart” is not documented anymore and will be removed in a later release.

2.4.1 (2016-02-01)

  • fix issue308: properly handle index reconfiguration in the client API. thanks to Jacob Geiger for the report and an initial PR.

2.4.0 (2016-01-29)

  • fix issue291: transfer file modes with vcs exports. Thanks Sergey Vasilyev for the report.
  • new option “–index” for “install”, “list”, “push”, “remove”, “upload” and “test” which allows to use a different than the current index without using “devpi use” before
  • set index in [search] section of pip.cfg when writing cfgs, to support pip search

2.3.2 (2015-11-11)

  • fix git submodules for devpi upload. .git is a file not a folder for submodules. Before this fix the repository which contains the submodule was found instead, which caused a failure, because the files aren’t tracked there.
  • new option “devpi upload –setupdir-only” which will only vcs-export the directory containing You can also set “setupdirs-only = 1” in the “[devpi:upload]” section of setup.cfg for the same effect. Thanks Chad Wagner for the PR.

2.3.1 (2015-09-10)

  • fix issue259: print server errors in client

2.3.0 (2015-07-09)

  • fix issue247: possible password leakage to log in devpi-client
  • new experimental “-d|–detox” option to run tests via the “detox” distributed testing tool instead of “tox” which runs test environments one by one.
  • address issue246: make sure we use vcs-export also for building docs (and respect –no-vcs for all building activity)
  • address issue246: copy VCS repo dir to temporary upload dir to help with setuptools_scm. Warn if VCS other than hg/git are used because we don’t copy the repo in that case for now and thus cause incompatibility with setuptools_scm.
  • (new,experimental) read a “[devpi:upload]” section from a setup.cfg file with a “formats” setting that will be taken if no “–formats” option is specified to “devpi upload”. This allows to specify the default artefacts that should be created along with a project’s setup.cfg file. Also you can use a no-vcs = True setting to induce the --no-vcs option.

2.2.0 (2015-05-13)

  • improve internal testing mechanics
  • fix regression for “devpi list -f” output which would fail when trying to present failures with recent devpi-server versions/tox outputs.
  • fix issue222: fix help string
  • fix issue190: introduce support for testing universal wheels (platform/interpreter specific wheels are not supported yet because they require tox support). Testing a wheel requires that there also is an sdist next to it so that tox.ini and the tests can be discovered from it. Note that this means your tox testrun setup must be able to run tests against an installed version of the package, not the sdist-inplace version. If your tests reside in a subfolder that has no this should usually be the case (at least with pytest).
  • add experimental “refresh” command to invalidate the pypi release list cache of packages.
  • show index configuration settings added by plugins in devpi-server >= 2.2.0.

2.1.0 (2015-03-16)

  • fix issue199: “devpi upload” and “devpi test” can now handle packages with dashes in their name.
  • change: the following fixes change behavior if used in scripts
  • fix issue174: ask for confirmation when deleting an index or user.
  • fix issue156 and issue199: “devpi push” now uses “pkgname==version” like “list” and “test”. This also fixes usage with packages containing dashes in their name.

2.0.5 (2015-02-24)

  • fix issue209: argument default handling changed in argparse in Python 2.7.9.
  • fix issue163: use PIP_CONFIG_FILE environment variable if set.
  • fix issue191: provide return code !=0 for failures during push


  • fix issue181: provide Return code != 0 for failed upload POST requests.
  • fix “devpi” invocation or py3, it was tracebacking instead of showing the valid subcommands.


  • use default “” when no repository is set in .pypirc see
  • fix issue152: when –upload-docs is given, make sure to first register and upload the release file before attempting to upload docs (the latter requires prior registration)
  • fix issue75: add info about basic auth to “url” option help of “devpi use”.
  • fix issue154: fix handling of vcs-exporting when unicode filenames are present. This is done by striking our own code in favor of Marius Gedminas’ vcs exporting functions from his check-manifest project which devpi-client now depends on. This also adds in support for svn and bazaar in addition to the already supported git/hg.
  • devpi list: if a tox result does not contain basic information (probably a bug in tox) show a red error instead of crashing out with a traceback.
  • fix issue157: filtering of tox results started with the oldest ones and didn’t show newer results if the host, platform and environment were the same.


  • fix issue135: fix port mismatch for basic auth if port isn’t explicitly given on https urls.
  • refs issue75: pass on basic auth info into pip.cfg and co.
  • fix issue144: fix interaction with requests-2.4 by depending on devpi-common’s new support for enumerating possible Errors
  • keep basic authentication info when listing indices or switching index by using path only instead of full URL. Thanks Trevor Joynson
  • only write new client config if it actually changed and pretty print it. Thanks Jürgen Hermann for initial PR and ideas.


  • fix a test to expect a 403 instead of a 401 from devpi server from unauthorized access
  • fix error message on API version client/server mismatch
  • fix issue124: package name url matching for the “devpi test” command


  • Compatibility with devpi-server >= 2.0.0
  • introduce “patchjson PATH JSONFILE” command which allows to send a request containing a json data structure to a specified path
  • fix issue85: “devpi list -v” now shows package names with latest versions.
  • implement issue75: We use the custom X-Devpi-Auth header for authentication now, instead of overwriting the Authentication header.
  • added experimental support for basic authentication by parsing user and password from the url given to the “devpi use” command.
  • issue74: added experimental support for client side certificates via “devpi use –client-cert”


  • depend on pkginfo>1.2b1 for wheel metadata reading support, remove twine dependency. Thanks Tres Seaver.
  • new: also write buildout configuration file with –set-cfg. Thanks Christian Ullrich for the PR.


  • fix “python -m devpi” invocation. Thanks Sebastian Ralph.
  • fix issue66: “devpi use hpk/dev” can now switch between URLs if user/index is mounted on a subpath.
  • fix issue71: allow pip/setuptools like requirements specs with the test subcommand, e.g. “devpi test ‘pkg>=1.0’”. Thanks Sebastian Rahlf for the PR.


  • “devpi list” and “devpi remove” now accept a pip/setuptools style requirement like “pkg>=1.0” instead of the former for limited “pkg-1.0”.
  • make devpi-client fully work with python3.3 and fix test bugs
  • use system http/s proxy settings from devpi-server. fixes issue58.
  • add “devpi test -c tox.ini package” to use a particular (external) tox.ini for running tox with the unpackaged package. also add “–fallback-ini tox.ini” option which will only be used if the download package has no tox.ini.
  • new “devpi use –set-cfg” option to set pip/easy_install configuration files when changing indexes. Also new “devpi use –always-set-cfg=yes” option if you want to imply “–set-cfg” on future “devpi use” invocations and “devpi use –always-st-cfg=no” to disable this implication.
  • support git and hg for exporting all versioned files of a directory before performing the build step when uploading
  • improve how upload works: is only used for building docs and release files but not for the remote upload part. This gets rid of a number of hacks that were done trying to get the Python shipped “distutils” to pick the proper devpi index and allows proper SSL verification on Python2.6 onwards.
  • upload: show response when uploading documentation failed
  • upload: allow to specify archive files as positional arguments (both files and directories can be specified but the latter additionally require a –upload-dirs option)
  • fix issue54: upload now works on wheel files as well. As pkginfo does not support wheels directly, we use the twine project which extends pkginfo for now.
  • only show highest version in “devpi list PROJECT” output, unless “–all” is specified.
  • on upload release files: skip rather than guess packages which contain no metadata
  • strike BeautifulSoup dependency and re-use vendored pip-link parser
  • use types/url/metadata/validation functionality of new depdency devpi_common
  • internal cleanup wrt pytest-flakes discoveries
  • remove “archive” dependency in favour of a small implementation in devpi_common
  • make devpi-client use a proper UserAgent string


  • detect “X-DEVPI-API-VERSION” header and check for compatibility. devpi-client currently supports version “1” and warns if no version is known (defaulting to “1”).
  • getjson now prints http reply headers if “-v|–verbose” was supplied.
  • fix issue52: add “–no-vcs” option to force “devpi upload” to not vcs-export files before executing build/upload
  • fix issue50: introduce “–toxargs” to “devpi test” invocations in order to add arbitrary arguments to tox.
  • fix issue43: set PIP_PRE environment variable when executing “devpi install ...” so that the behaviour between pip < 1.4 and >= 1.4 is normalized to always install development versions.
  • fix issue47: set PIP_USE_WHEEL with “devpi install ...” so that it will automatically pick up wheel files if pip>1.4 is used.
  • fix issue42: allow to set empty bases for an index, so that it doesn’t inherit anything.
  • fix issue44: “use -l” doesn’t break when a user has no index
  • devpi test now invokes tox in-process (by importing tox) rather than a subprocess.


  • removed server subcommand and options for controling background devpi-server processes to become options of devpi-server itself.

  • fix issue14: lookup “python” from PATH for upload/packaging activities instead of using “sys.executable” which comes from the interpreter executing the “devpi” script. This allows to alias “devpi” to come from a virtualenv which is separate from the one used to perform packaging.

  • fix issue35: “devpi index” cleanly errors out if no index is specified or in use.

  • remember authentication on a per-root basis and cleanup “devpi use” interactions. This makes switching between multiple devpi instances more seemless.

  • fix issue17: better reporting when “devpi use” does not operate on valid URL

  • test result upload and access: - “devpi test” invokes “tox –result-json ...” and uploads

    the test result log to devpi-server.

    • “devpi list [-f] PKG” shows test result information.
  • add “uploadtrigger_jenkins” configuration option through “devpi index”.

  • fix issue19: devpi use now memorizes –venv setting properly. Thanks Laurent.

  • fix issue16: show files from shadowed versions

  • initial wheel support: “devpi upload –format=bdist_wheel” now uploads a wheel format file to the index. (XXX “devpi install” will trigger pip commands with option “–use-wheels”.)

  • fix issue15: docs will now be built via “ build_sphinx” using a internal build dir so that the upload succeeds if would otherwise specify a non-standard location.

  • implement and refine “devpi push” command. It now accepts two forms “user/name” for specifying an internal devpi index and “pypi:REPONAME” for specifying a repository which must be defined in a .pypirc file.

  • remove spurious pdb.set_trace() in devpi install command when no pip can be found.

  • show and allow to set “acl_upload” for uploading priviliges

  • add longer descriptions to each sub command, shown with “devpi COMMAND -h”.

  • removed pytestplugin support for now (pytest reporting directly to devpi-server)


  • fix uploading by adding’s dir to sys.path: files that import modules/packages for obtaining versions etc. now work. Thanks jbasko.
  • fix automatic devpi-server startup on python26/windows


  • new “devpi list” command to show projects of the in-use index or all release files of a project with “devpi list PROJECTNAME”.
  • new “devpi remove” command to remove releases from the current index, including any contained release files
  • added “argcomplete” support for tab completion on options (thanks to Anthon van der Neut)


  • introduce “devpi upload –from-dir” for uploading archives in bulk mode, thanks to Anthon van der Neut for helping with this! (resolved issue5)
  • improve automatic server handling via “devpi use”
  • for “devpi server” you now need to specify “–log” to see log lines
  • make “devpi use” also show base indexes by default
  • fix issue4: auto-server data stored in non-dot dir
  • renamed some –longoptions to –long-options (thanks @hynek and others for pushing)


  • refined “python” calls from devpi upload with proper __file__ attributes. Thanks Andi Albrecht.
  • implemented new “devpi push” command for pushing out releases
  • improved error handling for devpi upload
  • fix logoff if not logged in
  • don’t use –force-reinstall when using pip

0.9 initial release


4.0.0 (2016-05-12)


Please note that devpi-server 4.0.0 is a bug fix/compatibility release as it only changes project name normalization compared to 3.1.x. The internal use of the normalization requires an export/import cycle, which is the reason for the major version increase. There are no other big changes and so everyone who used devpi-server 3.x.y should be fine just using 4.0.0. It’s also fine to export from 2.6.x and import with 4.0.0.

  • require devpi-common 3.0.0 which changes the normalization of project names.
  • allow import of exported data from devpi-server 3.1.2 with inconsistently normalized project names.

3.1.2 (2016-05-12)

  • fix issue336: the mirror_whitelist setting got lost on import.
  • allow export if a package with dotted name was uploaded while devpi-common 2.0.9 was installed. The resulting export will only be importable with devpi-server 4.x. It will fail to import in 3.x with a MissingRegistration error.

3.1.1 (2016-05-11)

  • fix import of releases for packages with dots in their name after PEP-503 fix in devpi-common 2.0.9.

3.1.0 (2016-04-22)

  • fix issue208: Uncached mirrored files (PyPI) are streamed to the client while downloading. This prevents timeouts in pip etc. The files are only cached if there were no errors and in case there is a checksum, the content matches. Downloads on replicas won’t wait until they are in sync, but pass on what they get from the master.
  • fix issue229: A replica talking to a master behind nginx decoded gzipped data, but left the Content-Encoding header unchanged. Now data is passed on unchanged. Thanks to Chad Wagner for the fix.
  • fix issue317: When there is no data in the directory specified via --serverdir during export, then the process aborts instead of creating and exporting an empty database.
  • fix issue210: When an external user authenticated by a plugin tries to create an index the required user object is now created automatically if the permissions allow it.
  • address issue267: We unconditionally clean up the transaction if there was an exception in rollback or commit. This prevents issues in logging and a possible server lockup if at some point all threads contain a failed transaction object.
  • fix issue321: All exceptions in the replica and event processing threads are caught now and can’t stop the threads anymore.
  • fix issue338: Handle trailing slash in project listing for mirror indexes.
  • Added checks on the index dependency tree built from bases during import.
  • Every project is now imported together with all it’s release files on it’s own serial. Before the release files each got their own serial. This reduces the number of serials generated, especially when there are many projects and releases. That in turn improves import, as well as replication and event handling times (in particular devpi-web indexing).

3.0.2 (2016-03-03)

  • fix setting of mirror_whitelist.
  • normalize names when setting mirror_whitelist.
  • fix handling of 404 in mirror indexes on replicas.
  • include version in file paths in exported data to avoid possible name conflicts.

3.0.1 (2016-02-12)

  • fix importing of uploaded files. Only the last index from exported data was processed.

3.0.0 (2016-02-12)

  • dropped support for python2.6
  • block most ascii symbols for user and index names except -.@_. unicode characters are fine.
  • add --no-root-pypi option which prevents the creation of the root/pypi mirror instance on first startup.
  • added optional title and description options to users and indexes.
  • new indexes have no bases by default anymore. If you want to be able to install pypi packages, then you have to explicitly add root/pypi to the bases option of your index.
  • added optional custom_data option to users.
  • generalized mirroring to allow adding mirror indexes other than only PyPI
  • renamed pypi_whitelist to mirror_whitelist
  • speed up simple-page serving for private indexes. A private index with 200 release files should now be some 5 times faster.
  • internally use normalized project names everywhere, simplifying code and slightly speeding up some operations.
  • change {name} in route_urls to {project} to disambiguate. This is potentially incompatible for plugins which have registered on existing route_urls.
  • use “project” variable naming consistently in APIs
  • drop calling of devpi_pypi_initial hook in favor of the new “devpi_mirror_initialnames(stage, projectnames)” hook which is called when a mirror is initialized.
  • introduce new “devpiserver_stage_created(stage)” hook which is called for each index which is created.
  • simplify and unify internal mirroring code some more with “normal” stage handling.
  • don’t persist the list of mirrored project names anymore but rely on a per-process RAM cache and the fact that neither the UI nor pip/easy_install typically need the projectnames list, anyway.
  • introduce new “devpiserver_storage_backend” hook which allows plugins to provide custom storage backends. When there is more than one backend available, the “–storage” option becomes required for startup.
  • introduce new “–requests-only” option to start devpi-server in “worker” mode. It can be used both for master and replica sites. It starts devpi-server without event processing and replication threads and thus depends on respective “main” instances (those not using “–request-only”) to perform event and hook processing. Each worker instance needs to share the filesystem with a main instance. Worker instances can not serve the “/+status” URL which must always be routed to the main instance.

2.6.1 (2016-03-03)

  • add more info when importing data. Thanks Marc Abramowitz for the PR.
  • include version in file paths in exported data to avoid possible name conflicts.

2.6.0 (2016-01-29)

  • fix issue262: new experimental option –offline-mode will prevent devpi-server from even trying to perform network requests and it also strip all non-local release files from the simple index. Thanks Daniel Panteleit for the PR.

  • fix issue304: mark devpi-server versions older than 2.2.x as incompatible and requiring an import/export cycle.

  • fix issue296: try to fetch files from master again when requested, if there were checksum errors during replication.

  • if a user can’t be found during authentication (with upload for example), then the http return code is now 401 instead of 404.

  • fix issue293: push from root/pypi to another index is now supported

  • fix issue265: ignore HTTP(S) proxies when checking if the server is

    already running.

  • Add content_type route predicate for use by plugins.

2.5.3 (2015-11-23)

  • fix a bug that resulted from accessing a non-existing project on root/pypi where upstream does not contain the X-PYPI-LAST-SERIAL header usually. Thanks Matthias Bach.

2.5.2 (2015-11-20)

  • recognize “pex” for redirections of user/index/NAME to user/index/+simple/NAME just like we do with pip/setuptools.
  • fix py2 incompatibility introduced with 2.5.1 where we used a unicode header and pyramid only likes str-headers.

2.5.1 (2015-11-20)

  • fix issue289: fix simple page serving on replicas

2.5.0 (2015-11-19)

  • fix a regression of 2.3.0 which would cause many write-transactions for mirrored simple-page entries that didn’t change. Previous to the fix, accesses to mirrored simple pages will result in a new write-transaction every 30 minutes if the page is accessed which is likely on a somewhat busy site. If you running with replicas it is recommended to do an an export/import cycle to remove all the unneccessary writes that were produced since devpi-server-2.3.0. They delay the setup of new replicas considerably.
  • add info about pypi_whitelist on simple page when root/pypi is blocked for a project.
  • replica simple-page serving will not unneccessarily wait for new simple-page entries to arrive at the replication side if the master does not return any changes in the initial simple-page request. Previously a replica would wait for the replication-thread to catch up even if no links changed.
  • fix to work on py34 and with LANG=”C” environments. Thanks Jason R. Coombs.
  • fix issue284: allow users who are listed in acl_upload to delete packages

2.4.0 (2015-11-11)

  • NOTE: devpi-server-2.4 is compatible to data from devpi-server-2.3 but not the other way round. Once you run devpi-server-2.4 you can not go back. It’s always a good idea to make a backup before trying a new version :)
  • NOTE: if you use --logger-cfg with .yaml files you will need to install pyyaml yourself as devpi-server-2.4 dropped it as a direct dependency as it does not install for win32/python3.5 and is not needed for devpi-server operations except for logging configuration. Specifying a *.json file always works.
  • add timeout to replica requests
  • fix issue275: improve error message when a serverdir exists but has no version
  • improve testing mechanics and name normalization related to storing doczips
  • refine keyfs to provide lazy deep readonly-views for dict/set/list/tuple types by default. This introduces safety because users (including plugins) of keyfs-values can only write/modify a value by explicitly getting it with readonly=False (thereby deep copying it) and setting it with the transaction. It also allows to avoid unnecessary copy-operations when just reading values.
  • fix issue283: pypi cache didn’t work for replicas.
  • performance improvements for simple pages with lots of releases. this also changed the db layout of the caching from mirrors but will seamlessly work on older data, see NOTE at top.
  • add “–profile-requests=NUM” option which turns on per-request profiling and will print out after NUM requests are executed and then restart profiling.
  • fix tests for pypy. We officially support pypy now.

2.3.1 (2015-09-14)

  • fix issue272: require devpi-common >= 2.0.6
  • recognize newly registered PyPI projects, now that we don’t watch the PyPI changelog anymore

2.3.0 (2015-09-10)

  • switched to semantic versioning. Only major revisions will ever require an export/import cycle.
  • fix issue260: Log identical upload message on level “info”
  • Log upload trigger message on level “warn”
  • The PyPI changelog isn’t watched for changes anymore. Instead we cache release data for 30 minutes, this can be adjusted with the --mirror-cache-expiry option.
  • fix issue251: Require and validate the “X-DEVPI-SERIAL” from master in replica thread
  • fix issue258: fix FileReplicationError representation for proper logging
  • fix issue256: if a project removes all releases from pypi or the project is deleted on pypi, we get a 404 back. In that case we now return an empty list of releases instead of returning an UpstreamError.
  • Change nginx template to serve HEAD in addition to GET requests of files directly instead of proxying to devpi-server
  • make keyfs cache size configurable via “–keyfs-cache-size” option and increase the default size to improve performance for installations with many writes

2.2.2 (2015-07-09)

  • make replica thread more robust by catching more exceptions
  • Remove duplicates in plugin version info
  • track timestamps for event processing and replication and expose in /+status
  • implement devpiweb_get_status_info hook for devpi-web >= 2.4.0 status messages
  • UPGRADE NOTE: if devpi-web is installed, you have to request application/json for /+status, or you might get a html page.
  • address issue246: refuse uploading release files if they do not contain the version that was transferred with the metadata of the upload request.
  • fix issue248: prevent change of index type after creation

2.2.1 (2015-05-20)

  • fix issue237: fix wrong initial replica setup which would prevent initialization. Thanks Stephan Erb.

2.2.0 (2015-05-13)

  • add “–no-events” option to postpone running events after import to server start
  • add new devpiserver_get_credentials plugin hook to extract credentials from request
  • fix issue216: use sha256 instead of md5 checksums for serving own files (BACKWARD INCOMPATIBLE: needs export/import)
  • parse arbitrary checksums from PyPI in preparation for a pending change on which will see it serving sha256 checksums only.
  • fix debug logging to actually show debug logs (logging was not properly reconfigured)
  • make logging fully configurable via a config yaml/json (e.g., log to an external syslog server)
  • fix issue221: avoid looking at file entries who are not part of a project (because they got deleted)
  • fix issue217: systematically avoid using bytes in persisted dictionaries to avoid any py2/py3 bytes/unicode issue.
  • show actual instead of prospective replica serial in master /+status page
  • fix issue165: make off-line serving more robust when we know there is a change but pypi is currently not reachable (just serve the old cached links and issue an error to the logs)
  • fix flaky devpi-server “–start” startup detection which would previously assume success if another server was already running on the address/port we want to run on.
  • fix importing of indexes with custom_data and importing of documentation which follows uncommon package naming
  • fix issue228: when a stage is deleted don’t veriy if it was root/pypi because you cannot delete root/pypi anyway.
  • fix issue232: pypi-refresh now works better for projects which have have a non-nomalized projectname, and also works better across replication.
  • add new devpiserver_indexconfig_defaults plugin hook to add key names for settings in the index configuration.
  • add new devpiserver_on_upload_sync plugin hook and use it to move the Jenkins triggering to the devpi-jenkins plugin.
  • rename hooks: devpiserver_auth_credentials to devpiserver_get_credentials and devpiserver_run_commands to devpiserver_cmdline_run.
  • add --hard-links option to use hard links for releases and doc zips during export.
  • speed up detecting replica/master mismatches and let a replica instantly die if it talks to a master that doesn’t match the master id the replica is operating for.

2.1.5 (2015-03-16)

  • fix devpi-ldap issue17: the push command directly used the username instead of using a general permission check, that caused groups in acl_upload to not be honored.
  • fix issue171: “devpi push” of an existing package fails on non volatile index and overwrites on volatile.
  • before devpi-server 2.1.5 it was possible to upload multiple documentation zip files for the same package version if the filename differed in case, this broke export and replication of server state and the documentation view. Now the newest upload will be used and older ones ignored.
  • fix issue217: try harder to avoid using “bytes” in python2 to allow py2/py3 master/replica setups and generally have more type-uniform bytes.


  • fix issue214: the whitelisting code stopped inheritance too early.
  • fix regression: easy_install went to the full simple project list for a non existing project.
  • When uploading an existing version to a non-volatile index, it’s now a no op instead of an error if the content is identical. If the content is different, it’s still an error.
  • Uploading documentation to non-volatile indexes is now protected the same way as packages.
  • added code to allow filtering on packages with stable version numbers.
  • Change nginx template to set the X-outside-url header based on the requested URL. This makes it possible to connect by IP address when the server name is not in DNS.


  • fix replication when files with identical name are later changed. This can happen with toxresults. These kind of errors are tracked and when a later changeset fixes them, the error is removed. The errors are exposed through the /+status view of replica servers.
  • fix issue179: protect deletion of versions
  • fix issue176: better allow replicas to export their state by removing an obsolete way of normalizing project names upon export (nowadays, project names should be normalized already and normalization is bound to change/be refined further for devpi-server-2.2)
  • fix replication when a “volatile” file like egg-links from repositories are involved: a master will not re-fetch such files but rather use the existing one if the request comes from a replica.


  • fix issue172: avoid traceback when user/index/name/version is accessed.
  • fix issue170: ensure that we parse the prospective pip-6.0 user agent string properly so that using the username/index url works with pip. Thanks Donald Stufft and Florian Schulze.
  • fix issue158: redirect to normalized projectname for all GET views.
  • fix issue169: change /+status to expose “event_serial” as “the last event serial that was processed”. document “serial” and “event-serial” and also refine internals wrt to “event-serial” so that it means the “last serial for which events have been processed”


  • fix replication issue reported by a customer: if a replica lags behind a master and a file was created and then deleted meanwhile, the replica would get stuck with a FileReplicationError. We now let the master report a 410 GONE code so that the replica knows it can safely proceed because the file was deleted later anyways.
  • generate “systemd” configuration example when “–gen-config” is issued. Thanks Pavel Sedlak.
  • fix issue109: fix relative URLs in simple index pages and 404 errors on uploading toxresults and downloading files when serving under an outside URL with a sub path. Thanks to Joe Holloway for detailed infos.
  • drop limitation on maximum documentation size. Body size is now only controlled by frontends such as nginx. Thanks Stephan Erb.
  • use newer version of virtualenv for jenkins trigger. Thank brunsgaard.


  • make replication more precise: if a file cannot be replicated, fail with an error log and try again in a few seconds. This helps to maintain a consistent replica and discover the potential remaining bugs in the replication code.
  • add who/when metadata to release files, doczips and test results and preserve it during push operations so that any such file provides some history which can be visualized via the web-plugin. The metadata is also exposed via the json API (/USER/INDEX/PROJECTNAME[/VERSION])
  • fix issue113: provide json status information at /+status including roles and replica polling status, UUIDs of the repository. See new server status docs for more info.
  • support for external authentication plugins: new devpiserver_auth_user hook which plugins can implement for user/password validation and for providing group membership.
  • support groups for acl_upload via the ”:GROUPNAME” syntax. This requires an external authentication plugin that provides group information.
  • on replicas return auth status for “+api” requests by relaying to the master instead of using own key.
  • add “–restrict-modify” option to specify users/groups which can create, delete and modify users and indices.
  • make master/replica configuration more permanent and a bit safer against accidental errors: introduce “–role=auto” option, defaulting to determine the role from a previous invocation or the presence of the “–master-url” option if there was no previous invocation. Also verify that a replica talks to the same master UUID as with previous requests.
  • replaced hack from nginx template which abused “try_files” in “location /” with the recommended “error_page”/”return” combo. Thanks Jürgen Hermann
  • change command line option “–master” to “–master-url”
  • fix issue97: remove already deprecated –upgrade option in favor of just using –export/–import
  • actually store UTC in last_modified attribute of release files instead of the local time disguising as UTC. preserve last_modified when pushing a release.
  • fix exception when a static resource can’t be found.
  • address issue152: return a proper 400 “not registered” message instead of 500 when a doczip is uploaded without prior registration.
  • add OSX/launchd example configuration when “–gen-config” is issued. thanks Sean Fisk.
  • fix replica proxying: don’t pass original host header when relaying a modifying request from replica to master.
  • fix export error when a private project doesnt exist on pypi
  • fix pushing of a release when it contains multiple tox results.
  • fix “refresh” button on simple pages on replica sites
  • fix an internal link code issue possibly affecting strangeness or exceptions with test result links
  • be more tolerant when different indexes have different project names all mapping to the same canonical project name.
  • fix issue161: allow “{pkgversion}” to be part of a jenkins url


  • log version information of all found plugins on startup.


  • fix issue145: restrict devpi_common dependency so that a future “pip install ‘devpi-server<2.0’” has a higher chance of working.
  • fix issue144: fix interaction with requests-2.4.0 – use new devpi-common-offered “Errors” enumeration to check for exceptions.
  • add ‘*’ as possible option for pypi_whitelist to whitelist all packages of an index at once. Refs issue110
  • outside url now works with paths, so you can host a devpi server on something like
  • fix issue84: during upload: if a previously registered name diverges from a freshly submitted one take the previously registered one. This can happen when uploading wheels and in other situations.
  • fix issue132: during exporting use whatever name comes with the versiondata instead of trying too hard to assert consistency of different versions.
  • fix issue130: fix deletion of users so that is properly deletes all indexes and projects and files on each index.


  • fix issue139: adapt to a recent change in pypi which now serves under URLs using normalized project names instead of the “real” registered name Thanks Timothy Allen and others for sorting this out.
  • fix issue129: fix __init__ provided version and add a test that it always matches the one which pkg_resources sees (which gets it effectively from


  • fix issue128: a basic auth challenge needs to be sent back on submit when no authorization headers are sent with the post request.


  • fix issue120: link to “upgrade” section from main index page.
  • preserve http reason string for submit through replica proxying
  • proper error message when “devpi push X” uses an X that comes from a base index or is not existent
  • fix issue121: depend on py-1.4.23 to fix python3.4 compatibility for a venusian/py34/py interaction import oddity.
  • fix issue126: handle deletion of pypi project cache entries correctly (i.e. ones that are triggered by “refresh” on simple page).
  • Add special handling of ”:ANONYMOUS:” user in acl_upload to allow anonymous submit.
  • fix nginx template so that when used in a replica setting the master always answers HEAD requests without nginx short-cirtcuiting it.
  • increase internal cache size to improve performance when many indexes and projects are served.


  • fix regression which prevented the basic authentication for the setuptools upload/register commands to fail. Thanks Florian Schulze.
  • fix issue106: better error messages on upload failures. And better allow auto-registration when uploading release files.


  • major revamp of the internal core of devpi to support replication (both master and server code), a plugin architecture with the new devpi-web plugin providing a new web interface. Mostly done by Florian Schulze and Holger Krekel.
  • moved all html views except for files and the simple index to new devpi-web package. Thanks to Florian Schulze for the PR.
  • implement issue103: By default if you register a package in an index, no lookup on pypi is made for that package anymore. You have to add the package to the pypi_whitelist of the index to let pypi releases be mixed in. This is to prevent malicious uploads on pypi to overwrite private packages.
  • change json api to get rid of the different meaning of URLs with and without a trailing slash. “/{user}/” is now the same as “/user” and always lists indices. “/{user}/{index}” and “/{user}/{index}/ now always lists the index config and the contained per-stage projects (not inherited ones).
  • switch the wsgi app to use Pyramid and waitress for WSGI serving.
  • don’t refresh releaselinks from the mirroring thread but rather rely on the next access to do it.
  • fix issue98: deleting a project config or a project version now accepts names which map to the canonical name of a project.
  • fix issue82 and fix issue81: root/pypi now provides the same attributes as normal indexes and results in a 409 MethodNotAllowed http code when trying to change the config.
  • fix issue91: make serverport available as well. Thanks David Bonner.
  • fix issue100: support large file uploads. As we switched away from bottle to pyramid, the body-size limit is gone.
  • fix issue99: make “devpi-server –start” etc work when devpi-server is not itself on PATH (by using sys.argv[0] for finding the binary)
  • fix issue84: uploading of wheels where the registered package name has an underscore works despite a wheel’s metadata carrying hyphens instead. At submit-file time we now lookup the registered name and use that instead of assuming the one coming with the wheel is the correct one.
  • add refresh button on root/pypi project simple index pages which clears the internal cache to force a refetch from PyPI.
  • implement issue75: We use the custom X-Devpi-Auth header for authentication now, instead of overwriting the Authentication header.
  • added experimental support for using client certificates when running as a replica of a server running behind a proxy


  • fix issue78: create less directories for pypi package files by splitting the md5 part into two. Avoids TooManyLinks errors in large installations.
  • fix –stop on windows. Thanks to Christian Ullrich for the PR.
  • fix issue79: interoperate with pip-1.5 by interpreting accept header as “/” as html_preferred. Thanks Richard Jones.
  • use latest virtualenv-1.11.2 when bootstrapping on jenkins
  • fix issue89: adapt for bottle changes in 0.12.1. Thanks Alexey Sveshnikov.


  • fix an import issue for doc files which were wrongly tied to a newer version of a base index. now version “auto” detection for storing doc files only works within a stage. Thanks Laurent Brack for bringing it up and providing the repo.
  • fix issue66: api endpoints now also respect –outside-url setting so that you can serve devpi from a subpath. Thanks for Fabian Snovna for reporting and analysis.
  • fix issue63: skip egg links that go to a directory (this requires doing a SVN checkout which devpi-server does not do). Thanks Ken Jung for analyzing the problem.
  • fix issue68: don’t derive metadata from filename but instead look it up in metadata or submitted form.
  • fix cache-invalidation when normalized_project_name != real_name (e.g. for Django but also many others). addresses issue59.
  • add newline to simple list output for better human readability of the page (thanks Brandon Maister)
  • make xmlrpc calls to pypi’s changelog API use “requests” sessions so that http proxies are respected there as well (fixes issue58). thanks to riehlm for identifying the problem and testing the fix.
  • internally refactor and consolidate mocking against requests library
  • –upgrade-state will upgrade now between major.minor/major.minor+1 changes.


  • serve links to files on simple pages and index root as relative paths so that it works more nicely with proxy-pass server setups. fixes issue56.
  • make devpi-server and devpi-common python3.3 compatible, addresses issue57
  • use system http/s proxy settings from devpi-server. fixes issue58.
  • refactor locations to allow nginx serving static files more directly. Also updated nginx template accordingly.
  • rework “–upgrade-state” to detect the state version of the server dir and create an appropriate virtualenv with a devpi-server install in order to export data, and then import that version.
  • allow to use /user/index as indexserver url for pip/easy_install by redirecting non-json queries to /user/index/PROJ[/] to /user/index/+simple/PROJ/
  • fix submission of multi-value fields like “classifiers” or “platform” (previously they would be wrongly collapsed to become the last value of a list)
  • fix normalization import/export issue: pypi names take precendence for defining the “real” name of a project.
  • always store uploaded documentation with a version. While “devpi upload” will make sure to pass in the version, “ upload_docs” will not pass in a version. In the latter case, devpi-server assumes the documentation belongs to the highest yet registered release. This change requires exporting with devpi-1.1 and importing with devpi-1.2 in order to properly store versioned docs internally.
  • use types/url/metadata/validation functionality of new depdency devpi_common
  • internal cleanup using pytest-flakes
  • make devpi-server use a proper UserAgent string


  • systematically test pypi/mirror code against all 34K pypi projects so that we know that all http/https installable archive links that pypi offers are correctly recognized by devpi-server’s root/pypi index.
  • if no pypi mirror state is known, devpi-server now calls pypi to obtain names/serials. It will fail to start if no such initial connection is possible. Once a first mirror state is known, subsequent devpi-server starts will not perform this initial query.
  • speed up and make more reliable all operations on private packages which have no release: we can now determine if a project exists on pypi and under which name exactly without remote queries or redirects to
  • fix issue45: register/upload package names are now properly validated and redirects take place if e.g. a project was registered as “name-sub” and “+simple/name_sub” is queried.
  • new –upgrade-state command to allow for easy and safe in-place upgrading of server state. This is not guranteed to be possible for all future releases which might require using –export with an older version and –import with a newer version.
  • new –export/–import options to dump and import server contents: users, indexes, docs, release files and (test) attachments. Note that root/pypi (PyPI-caching information) will not be exported/imported. (maybe in the future if there is demand).
  • fix issue49: both push and import/export now support docfiles. Note, however, that docfiles relate to a project as a whole and are not tied to a particular version. This property is inherited from the PyPI standard upload_docs action and cannot be changed without interfering or replacing the upload_docs protocol of setuptools/sphinx.
  • fix issue51: return 200 code if release file is successfully uploaded but jenkins could not be triggered (previously returned 500)
  • reject simple/NAME if NAME contains non-ascii characters (PEP426 naming rules)
  • devpi-server now returns a X-DEVPI-API-VERSION and X-DEVPI-SERVER-VERSION header. For future incompatible changes these versions allow clients to reject interactions.
  • also add ”.serverversion” file and write it if it does not exist, and make devpi-server use it to verify if operating on a compatible server data layout, otherwise bail out.
  • address issue43: –gendeploy now uses pip without –pre and explicitely instructs pip to install the exact same version of devpi-server with which –gendeploy is issued.
  • fix issue46 – for GET /root/pypi/ only show a link to the simple page instead of computing “latest in-stage packages” which is only useful for devpi’s user indices.
  • fix issue37: upload with expired login causes proper 401


  • rename “–datadir” to “serverdir” to better match the also picked up DEVPI_SERVERDIR environment variable.
  • fix a strange effect in that sometimes tools ask to receive a package url with a “#md5=...” arriving at the server side. We now strip that part out before trying to serve the file.
  • on startup don’t create any initial indexes other than the “root/pypi” pypi caching mirror.
  • introduce --start, --stop and --log commands for controling a background devpi-server run. (these commands previously were implemented with the devpi-client and the “server” sub command)
  • fix issue27: provide full list of pypi names in root/pypi’s simple view (and simple pages from inheriting indices)
  • default to “eventlet” server when creating deployment with –gendeploy
  • fix issue25: return 403 Forbidden when trying to delete the root user.
  • fix name mangling issue for pypi-cache: “project_name*” is now matched correctly when a lookup for “project-name” happens.
  • fix issue22: don’t bypass CDN by default, rather provide an “–bypass-cdn” option to do it (in case you have cache-invalidation troubles)
  • fix issue20 and fix issue23: normalize index specs internally (“/root/dev” -> “root/dev”) and check if base indices exist.
  • add Jenkins build job triggering for running the tests for a package through tox.
  • inheritance cleanup: inherited versions for a project are now shadowed and not shown anymore with get_releaselinks() or in +simple pages if the “basename” is exactly shadowed.
  • fix issue16: enrich projectconfig json with a “+shadow” file which lists shadowed “versions”
  • initial wheel support: accept “whl” uploads and support caching of whl files from
  • implemented internal push operation between devpi indexes
  • show “docs” link if documentation has been uploaded
  • pushing releases to will now correctly report the filetype/pyversion in the metadata.
  • add setting of acl_upload for indexes. Only the owning user and acl_upload users may upload releases, files or documentation to an index.
  • add –passwd USER option for setting a user’s password server-side
  • don’t require email setting for creating users


  • fix issue where lookups into subpages of the simple index (simple/NAME/VER) would not trigger a 404 as they should.


  • fixed issue9: caching of packages where upstream provides no last-modified header now works.
  • fixed issue8: only http/https archives are allowed and other schemes (such as ftp) are silently skipped
  • added support for REST DELETE methods of projects and versions on an index
  • added “argcomplete” support for tab completion on options (thanks to Anthon van der Neut)


  • fix /USER/INDEXNAME root views to contain only latest in-stage packages
  • make +api calls return bases so that “devpi use” can show them


  • return 404 for submits to root/pypi
  • properly sorted release file links on stage indexes
  • “push” method on indexes for transfering release files to another pypi index
  • properly handle urls from indexes with ~ and other special chars
  • fix root/pypi and root/dev page serving in various cases


  • implement more precise CDN/caching invalidation technique, using the most recent PyPI API (“X-PYPI-LAST-SERIAL” on simple pages and xmlrpc.list_packages_with_serial()). also simplify background tasks to become only one async task doing both changelog checking and triggering updates.
  • use a filesystem based storage mechanism instead of Redis
  • prevent automatic decoding of gzip files in case of content encoding
  • XXX preliminarily introduce new int/dev, int/prod indexes where int/dev inherits packages from both int/prod and ext/pypi.
  • XXX introduce preliminary support for client-side “devpi” workflow tool
  • allow uploads to int/dev
  • if no crontab exists for a user, simply create one instead of erroring out. Thanks Andi Albrecht.
  • internal refactoring for better organisation of redis access


  • re-fix issue6: tests and fixes for django-debug-toolbar where recursive scraping was accidentally triggered
  • remove fine-grained http caching for now because caching on the index level seems enough. This avoids an issues that occured when installing icalendar and also some offline/online state change issues.
  • added a note to README for how to upgrade –gendeploy installs
  • remove general dependency on virtualenv which is only needed for –gendeploy. Adapt docs accordingly.
  • remove dependency on pip by shifting the relevant scraping bits directly to


  • use pip’s link parser rather than beautifulsoup to benefit from link parsing code tested out and maintained in the wild. Adapt README.

  • skip a test if crontab command is not present

    (thanks Markus Zapke-Gruendemann)

  • release 0.8.3 is not useable


  • fix issue6 - some edge cases for link parsing uncovered by BeautifulSoup and CouchApp installs. Thanks Anton Baklanov.
  • fix issue5 - require minimal versions for deps, thanks Andi Albrecht
  • remove superflous include lines in


  • fix: change gendeployed supervisord.conf to not autostart processes on “devpi-ctl” invocations. “devpi-ctl help” would autostart the processes after a shutdown which is not very intuitive. This is actually compatible with the documentation.
  • refactor –gendeploy related code to be in
  • fix: fixate path of devpi-server in gendeployed configuration to point to the freshly installed devpi-server. also add a note to the README.


  • introduce “–gendeploy=TARGETDIR” for generating a virtualenv directory with supervisor-based configuration in TARGETDIR/etc and a TARGETDIR/bin/devpi-ctl helper to control the running of devpi-server and redis-server processes.
  • fix issue4: keep the “changelog” thread active across network/reachability errors. Thanks Laurent Brack.
  • use argparse instead of optparse, simplify and group options
  • fix python2.6 and simplify logging configuration


  • Initial release


3.1.0 (2016-04-22)

  • use readme-renderer like PyPI does.
  • if rendering the description causes errors, they are appended at the end.
  • When creating the preview snippet for search results on documentation and the extracted doc files can’t be accessed, then the preview will contain error information instead of raising an internal server error. See issue324
  • fix issue335: The documentation wasn’t linked for projects with non-normalized names.
  • fix issue324: The project name wasn’t correctly normalized when trying to access unpacked documentation in some code paths.
  • all generated URLs in devpi-web are now normalized and don’t go through a redirect anymore.
  • added some internal infos to view data for use in theme templates. Any view data starting with an underscore is internal and may change between releases without notice. see issue319

3.0.0 (2016-02-12)

  • dropped support for python2.6
  •,, style.css: added title and description to users and indexes.
  •, style.css: more compact styling of user/index overview using flexbox, resulting in three columns at most sizes
  • cleanup previously unpacked documentation to remove obsolete files.
  • store hash of doczip with the unpacked data to avoid unpacking if the data already exists.
  •, renamed pypi_whitelist related things to mirror_whitelist.
  • require and adapt to devpi-server-3.0.0 which always uses normalized project names internally and offers new hooks. devpi-web-3.0.0 is incompatible to devpi-server-2.X.
  •,, style.css, docview.js: use scrollbar of documentation iframe, so documentation that contains dynamically resizing elements works correctly. For that to work, the search from and navigation was moved into a wrapping div with class header, so it can overlap the top of the iframe.

2.6.0 (2016-01-29)

  • fix issue305: read documentation html files in binary and let BeautifulSoup

    detect the encoding.

  • require devpi-server >= 2.6.0

  • support for pip search command on indexes

2.5.0 (2015-11-19)

  • fix issue288: classifiers rendering wrong with read only data views
  •,, added info about pypi_whitelist. This requires devpi-server > 2.4.0 to work.
  • fix issue286: indexing of most data failed due to new read only views

2.4.2 (2015-11-11)

  • log exceptions during search index updates.
  • adapted tests/code to work with devpi-server-2.4

2.4.1 (2015-10-09)

  • fix issue255: close and discard whoosh searchers after each use, they use too much memory if stored in a thread local for reuse.

2.4.0 (2015-07-09)

  • Add autofocus attribute to search field
  • and style.css: Moved “How to search?” to the right of the search button and adjusted width of search field accordingly.
  • fix issue244: server status info
    • added support for status message plugin hook devpiweb_get_status_info
    • added macros status and statusbadge and placed them below the search field.
    • added shows server status information
  • fix missing closing div tag.

2.3.0 (2015-05-13)

  • use just one line for result status indicator
  • adapt devpi-web to devpi-server-2.2.0 hash-spec changes
  • moved hash to title attribute of table cell. With the upcoming change to sha256 it’s too long and it’s available from the link url as well.
  • use renamed devpiserver_run_commands hook
  • fix issue233: projects on root/pypi with no releases lead to a traceback

2.2.3 (2015-02-24)

  • fix issue207: added documentation url for latest stable release of a package.

2.2.2 (2014-11-27)

  • fix issue184: better height calculation of documentation iframe.


  • require devpi-server>=2.1.2
  • fix issue175: use normalized name of projects, so redirects from unnormalized names works. NOTE that if you had issues with documentation uploads not appearing because of normalization issues (“-” or “_” appearing in the name for example) you need to re-upload the docs or do a full export/import cycle.
  • fix view when tox results can not be parsed.
  • removed “code” tag around overwrite count.
  • added “footer” tag around the whole footer part.
  • moved file type, python version and size info from their own columns into the file column.
  • moved history column from before the tox results column to behind the tox results.
  • removed “last modified” from history column
  • removed timestamp from “replaced” action in history column
  • add link to PyPI page if applicable.
  • fix project page view if there are downloads with filenames which can’t be parsed as packages with version number
  • fix notfound-redirect when serving under an outside URL with a sub path


  • require devpi-server >= 2.1.0
  • static resources now have a plus in front to avoid clashes with usernames and be consistent with how other urls work: “+static/...” and “+theme-static/...”
  • adjusted font-sizes and cut-off width of content.
  • only show underline on links when hovering.
  • make the “description hasn’t been rendered” warning stand out.
  • moved md5 sum from it’s own column to the file column below the download link
  • added “history” column showing last modified time and infos about uploads and pushes.
  • fix issue153: friendly error messages on upstream errors.
  • show permissions on index page


  • better exception handling/reporting while indexing.
  • renamed --index-projects to --recreate-search-index.


  • allow overwriting of templates for theming.
  • show version info for currently active packages/plugins.
  • fix encoding issue when loading long description with Python 3.4 on Windows.
  • requires devpi-server 2.0.6.


  • fix issue125: javascript for embedded doc view didn’t work correctly.
  • fix issue118: rendering of description with unicode.


  • initial release
  • fix issue112 (reported on devpi-server): introduce a URL for showing docs using latest instead of a version. This will dynamically resolve to the latest version.