As far as I know pip does not allow the
--index-url flag inline in
requirements.txt files, so it is not possible to write something like the following:
Alpha --index-url https://pep503.bravo.dev/simple/ Bravo --index-url https://pep503.charlie.dev/simple/ Charlie Delta
Also tox is deprecating its
indexserver setting, which allows something like:
[tox] indexserver = bravo = https://pep503.bravo.dev/simple/ charlie = https://pep503.charlie.dev/simple/ [testenv] deps = Alpha :bravo:Bravo :charlie:Charlie Delta
But seems like there is a need to be able to enforce specific dependencies to be fetched from specific servers. There is always the issue that if there are 2 (or more) projects with the same name on different servers, then it is rather hard to control which one will ultimately be fetched and installed. Usually it is the project for which there is a distribution with the highest version number. But it is not necessarily what the user wants. Often the user wants a private dependency to be fetched from their own private index, even if there is a project with the same name and a higher version number on the public index.
I do not have the links right now, but I have already seen multiple questions to that effect (on Stackoverflow and others):
- pip: selecting index url based on package name?
- This poetry ticket about exporting the lockfile to
- The deprecation of tox’s
indexserversetting will probably leave the users without alternative.
- Some of the “name squatting” issues on PyPI ().
- Issues regarding pip’s index priority order (, ).
- PyDist – Blog – The Problem with
- [I should update when I find the other related links again.]
I feel like it could be useful to have a dependency notation that includes the URL to the index. Is there any? Is there any other solution to solve these kinds of issues?
I feel like maybe a dependency notation like the following could help:
Library @ https://pep503.tango.dev/simple/
which would translate to:
python -m pip install --index-url 'https://pep503.tango.dev/' Library
As with PEP 440’s direct references, packages containing such dependencies should be rejected from public servers.
I do not know if something like that has already been considered (please provide links if yes).