The problem is that even if your private index software allows you to mask packages, pip will happily “unmask” it if any other index also provides a package by the same name. That can only be fixed by avoiding referencing any indexes you don’t control, which is currently not “official” advice, and so people are unlikely to discover it by themselves until they notice their private package has been superseded by someone else’s public release.
Any form of more explicit masking would help here, as well as letting us document a mitigation or best practice, rather than simply talking about a risk. That’s a much more positive message to send. But first, we need to agree on how to explicitly constrain pip to only check certain feeds for certain packages.
Suggestions so far:
- Name prefix: `co:package` (and no colons allowed on PyPI)
- Index prefix: `package` if the index matches
- Constraints file: allow restricting lookup of `package` to particular indexes
- Prioritised indexes: ignore "lower priority" indexes if `package` is found on a higher pri index
- Server-side name prefix: `co-*` packages can only be published on PyPI by authorised
- Disallow multiple indexes in a single "install" command
Those are roughly in descending order of how much I like them as solutions, and they’re not all mutually exclusive. But if we want none of them, then I expect we’ll start seeing unfortunately negative-sounding advice coming out and have no way to counter it.
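An added illustration of the behaviour the post describes, not code from the post or from pip itself: a small simulation of how candidates from several indexes are merged. It models pip's current rule (every configured index is searched, highest version wins, so a public `co-internal-utils` 99.0.0 shadows the private 1.3.0) next to two of the proposals above, a constraints-style package-to-index restriction and prioritised indexes. The index URLs, package names and version lists are constructed sample data; the version parser is a toy (dotted integers only, no PEP 440 handling).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Tuple[int, ...]
    index: str

    def version_str(self) -> str:
        return ".".join(str(p) for p in self.version)


def parse_version(text: str) -> Tuple[int, ...]:
    # Toy version parser: dotted integers only. Real pip uses PEP 440 ordering.
    return tuple(int(part) for part in text.split("."))


# Constructed index contents (hypothetical URLs and package names).
# The public index carries a package with the same name as the private one,
# at a much higher version: the dependency-confusion scenario from the post.
PRIVATE_INDEX = "https://pypi.example.internal/simple"
PUBLIC_INDEX = "https://pypi.org/simple"

INDEXES: Dict[str, Dict[str, List[str]]] = {
    PRIVATE_INDEX: {"co-internal-utils": ["1.2.0", "1.3.0"]},
    PUBLIC_INDEX: {"co-internal-utils": ["99.0.0"], "requests": ["2.31.0"]},
}


def collect(name: str, indexes: Dict[str, Dict[str, List[str]]],
            sources: Optional[Iterable[str]] = None) -> List[Candidate]:
    """Gather every candidate for `name` from the given indexes (all if None)."""
    urls = sources if sources is not None else indexes.keys()
    found = []
    for url in urls:
        for v in indexes.get(url, {}).get(name, []):
            found.append(Candidate(name, parse_version(v), url))
    return found


def best(cands: List[Candidate]) -> Optional[Tuple[str, str]]:
    """Highest version among candidates, as (version, index); None if empty."""
    if not cands:
        return None
    top = max(cands, key=lambda c: c.version)
    return top.version_str(), top.index


def pip_style_pick(name: str, indexes: Dict[str, Dict[str, List[str]]]):
    """Current behaviour: all configured indexes are equal, highest version wins.
    A private index 'masking' a name does nothing if another index also has it."""
    return best(collect(name, indexes))


def restricted_pick(name: str, indexes: Dict[str, Dict[str, List[str]]],
                    allowed: Dict[str, Set[str]]):
    """Constraints-file proposal: a package listed in `allowed` is only looked
    up on those indexes; unlisted packages may still come from anywhere."""
    return best(collect(name, indexes, allowed.get(name)))


def priority_pick(name: str, indexes: Dict[str, Dict[str, List[str]]],
                  order: List[str]):
    """Prioritised-indexes proposal: the first index in `order` that has the
    package wins, and lower-priority indexes are never consulted for it."""
    for url in order:
        cands = collect(name, indexes, [url])
        if cands:
            return best(cands)
    return None


if __name__ == "__main__":
    pin = {"co-internal-utils": {PRIVATE_INDEX}}
    print("pip today    :", pip_style_pick("co-internal-utils", INDEXES))
    print("constrained  :", restricted_pick("co-internal-utils", INDEXES, pin))
    print("prioritised  :", priority_pick("co-internal-utils", INDEXES,
                                          [PRIVATE_INDEX, PUBLIC_INDEX]))
```

In the simulation the only thing that stops the public 99.0.0 from winning is an explicit rule tying the name to the private index; the private index "masking" the package on its own side is invisible to the resolver, which is exactly why a pure server-side fix cannot close this.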