Allow external hosting on PyPI
We get a lot of requests for this, but most folks aren’t aware that this used to be a feature of PyPI that was removed via PEP 470 because in practice it wasn’t great for end-users, similar to reasons mentioned above.
After reading PEP 470 I have not found a solid reason why allowing external hosting is a bad idea. The concerns I saw are:
- Security of packages coming from an external repo.
  - As long as pypi hosts checksums of external packages, this approach is no less secure than what pypi currently is. This was proposed in Allow package maintainer register an external URL instead of upload real wheel file · Issue #8998 · pypa/warehouse · GitHub
- End-user experience
  - The previous, now-reverted implementation of this proposal may have a bad UX, but I haven’t seen technical arguments why there can’t be a good UX, with reasonable rules and error messages, etc. Why not start discussing what a good UX should be, before rejecting this idea?
  - At the end of the day, having `pip install external-package` working automatically is a better user experience than manually adding/using an external index.
- Package author’s experience
  - If this is too much overhead, they can continue to ask for size exemptions like today. But this is at least going to help many of the big organizations who are releasing the biggest packages on pypi, as they probably can afford such overhead in exchange for a better user experience for their end-users.
Would love to hear more insights about more concrete reasons against external hosting, or whether this idea can be revisited today.