Just to note, PEP 708 seeks to solve this problem, with what seems to be a fairly similar approach at the package index level to what you propose:
I don’t understand the resistance to this feature, at least for the option of specifying the new index for a specific package as supported in requirements.txt. I understand that you might not want to specify an additional index for all packages being installed for reasons of conflicts, but specifying a URL for a specific package is very useful.
If a package has a dependency that is not on PyPI then pyproject.toml is the natural place to define these in a way that they get picked up regardless of which build/install tool is being used. This isn’t a pip config thing, or a PDM or Poetry thing, it’s a project thing.
Is it insecure to allow a custom package index? No more insecure than allowing a dependency to be installed from a git repo, which is already supported in pyproject.toml.
Is it? Ah, yes, but then PyPI would reject the upload of such package, right?
What PyPI does is irrelevant. This is about building and installing packages, not about publishing them to PyPI.