How to specify extra-index in a pyproject.toml for pip and pip-tools?

Just to note, PEP 708 seeks to solve this problem, with what seems to be a fairly similar approach at the package index level to what you propose:

I don’t understand the resistance to this feature, at least for the option of specifying the new index for a specific package as supported in requirements.txt. I understand that you might not want to specify an additional index for all packages being installed for reasons of conflicts, but specifying a URL for a specific package is very useful.

If a package has a dependency that is not on PyPI then pyproject.toml is the natural place to define these in a way that they get picked up regardless of which build/install tool is being used. This isn’t a pip config thing, or a PDM or Poetry thing, it’s a project thing.

Is it insecure to allow a custom package index? No more insecure than allowing a dependency to be installed from a git repo, which is already supported in pyproject.toml.

3 Likes
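
The git-repo dependencies mentioned in the post above are written in pyproject.toml as PEP 508 direct references (`name @ url`). The following is an added example, not code from the thread or from any participant: a small audit of a `[project].dependencies` list that reports direct references which are not pinned to immutable content. The host names, package names and verdict labels are constructed for illustration.

```python
import re

# Constructed sample of a [project].dependencies list (PEP 508 strings).
SAMPLE_DEPENDENCIES = [
    "requests>=2.31",
    "internal-lib @ git+https://git.example.com/team/internal-lib.git@v1.4.0",
    "pinned-lib @ git+https://git.example.com/team/pinned-lib.git@0123456789abcdef0123456789abcdef01234567",
    "wheel-lib @ https://files.example.com/wheel_lib-2.0-py3-none-any.whl#sha256=" + "ab" * 32,
    "bare-wheel @ https://files.example.com/bare_wheel-1.0-py3-none-any.whl",
    "plain-http @ git+http://git.example.com/team/plain-http.git@main ; python_version >= '3.9'",
]

NAME = r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)"
# name, optional [extras], then "@ <url>" marks a direct reference.
DIRECT_REF = re.compile(NAME + r"\s*(?:\[[^\]]*\])?\s*@\s*(\S+)")
FULL_COMMIT = re.compile(r"@[0-9a-f]{40}(?:#.*)?$")           # 40-hex commit id
HASH_FRAGMENT = re.compile(r"#(?:.*&)?sha(?:256|384|512)=[0-9a-f]+")
ACCEPTED = {"index", "pinned-commit", "hashed-archive"}       # hypothetical policy


def classify(requirement):
    """Return (name, verdict) for one PEP 508 requirement string."""
    direct = DIRECT_REF.match(requirement)
    if not direct:
        plain = re.match(NAME, requirement)
        # Resolved by whichever index the installer is configured to use.
        return (plain.group(1) if plain else requirement.strip()), "index"
    name, url = direct.groups()
    if url.startswith(("git+http://", "http://")):
        return name, "insecure-transport"
    if url.startswith("git+"):
        # Tags and branches can be moved; a full commit id cannot.
        return name, "pinned-commit" if FULL_COMMIT.search(url) else "mutable-ref"
    return name, "hashed-archive" if HASH_FRAGMENT.search(url) else "unhashed-archive"


def audit(dependencies):
    """Map each dependency outside the accepted verdicts to its verdict."""
    results = (classify(dep) for dep in dependencies)
    return {name: verdict for name, verdict in results if verdict not in ACCEPTED}


def dependencies_from_pyproject(toml_text):
    """Extract [project].dependencies from pyproject.toml text (Python 3.11+)."""
    import tomllib
    return tomllib.loads(toml_text).get("project", {}).get("dependencies", [])


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_DEPENDENCIES).items():
        print(f"{name}: {verdict}")
```
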

Is it? Ah, yes, but then PyPI would reject the upload of such a package, right?

1 Like

What PyPI does is irrelevant. This is about building and installing packages, not about publishing them to PyPI.