Is setting the pip index enough to avoid accidentally installing the public package?

Let’s say I have some package named mysuperprivatepackage which I intend to host and use inside my private index. My software is allowed to install from this private index and the public index (

Say someone with malicious intent uploads the same name to in hopes that our software installs theirs.

Is simply setting pip index (e.g., pip install --index-url) enough to protect against this?
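The pip behaviour the question turns on, as an added example that is not from the original post: with `--extra-index-url` pip pools candidates from every configured index and installs the best version across the pool, so the private index gets no priority, whereas `--index-url` alone makes pip query only that index, and requirements pinned with `--hash` plus `--require-hashes` reject any substituted artifact. The script audits constructed pip.conf and requirements samples for those settings; the URLs, the hash value and the function names are assumptions.

```python
import configparser

# Constructed sample files (not from the original post); the sha256 is a placeholder.
WEAK_PIP_CONF = "[global]\nindex-url = https://pypi.org/simple\n" \
                "extra-index-url = https://private.example.internal/simple\n"
HARDENED_PIP_CONF = "[global]\nindex-url = https://private.example.internal/simple\n"
WEAK_REQS = "--extra-index-url https://private.example.internal/simple\n" \
            "mysuperprivatepackage>=1.0\n"
HARDENED_REQS = ("--index-url https://private.example.internal/simple\n"
                 "mysuperprivatepackage==1.4.2 \\\n"
                 "    --hash=sha256:" + "0" * 64 + "\n")

def audit_pip_conf(text: str) -> list:
    """Flag pip.conf settings that let a same-named public package win."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if cfg.has_option(section, "extra-index-url"):
            # pip pools candidates from index-url and every extra-index-url and picks
            # the best version across the pool, so a higher public version wins.
            findings.append(f"[{section}] extra-index-url pools public and private candidates")
    return findings

def _logical_lines(text: str):
    """Join backslash-continued requirement lines; drop blanks and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf and not buf.startswith("#"):
            yield buf
        buf = ""

def audit_requirements(text: str) -> list:
    """Flag extra indexes and requirements not pinned to a version and hash."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("--extra-index-url"):
            findings.append("extra-index-url in requirements pools indexes")
        elif line.startswith("-"):
            continue  # other options such as --index-url are not flagged
        elif "==" not in line or "--hash=" not in line:
            # Without an exact pin and --hash, --require-hashes cannot reject a swap.
            findings.append(f"{line.split()[0]}: not pinned by exact version and hash")
    return findings
```

Run `audit_pip_conf` over the user's real `pip config list` output and `audit_requirements` over each requirements file to see whether the setup relies on index precedence that pip does not provide.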

Hey Keto, the packaging category discussed this… check it out