Let’s say I have some package named mysuperprivatepackage which I intend to host and use inside my private index. My software is allowed to install from this private index and the public index (pypi.org).
Say someone with malicious intent uploads the same name to pypi.org in hopes that our software installs theirs.
Is simply setting the pip index (e.g., pip install --index-url) enough to protect against this?
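The scenario in the question, as an added example that is not part of the original post: a short Python model of how pip chooses between a private index and pypi.org when the same name exists on both, under --index-url alone, with --extra-index-url, with a version pin, and in hash-checking mode. The private index URL, the versions and the wheel bytes are constructed, and the resolution rules are a deliberate simplification of pip's documented behaviour (every configured index is searched with no priority between them, the highest matching version wins, and a --hash on the requirement line rejects any file whose digest is not listed).

```python
"""
Toy model of how pip picks a distribution when more than one index is
configured. This is a simulation for illustration, not pip's own code:
the index contents, URLs, versions and wheel bytes below are constructed.
"""
import hashlib
from dataclasses import dataclass

NAME = "mysuperprivatepackage"
PRIVATE_INDEX = "https://pypi.internal.example/simple"  # assumed private index URL
PUBLIC_INDEX = "https://pypi.org/simple"


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str
    sha256: str


def parse_version(v: str) -> tuple:
    # Simplification: pip orders by PEP 440; dotted integers are enough here.
    return tuple(int(part) for part in v.split("."))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed byte strings standing in for wheel files.
PRIVATE_WHEEL = b"legitimate build of mysuperprivatepackage 1.2.0"
ATTACKER_WHEEL_HIGH = b"attacker build claiming version 99.0.0"
ATTACKER_WHEEL_SAME = b"attacker build claiming version 1.2.0"

# What each index advertises for the same project name (constructed).
CANDIDATES = [
    Candidate(NAME, "1.2.0", PRIVATE_INDEX, sha256_hex(PRIVATE_WHEEL)),
    Candidate(NAME, "99.0.0", PUBLIC_INDEX, sha256_hex(ATTACKER_WHEEL_HIGH)),
    Candidate(NAME, "1.2.0", PUBLIC_INDEX, sha256_hex(ATTACKER_WHEEL_SAME)),
]


def resolve(name, indexes, pin=None, allowed_hashes=None):
    """Return the candidate(s) the model considers best.

    Models three documented pip behaviours:
      * every configured index is searched and none is preferred
        (--index-url replaces pypi.org, --extra-index-url adds to the list);
      * the highest version satisfying the requirement wins;
      * in hash-checking mode (--hash on the requirement line) a file whose
        digest is not in the allowed set cannot be installed.
    More than one returned candidate means the final choice is left to an
    implementation detail, i.e. the attacker's file may be the one installed.
    """
    pool = [c for c in CANDIDATES if c.name == name and c.index in indexes]
    if pin is not None:
        pool = [c for c in pool if c.version == pin]
    if allowed_hashes is not None:
        pool = [c for c in pool if c.sha256 in allowed_hashes]
    if not pool:
        return []  # pip would abort the install
    best = max(parse_version(c.version) for c in pool)
    return [c for c in pool if parse_version(c.version) == best]


def hashed_requirement(candidate: Candidate) -> str:
    """Requirement line pinning both the version and the file digest."""
    return f"{candidate.name}=={candidate.version} --hash=sha256:{candidate.sha256}"


if __name__ == "__main__":
    scenarios = {
        "--index-url private only": dict(indexes=[PRIVATE_INDEX]),
        "private --index-url plus pypi.org --extra-index-url": dict(
            indexes=[PRIVATE_INDEX, PUBLIC_INDEX]),
        "both indexes, pinned ==1.2.0": dict(
            indexes=[PRIVATE_INDEX, PUBLIC_INDEX], pin="1.2.0"),
        "both indexes, pinned ==1.2.0 with --hash": dict(
            indexes=[PRIVATE_INDEX, PUBLIC_INDEX], pin="1.2.0",
            allowed_hashes={sha256_hex(PRIVATE_WHEEL)}),
    }
    for label, kwargs in scenarios.items():
        winners = resolve(NAME, **kwargs)
        shown = [(c.version, c.index) for c in winners] or "install fails"
        print(f"{label}: {shown}")
    print(hashed_requirement(CANDIDATES[0]))
```

Running the script walks through the four configurations: with only the private --index-url, pypi.org is never consulted; once pypi.org is added as an --extra-index-url, the public 99.0.0 wins outright; a plain ==1.2.0 pin leaves two equal candidates, one from each index, so it does not settle the question; only the pinned requirement with a --hash narrows the result to the private build. The model does not cover a private index that proxies pypi.org and refuses to fall through for reserved names, which is the other common way to keep a single --index-url while still reaching public packages.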