While responding to the PEP 759 discussion I came up with a scenario that I’m not 100% sure is handled well by this PEP. It doesn’t appear to be covered by the text, so I’m wondering whether it’s deliberate or just handled in some way that I don’t see:
If I publish my own packages on my own index, and expect users to specify both my index and PyPI, but I haven’t claimed my package names on PyPI, a malicious/naive user could claim those names and break installs. There doesn’t seem to be any metadata my index can provide to say “I am the real one, ignore other sources” (and clearly it couldn’t). This situation is probably okay, but it’s more the context than problem.
Now, the obvious way to avoid this happening is to also claim my packages on PyPI and set the “tracks” metadata. That way when they’re both listed, it will be allowed (because metadata says they’re the same package), and so I can ensure that the one on PyPI is a lower version and it will never get installed.
But assuming that I can’t put my actual package on PyPI, what should the contents of that one be? Users who forget my index will see a successful install without real content, lockfiles generated without my index will be nonsense, and if my PyPI credentials get exposed there’s still a path even to users who are specifying the index.
The best ideas I’ve come up with is to put a setup.py on PyPI that prints a helpful error and fails (but I’d love a better system for “fail to install with a custom error message”), or to have some way[1] to treat PyPI as a fallback index, and so packages that appear on two indexes where one is PyPI (or another “fallback index”) will be taken from the other index regardless of any metadata.
Other thoughts? Or did I miss something that actually makes this a non-issue?
I’m hand-waving on purpose because I don’t much care how. If you force me to choose, I’m saying to make
--index-urlfor “essential” indexes and--extra-index-urlfor “fallback” indexes. But other ideas are welcome. ↩︎