PEP 766: handling multiple indexes (Index Priority)

Having a formal PEP will provide good visibility and transparency to users of the resolution algorithm. Given that users can opt in to use or not to use this algorithm, tools such as uv can still innovate and provide their own solutions. However, having a clear and accepted PEP will benefit projects like PyTorch in providing the best and most secure experience for users of standard tooling such as pip.

For development teams maintaining their own index, dealing with a single standard algorithm is preferred rather than supporting multiple non-standard tools and use cases that could potentially contradict each other.

Since PEP 766 is informational and does not contain technical implementation details, I propose creating a standards track PEP to go along with PEP 766. We should be able to specify and discuss the technical implementation details of PEP 766 in this new standards track PEP. The technical details should include the interaction with the following PEPs:

  • PEP 708 Extending the Repository API to Mitigate Dependency Confusion Attacks
  • PEP 610 Recording the Direct URL Origin of installed distributions (in our case we want to record the index from which the wheel came)

Hence, in this case it would make sense to close PR 13210, create a new standards track PEP, and open a new PR based on the standards track PEP.

3 Likes

The goal of this informational PEP is solely to establish shared verbiage and describe common concepts among potential index priority implementations. This PEP does not define any behavioral requirements. From the PEP abstract:

This PEP aims to describe each of these behaviors, which are referred to as “version priority” and “index priority” respectively, so that community discussions and troubleshooting can share a common vocabulary, and so that tools can implement predictable behavior based on these descriptions.

I think establishing common terms and concepts for index priority, even without defining behavioral requirements, is beneficial. We’ve received feedback from projects and index maintainers who wish to teach their users about index priority to ensure users get the expected packages. The differences in tooling today are a complication that leads to confusion, makes it harder for users to know how to use non-PyPI indices, and imposes additional work on projects to document best practices for their packages.

I absolutely agree just defining terms and concepts is less impactful. I think it would be much more valuable to have an additional separate PEP that standardizes behavior and configuration among tools for index priority, but such a PEP would be distinct and should be reviewed independently. I think such a PEP could require a certain behavior or configuration options to be available, but also leave room for innovation. uv today has package pinning but can also fall back to pip’s “unsafe-best-match” behavior, so multiple behaviors being available already exists. I don’t want to derail the conversation on this PEP thread however, so I would suggest a discussion of a “standards track” PEP move to either a new DPO thread or the WheelNext Google Group or Discord channel.

5 Likes
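To make the two behaviours named in the PEP abstract concrete, here is a toy resolver, added as an example and not code from the thread, from PEP 766, or from any installer. It runs both strategies over a constructed two-index catalogue (the index URLs and project names are hypothetical) and flags the case a defender cares about: a project that exists on the private index but would be taken from the public one under version priority, which is exactly the dependency-confusion shape PEP 708 targets.

```python
"""Toy resolver contrasting PEP 766's "version priority" and "index priority".

Constructed example: the catalogue, index URLs and project names are made up
and stand in for the simple-index responses a real installer would fetch.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indexes in priority order, highest priority first (hypothetical URLs).
INDEXES: List[str] = ["https://internal.example/simple", "https://pypi.org/simple"]

# Constructed catalogue: index URL -> project -> available versions.
CATALOGUE: Dict[str, Dict[str, List[str]]] = {
    "https://internal.example/simple": {
        "acme-utils": ["1.2.0", "1.3.0"],
    },
    "https://pypi.org/simple": {
        "acme-utils": ["99.0.0"],   # constructed: a same-named project with a larger version
        "requests": ["2.32.3"],
    },
}


@dataclass(frozen=True)
class Candidate:
    project: str
    version: str
    index: str

    def version_key(self) -> tuple:
        # Toy comparison: dotted integers only (no pre-releases or local versions).
        return tuple(int(part) for part in self.version.split("."))


def candidates(project: str, indexes: List[str], catalogue: Dict = CATALOGUE) -> List[Candidate]:
    """Every (version, index) pair offered for the project across all indexes."""
    return [
        Candidate(project, version, index)
        for index in indexes
        for version in catalogue.get(index, {}).get(project, [])
    ]


def resolve_version_priority(project: str, indexes: List[str] = INDEXES,
                             catalogue: Dict = CATALOGUE) -> Optional[Candidate]:
    """Version priority (pip's default, uv's "unsafe-best-match"):
    the highest version wins regardless of which index serves it;
    index order only breaks ties between equal versions."""
    found = candidates(project, indexes, catalogue)
    if not found:
        return None
    return max(found, key=lambda c: (c.version_key(), -indexes.index(c.index)))


def resolve_index_priority(project: str, indexes: List[str] = INDEXES,
                           catalogue: Dict = CATALOGUE) -> Optional[Candidate]:
    """Index priority: consult indexes in order and stop at the first one
    that knows the project; lower-priority indexes are never considered
    for that project, even if they carry a newer version."""
    for index in indexes:
        found = candidates(project, [index], catalogue)
        if found:
            return max(found, key=Candidate.version_key)
    return None


def shadowed_by_public_index(project: str, indexes: List[str] = INDEXES,
                             catalogue: Dict = CATALOGUE) -> bool:
    """True when the two strategies disagree on the serving index: the
    project is published on a higher-priority index, but version priority
    would install it from a lower-priority one. Useful as an audit check
    over a lockfile or requirements list before choosing a strategy."""
    by_version = resolve_version_priority(project, indexes, catalogue)
    by_index = resolve_index_priority(project, indexes, catalogue)
    return bool(by_version and by_index and by_version.index != by_index.index)


if __name__ == "__main__":
    for name in ("acme-utils", "requests"):
        print(name, "version priority ->", resolve_version_priority(name))
        print(name, "index priority   ->", resolve_index_priority(name))
        print(name, "shadowed:", shadowed_by_public_index(name))
```

Running the module shows `acme-utils` resolving to `99.0.0` from the public index under version priority but to `1.3.0` from the internal index under index priority, while `requests`, which the internal index does not carry, falls through to the public index under both strategies.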

For the sake of visibility, @jonathandekhtiar posted this at [WheelNext Summit - Spring 2025] Summary

2 Likes