On 19 Sep 2019, at 13:41, email@example.com wrote:
First, thank you for the answer, Florian, and your time.
Occasionally we also replace specific releases from pypi with ones we build ourselves, mostly to prevent buggy releases that have not been fixed on pypi from being installed. We would typically merge a bugfix that was not yet applied by the maintainers or fix it ourselves, then build the package and upload it. Say the buggy version is 1.2, we replace it by our version 1.2 on our index. Then later along the line, when 1.3 is uploaded to pypi, we want our index to install the now officially fixed version 1.3 from pypi. I might be mistaken, but an empty whitelist would prevent that, correct? In that case our fixed version 1.2 would always be installed, even though pypi had a version 1.3. Is there a solution for that?
In that case you would add the package with the fix to the mirror_whitelist.
To make this simpler I would create two indexes.
The first has root/pypi in bases and mirror_whitelist="*". It's the one where you upload fixed packages.
The second inherits only from the first and contains all private packages with empty mirror_whitelist.
That way you can upload fixed versions or additional wheels etc. to the first index, and by using the second index as your install base, any private package is automatically safe.
This setup also prevents accidents because of mistakes while updating mirror_whitelist.
Regards, Florian Schulze