On Wed, Oct 08, 2014 at 13:05 +0100, Paul Moore wrote:

> On 8 October 2014 12:40, holger krekel wrote:
>> I am concerned about the fact that public PyPI links are merged in even for my private packages residing on the extra index.
>
> Bluntly, that's irrelevant.

I disagree. The PEP uses merging of public and private links in the main rationale section, which comes before discussing migration strategies. It's used as motivation, aka "look how easy it is to use additional/multi indexes", and not as a particular migration strategy that shouldn't be used otherwise.

> That's how pip works. Maybe it's not the best way, maybe a feature request for pip would be worth pursuing, maybe you could even argue that it's a security issue with pip. But it's not relevant to this PEP, which simply says that "for this *specific* problem, multi-index support is a viable solution". Asking for a change in behaviour from pip in this specific case is not what the PEP is about. Actually, pip's behaviour in general is not subject to the PEP process (as Donald pointed out, trying to make it be is what got PEP 438 in trouble).

Well, for one I think "--extra-index-url" is indeed broken UI, exposing people to compromise without any warning. Also, I am worried on principle grounds if pip maintainers are putting themselves outside PEP reach, yet pip is distributed along with Python.

best,
holger