Hi Holger,

On 10/11/2014 12:31 AM, holger krekel wrote:

> I understand that as a fairly generic security statement. But I was trying to rather ask about use cases and scenarios where precisely the --extra-index-url option is useful and to be recommended. I'd be grateful if Nick or you could still describe use cases, especially outside PEP470 external links context (the option existed before so I presume there must be some use cases).

I don't use it anymore (because these days for everything other than interactive playing around, I install only from a curated local index specifically limited to each project's dependencies using --no-index and --find-links), but I used to use it.

My use case was this: generally dependencies were installed from PyPI, but occasionally I would need to patch a dependency, so I would create an sdist with a patched version number (e.g. if I patched 2.0.1, I would create an sdist for version 2.0.1.obc1, where "obc" is a tag based on my company name or the project) and add this patched sdist to my own index, which I would add to my installs with --extra-index-url. Because I used a patched version number and pinned all dependencies exactly, it didn't matter to me that both PyPI and my "extra index" were considered for installation; in fact that was convenient, since it meant I could very easily upgrade to a newer PyPI release.

I never used it for "private" non-PyPI packages.

Carl
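The property Carl's scheme relies on is that the patched version string exists on exactly one of the two indexes, since pip treats --extra-index-url indexes as peers of PyPI and may take a matching release from either. The following is an added example, not code from the thread: a small check that parses two constructed PEP 503 "simple" pages (a hypothetical extra index host is used) and classifies each exact pin as served by one index, served by both (a collision, where either copy could be installed), or missing.

```python
"""Check that exact pins resolve to a unique candidate across PyPI and an
extra index, mirroring pip's treatment of --extra-index-url as a peer index."""
from html.parser import HTMLParser

# Constructed simple-index pages for one project, one per index.
# The second host is a placeholder, not a real index.
PAGES = {
    "https://pypi.org/simple/foo/": (
        '<a href="foo-2.0.1.tar.gz">foo-2.0.1.tar.gz</a>\n'
        '<a href="foo-2.1.0.tar.gz">foo-2.1.0.tar.gz</a>\n'),
    "https://index.example.invalid/simple/foo/": (
        '<a href="foo-2.0.1.obc1.tar.gz">foo-2.0.1.obc1.tar.gz</a>\n'
        '<a href="foo-2.1.0.tar.gz">foo-2.1.0.tar.gz</a>\n'),
}


class LinkParser(HTMLParser):
    """Collect href attributes of <a> tags on a simple-index page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def candidates(project, page_html):
    """Return the version string of every sdist for `project` on a page."""
    parser = LinkParser()
    parser.feed(page_html)
    prefix, suffix = project + "-", ".tar.gz"
    versions = set()
    for href in parser.hrefs:
        name = href.rsplit("/", 1)[-1]
        if name.startswith(prefix) and name.endswith(suffix):
            versions.add(name[len(prefix):-len(suffix)])
    return versions


def resolve(project, pinned_version, pages):
    """Map each index URL that offers the exact pinned version to that version."""
    return {url: pinned_version for url, html in pages.items()
            if pinned_version in candidates(project, html)}


def check_pin(project, pinned_version, pages):
    """'unique': one index serves the pin; 'collision': several do, so either
    copy could be installed; 'missing': no index serves it."""
    hits = resolve(project, pinned_version, pages)
    if not hits:
        return "missing"
    return "unique" if len(hits) == 1 else "collision"
```

Running `check_pin("foo", "2.1.0", PAGES)` reports the collision that a private index must avoid: a version it shares with PyPI can be fetched from either side.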