[Distutils] The sad and insecure state of commercial private package indexes

Donald Stufft donald at stufft.io
Sat Apr 22 07:05:47 EDT 2017

> On Apr 22, 2017, at 3:13 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> Nobody has been motivated to implement that capability for the
> Python-specific tooling so far, as it competes against two
> alternatives that will often make more architectural sense:
> - automated build pipelines using dependency pinning, hash checks, and
> pre-filtered artifact repositories
> - relying on build & deployment formats that already offer repository
> priority support (e.g. native Linux packages or conda packages)

I think the biggest barrier to doing it in pip is simply the UX of it. We’re currently constrained by the fact that *all* of our options are available as CLI flags, environment variables, and of course, a config file. This works great for simple key, value configuration but it breaks down with more complex situations like trying to assign a priority to different repositories or selecting which repository a particular package *should* come from (and other more complex situations).

Thus far we’ve more or less stuck our fingers in our ears and focused on other problems, but I think we’re going to end up needing to refactor the way pip handles configuration to really make this sort of thing sane.

Donald Stufft

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20170422/69508fba/attachment-0001.html>

More information about the Distutils-SIG mailing list