On Wed, Oct 08, 2014 at 13:05 +0100, Paul Moore wrote:
> On 8 October 2014 12:40, holger krekel <[email protected]> wrote:
> > I am concerned about the fact that public PyPI links are merged in even
> > for my private packages residing on the extra index.
>
> Bluntly, that's irrelevant.

I disagree. The PEP uses merging of public and private links in the main
rationale section, which comes before discussing migration strategies. It's
used as motivation, aka "look how easy it is to use additional/multi indexes",
and not as a particular migration strategy that shouldn't be used otherwise.

> That's how pip works. Maybe it's not the best way, maybe a feature
> request for pip would be worth pursuing, maybe you could even argue
> that it's a security issue with pip. But it's not relevant to this
> PEP, which simply says that "for this *specific* problem, multi-index
> support is a viable solution". Asking for a change in behaviour from
> pip in this specific case is not what the PEP is about. Actually,
> pip's behaviour in general is not subject to the PEP process (as
> Donald pointed out, trying to make it be is what got PEP 438 in
> trouble).

Well, for one I think "--extra-index-url" is indeed broken UI, exposing people
to compromise without any warning. Also, I am worried on principle grounds if
pip maintainers are putting themselves outside PEP reach, yet pip is
distributed along with Python.

best,
holger

_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
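The behaviour the two messages above disagree about is easy to reproduce on paper. The following is an added example, not pip's code and not part of the thread: it models the selection rule that makes "--extra-index-url" risky, namely that every configured index contributes candidates to one pool and the highest acceptable version wins regardless of which index served it. The index URLs, the private index name and the package contents are constructed for the example; the `confusable_names` check at the end is the audit a practitioner would run to find internal package names that a public index is also offering.

```python
"""Model of pip's candidate merging across --index-url and --extra-index-url.

Not pip's code.  It reproduces the selection rule under discussion: all
configured indexes feed one candidate pool, and the highest version that
satisfies the requirement is chosen with no regard to which index served it.
Index URLs and package data are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical URLs: the private index is an assumption of this example.
PRIVATE_INDEX = "https://pypi.example.internal/simple"
PUBLIC_INDEX = "https://pypi.org/simple"

# Constructed index contents: package name -> versions offered.
# "mycorp-tools" is an internal package; someone has also published a
# package with the same name, and a much higher version, on the public index.
CONSTRUCTED_INDEXES: Dict[str, Dict[str, List[str]]] = {
    PRIVATE_INDEX: {"mycorp-tools": ["1.2.0", "1.3.0"], "requests": ["2.4.1"]},
    PUBLIC_INDEX: {"mycorp-tools": ["99.0.0"], "requests": ["2.4.1", "2.4.3"]},
}


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted-integer versions only; sufficient for the constructed data."""
    return tuple(int(part) for part in version.split("."))


def find_candidates(name: str, indexes: Dict[str, Dict[str, List[str]]]) -> List[Candidate]:
    """Merge candidates from every configured index into a single pool."""
    return [
        Candidate(name, version, url)
        for url, packages in indexes.items()
        for version in packages.get(name, [])
    ]


def resolve(name: str, indexes: Dict[str, Dict[str, List[str]]],
            pin: Optional[str] = None) -> Optional[Candidate]:
    """Pick the highest version in the merged pool; the origin index is ignored.

    `pin` models an exact '==' requirement.  A pin narrows the pool but does
    not restore origin: whoever controls the other index can publish the
    pinned version too.
    """
    pool = find_candidates(name, indexes)
    if pin is not None:
        pool = [c for c in pool if c.version == pin]
    if not pool:
        return None
    return max(pool, key=lambda c: parse_version(c.version))


def confusable_names(private_names, indexes: Dict[str, Dict[str, List[str]]],
                     private_index: str) -> List[str]:
    """Audit check: which of our internal package names does any index other
    than the private one also offer?  Each hit is a name for which
    --extra-index-url lets a foreign index compete for the install."""
    hits = []
    for name in sorted(private_names):
        for url, packages in indexes.items():
            if url != private_index and name in packages:
                hits.append(name)
                break
    return hits


if __name__ == "__main__":
    merged = resolve("mycorp-tools", CONSTRUCTED_INDEXES)
    print(f"merged pool picks {merged.version} from {merged.index}")
    private_only = resolve("mycorp-tools", {PRIVATE_INDEX: CONSTRUCTED_INDEXES[PRIVATE_INDEX]})
    print(f"private index alone picks {private_only.version} from {private_only.index}")
    print("internal names exposed on other indexes:",
          confusable_names({"mycorp-tools"}, CONSTRUCTED_INDEXES, PRIVATE_INDEX))
```

With both indexes configured the merged pool hands "mycorp-tools" to the public index's 99.0.0; with only the private index configured it resolves to 1.3.0. The practical consequence of the rule is that a private package name is only as safe as its absence from every other configured index, which is why the check above is worth running against the real indexes before relying on "--extra-index-url".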
