-
Notifications
You must be signed in to change notification settings - Fork 900
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
--extra-index-url failing when package not in --index-url (polygraphy 0.47.1) #1600
Comments
zanieb
added
bug
Something isn't working
registry
Related to package indexes and registries
labels
Feb 17, 2024
I think that this is the same as observed in #1451 |
Ah, I glanced at your ticket and ducked out after seeing the timeout. I think you're right that it's the same thing. At least this is another example to test with. |
BurntSushi
added a commit
that referenced
this issue
Feb 29, 2024
Previously, we would prioritize `--index-url` over all `--extra-index-url` values. But now, we prioritize all `--extra-index-url` values over `--index-url`. That is, `--index-url` has gone from the "primary" index to the "fallback" index. In most setups, `--index-url` is left as its default value, which is PyPI. The ordering of `--extra-index-url` with respect to one another remains the same. That is, in `--extra-index-url foo --extra-index-url bar`, `foo` will be tried before `bar`. Finally, note that this specifically does not match `pip`'s behavior. `pip` will attempt to look at versions of a package from all indexes in which in occurs. `uv` will stop looking for versions of a package once it finds it in an index. That is, for any given package, `uv` will only utilize versions of it from a single index. Ref #171, Fixes #1377, Fixes #1451, Fixes #1600
BurntSushi
added a commit
that referenced
this issue
Feb 29, 2024
Previously, we would prioritize `--index-url` over all `--extra-index-url` values. But now, we prioritize all `--extra-index-url` values over `--index-url`. That is, `--index-url` has gone from the "primary" index to the "fallback" index. In most setups, `--index-url` is left as its default value, which is PyPI. The ordering of `--extra-index-url` with respect to one another remains the same. That is, in `--extra-index-url foo --extra-index-url bar`, `foo` will be tried before `bar`. Finally, note that this specifically does not match `pip`'s behavior. `pip` will attempt to look at versions of a package from all indexes in which in occurs. `uv` will stop looking for versions of a package once it finds it in an index. That is, for any given package, `uv` will only utilize versions of it from a single index. Ref #171, Fixes #1377, Fixes #1451, Fixes #1600
BurntSushi
added a commit
that referenced
this issue
Feb 29, 2024
Previously, we would prioritize `--index-url` over all `--extra-index-url` values. But now, we prioritize all `--extra-index-url` values over `--index-url`. That is, `--index-url` has gone from the "primary" index to the "fallback" index. In most setups, `--index-url` is left as its default value, which is PyPI. The ordering of `--extra-index-url` with respect to one another remains the same. That is, in `--extra-index-url foo --extra-index-url bar`, `foo` will be tried before `bar`. Finally, note that this specifically does not match `pip`'s behavior. `pip` will attempt to look at versions of a package from all indexes in which in occurs. `uv` will stop looking for versions of a package once it finds it in an index. That is, for any given package, `uv` will only utilize versions of it from a single index. Ref #171, Fixes #1377, Fixes #1451, Fixes #1600
BurntSushi
added a commit
that referenced
this issue
Feb 29, 2024
Previously, `uv` would always prioritize the index given by `--index-url`. It would then try any indexes after that given by zero or more `--extra-index-url` flags. This differed from `pip` in that any priority was given at all, where `pip` doesn't guarantee any priority ordering of indexes. We could go in the direction of mimicing `pip`'s behavior here, but it at present has issues with dependency confusion attacks where packages may get installed from indexes you don't control. More specifically, there is an issue of different trust levels. See discussion in #171 and [PEP-0708] for more on the security impact. In contrast, `uv` will only select versions for a package from a single index. That is, even if `foo` is in indexes `a` and `b`, it will only consider the versions from the index that it checks first. This probably helps with respect to dependency confusion attacks, but also means that `uv` doesn't quite cover all of the same use cases as `pip`. In this PR, we retain the notion of prioritizing indexes, but tweak it so that PyPI is preferred last as opposed to first. Or more precisely, the `--index-url` flag specifies a fallback index, not the primary index, and is deprioritized beneath every index specified by `--extra-index-url`. The ordering among indexes given by `--extra-index-url` remains the same: earlier indexes are prioritized over later indexes. While this tweak likely won't hit all use cases, I believe it will resolve some of the most common pain points without exacerbating dependency confusion problems. Ref #171, Fixes #1377, Fixes #1451, Fixes #1600 [PEP-0708]: https://peps.python.org/pep-0708/
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
polygraphy==0.47.1
is present on the nvidia package index but not regular PyPI. Onuv
0.1.3, I canuv pip install polygraphy==0.47.1 --index-url https://pypi.ngc.nvidia.com
but notuv pip install polygraphy==0.47.1 --extra-index-url https://pypi.ngc.nvidia.com
.I realize this is very similar to #1377 but the discussion in that ticket seemed to be more about priority of indices to install from than an absence of checking the extra index url.
Verbose output below -
The text was updated successfully, but these errors were encountered: