Question: How to handle multiple private extra indexes? #2310
Comments
I think if this were implemented as written, it would quickly go exponential, right? In the case where a resolution doesn't exist (which isn't totally uncommon), you'd need to every combination of each package in each index.
I don't think we're planning on this at present, principally because this is the thing that can cause dependency confusion problems. I suppose in theory some kind of explicit opt-in flag could mitigate the impact of the dependency confusion problem, but I don't know off-hand how invasive of a change that is. (That is, supporting both priority ordering and "get everything from all indexes and given priority to nothing and provide no guarantees about which index is used." It might not be that bad.)
Can you say more about this? Why? |
This is somewhat overlapping in my use case (#2205) so I'll gladly answer for that bit, So we end up with:
This wouldn't be a problem, but if you now have candidates in staging, or more development versions in dev, you can't install the production versions you want to test with your development version.
This isn't my problem, but it's adjacent, so I understand how it would be nice to be able to at least allow a "let me resolve the packages from other repositories, even though I know it is a vulnerability"-flag. Now consider that you have multiple repositories that you have to install from, where the versions available vary, but the package(s) you need are only available from a particular repository that includes an arbitrary version of it's dependencies in it, then you have #2205. The current workaround is to have multiple rounds of installing with different package indexes, but that doesn't always pan out (if the dependencies line up in a bad way, you can end up with older versions of packages unless you manually fix up your requirements files). Unfortunately that workaround is not deployable so this is local testing only so far. |
@korhojoa Pretty much nailed the answer.
Actually I don't know how do you do multiple rounds of installs.
And we even have multiple levels of dependencies, where Package A has it's own sub dependencies coming from the same indexes. |
Looser requirements, that's pretty much the "if the dependencies line up in a bad way" cop-out in my sentence. |
|
I think the |
I decided to create a new issue, because I think the currently present issues don't exactly match my problem, and ask for different solutions:
Since I couldn't find a workaround, or any suggestion on how to handle this, I am writing down my own pain.
I am mainly interested in, how to handle when you have 3 indexes:
This means there should be no exact conflicts, but they complement each other.
requirements/pyproject contains a mix of packages from all of those indexes, usually hard specified by some automatism, that updates the requirements/pyproject files.
During install we have to add all indexes.
We tried to switch over to uv for performance reasons, but this specific case is not supported yet. Resolution stops at the first index where the package name exists, and just throws an error, saying it's impossible.
After reading through some of the issues and discussion I came to the following 2 possible proposals/questions:
This may still be a duplicate, sorry if it is, but I thought it worth just writing this down.
The text was updated successfully, but these errors were encountered: