Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolve versions appearing in multiple extra indexes #2135

Closed
wants to merge 2 commits into from
Closed

Resolve versions appearing in multiple extra indexes #2135

wants to merge 2 commits into from

Conversation

sapir
Copy link

@sapir sapir commented Mar 2, 2024

Summary

This is intended to fix an issue similar to #1451 and #2083 for a case where there are multiple private extra-index-urls. afaik they're all equally trusted, so there shouldn't be any security issue.

Test Plan

I really don't know how to test this properly.

@notatallshaw
Copy link
Contributor

afaik they're all equally trusted, so there shouldn't be any security issue.

Why would you make that assumption? It's very possible the user does not know the trust level of an index, that they could be using multiple public indexes. This assumption is the problem that pip is now stuck with, and leads to dependency confusion attacks.

I appreciate that isn't a review of this PR but the approach, but I don't see an open issue linked that this is supposed to solve.

@charliermarsh
Copy link
Member

I appreciate the PR (nice job figuring this out) but I think we're unlikely to merge this, especially without some kind of user opt-in, since it does create additional safety issues that don't exist today.

@sapir
Copy link
Author

sapir commented Mar 3, 2024

afaik they're all equally trusted, so there shouldn't be any security issue.

Why would you make that assumption? It's very possible the user does not know the trust level of an index, that they could be using multiple public indexes. This assumption is the problem that pip is now stuck with, and leads to dependency confusion attacks.

I appreciate that isn't a review of this PR but the approach, but I don't see an open issue linked that this is supposed to solve.

Apologies, I meant that this is my actual use case, where I trust the extra indexes equally. For now I've solved it by instead setting up a kind of reverse proxy that combines the various indexes.

@sapir sapir closed this Mar 3, 2024
@korhojoa korhojoa mentioned this pull request Mar 5, 2024
Closed
@atti92 atti92 mentioned this pull request Mar 8, 2024
Closed
@charliermarsh charliermarsh mentioned this pull request Apr 3, 2024
Merged
charliermarsh added a commit that referenced this pull request Apr 3, 2024
@charliermarsh
Allow package lookups across multiple indexes via explicit opt-in (#2815
34341bd 
)

## Summary

This partially revives #2135 (with
some modifications) to enable users to opt-in to looking for packages
across multiple indexes.

The behavior is such that, in version selection, we take _any_
compatible version from a "higher-priority" index over the compatible
versions of a "lower-priority" index, even if that means we might accept
an "older" version.

Closes #2775.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sapir @notatallshaw @charliermarsh