Adding new source should set explicit flag by default

[ggolda]

Issue Kind

Change in current behaviour

Description

According to the documentation (Poetry Repositories Documentation) and current Poetry behavior, when a new source is added, it is automatically assigned a primary priority, causing PyPI to be ignored.

I believe this behavior is counterintuitive and should not be the default. In my opinion, it is error-prone and can lead to issues like the one my team encountered. We were using Poetry for the first time, and as a result, all of our dependencies were being loaded from an external mirror instead of PyPI.

I understand that it is our fault and such behavior is documented, but it is not what you would expect from a package manager. Usually at least in my experience with other languages and package managers (such as npm, composer, or even go get) by default they prioritize the main package repository and fallback to the supplementary if it is explicitly stated.

So in my opinion, a better alternative is to assign an explicit priority to added sources. Existing system is more than flexible enough to handle other requirements if such arise.

Impact

Improve user experience for users who do not read every section of documentation before starting to use the tool. Make it similar to average expectation of users coming from another languages.

Workarounds

This should be a default behavior in my opinion:

poetry source add --priority=explicit https://path/to/source

[abn]

I tend to agree here, atleast in that primary shouldn't be the default. I suspect the assumption here was that internal projects typically have a private primary source that proxied PyPI and this was the larger use cases.

Would be good to hear from others as well before we change anything.

[radoering]

At least, the current default is secure in the sense that you will not use PyPI accidentally when configuring other sources.

I do not have a strong opinion on changing it. If we want to change it, we should consider if supplemental would be a better default than explicit.

[abn]

Using supplemental is what I was thinking.

The default right now is very much a "surprise". Even for myself, when working on the source command recently was a bit surprised PyPI disappeared when I added a source. Took me a few seconds to connect the dots.

On thinking back, everytime I needed to add a new source has almost always been a supplemental source with PyPI as primary.

So, my vote would be to change it and use supplemental unless someone has an objection to such a change.