-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update repositories.md #5605
Update repositories.md #5605
Conversation
Clarifies default vs secondary (see discussion in python-poetry#3855)
Deploy preview for website ready! ✅ Preview Built with commit ec77eed. |
@abn I changed a few things. I added the However, this part in the secondary source section is basically false:
You do not "avoid this" by adding the source. If you add the source to a package, the other dependencies still use the secondary sources. I would rephrase to:
|
docs/repositories.md
Outdated
[certificates](#certificates), please refer to the relevant sections below. | ||
If you prefer to disable [PyPI](https://pypi.org) completely, you may choose to set one of your package sources to be the [default](#default-package-source). | ||
|
||
To enable a package source only for a specific dependency, see [Secondary Package Sources](#secondary-package-sources). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To enable a package source only for a specific dependency, see [Secondary Package Sources](#secondary-package-sources). | |
If the package source provides only specific dependencies, see [Secondary Package Sources](#secondary-package-sources). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this suggestion makes it unclear what this is about. I rephrased to:
If you prefer to specify a package source for a specific dependency, see Secondary Package Sources.
docs/repositories.md
Outdated
@@ -171,7 +181,18 @@ If you wish to avoid this, you may explicitly specify which source to search in | |||
package. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As per your comment, this maybe replaced like this.
- If you wish to avoid this, you may explicitly specify which source to search in for a particular package.
+ In order to limit the search for a specific package to a particular package source, you can explicitly specify what source to use.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, I applied this, but is limit
still true here? It is stated that:
All package sources (including secondary sources) will be searched during the package lookup process. These network requests will occur for all sources, regardless of if the package is found at one or more sources.
and:
If package sources are configured as secondary, all it means is that these will be given a lower priority when selecting compatible package distribution that also exists in your default package source.
So it seems like --secondary
and source = my-secondary-index
only means the search is prioritized
there, and not limited
there. However, I cannot test this, because my internal pypi
server redirects me to pypi.org
if a package is missing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
source =
should restrict the dep to only that repository -- if we're doing otherwise, that's a bug.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's difficult for me to assert this, because my private pypi
is set to redirect to pypi.org
on missing packages.
Since this closely touches security, there really should be a unit test that asserts it.
Co-authored-by: Arun Babu Neelicattu <arun.neelicattu@gmail.com>
Co-authored-by: Bjorn Neergaard <bjorn@neersighted.com>
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Pull Request Check List
Resolves: some discussion in #3855