Update repositories.md #5605
Clarifies default vs secondary (see discussion in python-poetry#3855)
Deploy preview for website ready! ✅ Preview Built with commit ec77eed.
@abn I changed a few things. I added the However, this part in the secondary source section is basically false:
You do not "avoid this" by adding the source. If you add the source to a package, the other dependencies still use the secondary sources. I would rephrase to:
docs/repositories.md
Outdated
[certificates](#certificates), please refer to the relevant sections below. | ||
If you prefer to disable [PyPI](https://pypi.org) completely, you may choose to set one of your package sources to be the [default](#default-package-source). | ||
|
||
To enable a package source only for a specific dependency, see [Secondary Package Sources](#secondary-package-sources). |
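Review bot: the added line "To enable a package source only for a specific dependency, see [Secondary Package Sources]" reads as a promise that a per-dependency source restricts lookup to that one index, while the same docs (as quoted later in this thread) state that all configured sources, secondary ones included, are searched during lookup. Until that restriction is verified, word it as choosing the preferred source for a dependency rather than enabling a source "only" for it; the later suggestion "If you prefer to specify a package source for a specific dependency, see Secondary Package Sources." already avoids the stronger claim.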
To enable a package source only for a specific dependency, see [Secondary Package Sources](#secondary-package-sources). | |
If the package source provides only specific dependencies, see [Secondary Package Sources](#secondary-package-sources). |
I think this suggestion makes it unclear what this is about. I rephrased to:
If you prefer to specify a package source for a specific dependency, see Secondary Package Sources.
docs/repositories.md
Outdated
@@ -171,7 +181,18 @@ If you wish to avoid this, you may explicitly specify which source to search in | |||
package. |
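Review bot: the context sentence "If you wish to avoid this, you may explicitly specify which source to search in for a particular package" still presents a per-package `source` as a way to avoid lookups on the other indexes, which the docs' own statement that every source is searched contradicts. If the intended behaviour is that `source =` restricts the dependency to that repository, this doc change should be backed by a test asserting it; otherwise the sentence should claim only that the named source is preferred, e.g. "you may explicitly specify which source is preferred for a particular package."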
As per your comment, this may be replaced like this.
- If you wish to avoid this, you may explicitly specify which source to search in for a particular package.
+ In order to limit the search for a specific package to a particular package source, you can explicitly specify what source to use.
So, I applied this, but is `limit` still true here? It is stated that:

All package sources (including secondary sources) will be searched during the package lookup process. These network requests will occur for all sources, regardless of if the package is found at one or more sources.

and:

If package sources are configured as secondary, all it means is that these will be given a lower priority when selecting compatible package distribution that also exists in your default package source.

So it seems like `--secondary` and `source = my-secondary-index` only means the search is prioritized there, and not limited there. However, I cannot test this, because my internal pypi server redirects me to `pypi.org` if a package is missing.
`source =` should restrict the dep to only that repository -- if we're doing otherwise, that's a bug.
It's difficult for me to assert this, because my private pypi is set to redirect to `pypi.org` on missing packages.

Since this closely touches security, there really should be a unit test that asserts it.
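As an added example (not part of this PR, the thread, or the Poetry project's code), the following Python script reads a `pyproject.toml` and reports which dependencies would be looked up on more than one index under the behaviour the docs quoted above describe: a dependency with an explicit `source` is pinned to that index, while every other dependency is searched on all configured sources plus PyPI, unless one source is marked `default` and so replaces PyPI. That is the exposure a maintainer would want to see before relying on `source =` as a restriction. The `[[tool.poetry.source]]` layout with `name`/`url`/`default`/`secondary` keys and the per-dependency `source` key are assumed from the Poetry 1.x configuration format; the sample `pyproject.toml` is constructed for this example, and `tomllib` requires Python 3.11 or later (`tomli` is used as a fallback).

```python
"""Report which Poetry dependencies can be served by more than one index.

Assumptions (not taken from the PR): Poetry 1.x pyproject layout, i.e.
[[tool.poetry.source]] entries with name/url and optional default/secondary
flags, and per-dependency inline tables that may carry a `source` key.
"""
try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover - fallback for older interpreters
    import tomli as tomllib  # type: ignore

# Constructed sample pyproject.toml for this example (not a real project).
SAMPLE_PYPROJECT = """
[tool.poetry]
name = "demo"
version = "0.1.0"

[[tool.poetry.source]]
name = "internal"
url = "https://pypi.internal.example/simple/"
secondary = true

[tool.poetry.dependencies]
python = "^3.8"
requests = "^2.28"
internal-utils = { version = "^1.0", source = "internal" }
shared-lib = "^3.1"
"""

PYPI_NAME = "PyPI"  # label for the implicit public index


def configured_sources(project: dict) -> list:
    """Return the [[tool.poetry.source]] entries, or [] when none are set."""
    return project.get("tool", {}).get("poetry", {}).get("source", [])


def index_exposure(pyproject_text: str) -> dict:
    """Map each dependency name to the list of index names that may serve it.

    Rules mirror the docs text quoted in the thread: an explicit `source`
    pins the dependency to that one index; any other dependency is looked up
    on every configured source, plus PyPI unless some source is `default`.
    """
    project = tomllib.loads(pyproject_text)
    sources = configured_sources(project)
    names = [s["name"] for s in sources]
    has_default = any(s.get("default", False) for s in sources)
    all_indexes = names if has_default else names + [PYPI_NAME]

    deps = project["tool"]["poetry"].get("dependencies", {})
    exposure = {}
    for dep, spec in deps.items():
        if dep == "python":  # interpreter constraint, not a package
            continue
        if isinstance(spec, dict) and "source" in spec:
            if spec["source"] not in names:
                # A typo here silently falls back to the broad search in
                # some tooling; treat it as a hard error instead.
                raise ValueError(f"{dep}: unknown source {spec['source']!r}")
            exposure[dep] = [spec["source"]]
        else:
            exposure[dep] = list(all_indexes)
    return exposure


def multi_index_dependencies(pyproject_text: str) -> list:
    """Sorted names of dependencies that would be searched on several indexes."""
    exposure = index_exposure(pyproject_text)
    return sorted(dep for dep, idx in exposure.items() if len(idx) > 1)


if __name__ == "__main__":
    for dep, indexes in index_exposure(SAMPLE_PYPROJECT).items():
        print(f"{dep:15} -> {', '.join(indexes)}")
    print("searched on more than one index:", multi_index_dependencies(SAMPLE_PYPROJECT))
```

Running it on the constructed sample lists `internal-utils` as pinned to `internal` and `requests` and `shared-lib` as reachable from both `internal` and PyPI; switching the source to `default = true` empties the multi-index list, because PyPI is then no longer consulted.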
Co-authored-by: Arun Babu Neelicattu <[email protected]>
Co-authored-by: Bjorn Neergaard <[email protected]>
Pull Request Check List
Resolves: some discussion in #3855