PIP_EXTRA_INDEX_URL not used. Multiple artifacts feeds not parsed correctly. #1688
Comments
FYI, for any use case other than a mirror, pip extra index url is inherently insecure: as pip does not guarantee ordering of which index URL it will read first, an attacker can place a package on the other index with the same name as your internal package. This isn't theoretical; malicious packages were uploaded to PyPI that mirrored the names of packages on the PyTorch index. The attempt to solve this is PEP 708, but it hasn't been implemented by PyPI yet. But I would strongly advise no one use extra index url with pip unless they very specifically are hosting multiple index mirrors. For uv see related discussion here: #171
FYI pip index url and pip extra index url are two different features of pip, the latter allowing you to query multiple indexes (and, as I've said, is inherently insecure). You seem to have linked to the former and this request is about the latter.
@notatallshaw - Ah sorry, I just consider it "the same" underlying issue, since if we add support for
Thanks @charliermarsh. I don't think the two mentioned existing issues cover the "Issue with multiple artifacts feeds". Would you consider reopening if you agree? Thanks.
I can open an issue to track that — although I think the solution here is to pass
My team uses a `PIP_EXTRA_INDEX_URL` environment variable to point to multiple Azure Artifacts feeds. If I try to use `uv`, the `PIP_EXTRA_INDEX_URL` variable seems not to be used and `--extra-index-url` does not work with a space separated list of artifact feeds.

Reproduce Basic Issue

```
export PIP_EXTRA_INDEX_URL=https://USER:PASSWORD@pkgs.dev.azure.com/ORGANISATION/_packaging/FEED%40Local/pypi/simple/
uv pip install CUSTOM_PACKAGE
```

```
× No solution found when resolving dependencies:
╰─▶ Because CUSTOM_PACKAGE was not found in the package registry and you require CUSTOM_PACKAGE, we can conclude that the requirements are unsatisfiable.
```

If I run `pip install CUSTOM_PACKAGE` I get it installed.

Issue with `--extra-index-url`

If I try `uv pip install CUSTOM_PACKAGE --extra-index-url=$PIP_EXTRA_INDEX_URL` I get

```
error: Failed to download: CUSTOM_PACKAGE==0.1.1110624
  Caused by: HTTP status client error (405 Method Not Allowed) for url (https://pkgs.dev.azure.com/ORGANISATION/_packaging/SOME_ID@ANOTHER_ID/pypi/download/CUSTOM_PACKAGE/0.1.1110624/CUSTOM_PACKAGE-0.1.1110624-py3-none-any.whl#sha256=SOME_SHA256_CODE)
```

This is the same issue as #1371.

Issue with multiple artifacts feeds

In practice we use multiple Azure Artifacts feeds. We set `PIP_EXTRA_INDEX_URL` to a space separated list of the URLs. The `PIP_EXTRA_INDEX_URL` is again not taken into account:

```
uv pip install CUSTOM_PACKAGE
× No solution found when resolving dependencies:
╰─▶ Because CUSTOM_PACKAGE was not found in the package registry and you require CUSTOM_PACKAGE, we can conclude that the requirements are unsatisfiable.
```

If I try to work around it using `--extra-index-url` I see

Thus `uv` does not handle multiple feeds correctly. Using `pip` works:

```
pip install CUSTOM_PACKAGE --extra-index-url="$PIP_EXTRA_INDEX_URL"
...
Successfully installed CUSTOM_PACKAGE-0.1.1110624
```
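As an added example that is not part of this issue, of uv, or of pip, the following Python script puts the two points raised on this page together: how a space separated `PIP_EXTRA_INDEX_URL` is split into several index URLs (pip splits multi-valued environment options on whitespace), and why a package name that is served both by a private feed and by the public index is exposed to the name-collision problem described in the comments, since pip treats `--index-url` and every `--extra-index-url` as one candidate pool with no guaranteed preference. The index URLs, the simple-index listings and the package names are constructed, and `split_extra_index_urls`, `redact_url`, `audit_indexes` and `exposed_packages` are hypothetical helpers, not pip or uv APIs.

```python
"""Audit a pip-style index configuration for name-collision exposure.

Added example for this issue; not code from uv or pip. The helper names and
the index URLs, listings and package names below are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit


def split_extra_index_urls(value: str) -> list[str]:
    """Split PIP_EXTRA_INDEX_URL the way pip splits multi-valued env options:
    on any whitespace, so spaces and newlines both separate index URLs."""
    return value.split()


def redact_url(url: str) -> str:
    """Mask an embedded password (https://user:secret@host/...) so the URL is
    safe to print in a report or a log line."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username or ''}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def normalize(name: str) -> str:
    """PEP 503 project-name normalisation: lowercase, runs of -_. become -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_simple_index(html: str) -> set[str]:
    """Project names from a PEP 503 simple-index root page (one <a> per project)."""
    return {normalize(n) for n in re.findall(r"<a[^>]*>([^<]+)</a>", html)}


def audit_indexes(index_url, extra_index_value, listings, internal_packages):
    """Map each internal package (normalised) to the redacted index URLs that
    serve that name. pip merges --index-url and every --extra-index-url into one
    candidate pool with no guaranteed preference, so a name served by more than
    one index can be satisfied from the public copy instead of the private one."""
    indexes = [index_url, *split_extra_index_urls(extra_index_value)]
    served = {url: parse_simple_index(listings.get(url, "")) for url in indexes}
    return {
        normalize(pkg): [redact_url(url) for url in indexes if normalize(pkg) in served[url]]
        for pkg in internal_packages
    }


def exposed_packages(report):
    """Names that more than one index serves: the collision exposure to fix
    (reserve the name publicly, or stop using --extra-index-url for it)."""
    return sorted(name for name, urls in report.items() if len(urls) > 1)


# Constructed inputs (not real feeds): one public index plus two private feeds,
# passed the way the issue does it, as one space separated PIP_EXTRA_INDEX_URL.
PUBLIC_INDEX = "https://pypi.org/simple"
FEED_A = "https://USER:PAT@pkgs.example.invalid/ORG/_packaging/FeedA/pypi/simple/"
FEED_B = "https://USER:PAT@pkgs.example.invalid/ORG/_packaging/FeedB/pypi/simple/"
EXTRA_INDEX_VALUE = f"{FEED_A} {FEED_B}"

# Constructed simple-index root pages; "custom-package" on the public index
# stands in for a look-alike upload of the private package name.
LISTINGS = {
    PUBLIC_INDEX: '<a href="/simple/requests/">requests</a>\n'
                  '<a href="/simple/custom-package/">custom-package</a>',
    FEED_A: '<a href="CUSTOM_PACKAGE/">CUSTOM_PACKAGE</a>',
    FEED_B: '<a href="other_internal/">other_internal</a>',
}
INTERNAL_PACKAGES = ["CUSTOM_PACKAGE", "other_internal"]

if __name__ == "__main__":
    report = audit_indexes(PUBLIC_INDEX, EXTRA_INDEX_VALUE, LISTINGS, INTERNAL_PACKAGES)
    for name, urls in report.items():
        print(name, "->", urls)
    print("exposed:", exposed_packages(report))
```

Run against real feeds, the `LISTINGS` dictionary would be replaced by fetching each index's simple root page with the feed credentials; the offline version keeps the logic identical so the output is predictable. Note that the password is stripped before any URL reaches the report, since a `PIP_EXTRA_INDEX_URL` value usually carries a token in its netloc, as the URL in the issue does.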