
I have a private registry that stores SomePackage, which depends on other packages listed on PyPI. I would like to install SomePackage with all its dependencies using pip, but I came across a problem.

At first I used the --extra-index-url pip option to install SomePackage:

```
pip install --extra-index-url http://my.package.repo/simple SomePackage
```

But if SomePackage also exists on PyPI, pip will simply install the latest version amongst the indexes given (and not give any priority to my private registry). That seems like a risk to me and some others. So I was wondering if there could be a workaround to prevent the involuntary installation of SomePackage from PyPI.

I have an idea, but maybe that's a bad one (or maybe it doesn't work as I expect):

```
# Install the package from the private registry without its dependencies:
pip install --no-deps --index-url http://my.package.repo/simple SomePackage
# Then install only its dependencies:
pip install --extra-index-url http://my.package.repo/simple SomePackage
```

This would only work for SomePackage but all its dependencies from the private registry will not be "protected" by this approach. Any other/better idea?

cglacet
  • Does this answer your question? [Private Python package management](https://stackoverflow.com/questions/63320653/private-python-package-management) – sinoroc Aug 29 '20 at 08:47
  • You probably should start by making your private repository the main one, and _PyPI_ the extra one: `python -m pip install --index-url ${PRIVATE_REPO_URL} --extra-index-url ${PYPI_URL}`. And yeah if there are projects with the same name on both repositories, it gets difficult to predict for sure which one is gonna get installed. See my previous comment. – sinoroc Aug 29 '20 at 08:52
  • The linked question is indeed similar, but sadly no answer gives a viable solution yet. Even if the question's suggested idea isn't that bad (i.e., register a dummy version of `SomePackage` on PyPI to make sure nobody can usurp it). The advantage is that it's quite easy to automate, so I will do that while waiting for a clean solution. – cglacet Aug 29 '20 at 15:14
  • Best solution is to have and curate your own mirror (using _devpi_ for example). – sinoroc Aug 29 '20 at 21:15

0 Answers
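
An added example, not part of the original question or comments: a small offline model of the selection behaviour described in the question (candidates from every configured index are merged and the highest version wins), used to report which private projects would be served from another index. The index listings are constructed sample data, the helper names are hypothetical, and version ordering is simplified to plain numeric releases.

```python
import re

def normalize(name):
    """PEP 503 normalization: Some.Package and some-package are one project."""
    return re.sub(r"[-_.]+", "-", name).lower()

def version_key(version):
    """Simplified ordering for plain numeric releases such as 1.2.3."""
    return tuple(int(part) for part in version.split("."))

def pick(project, indexes):
    """Merge candidates from all indexes and take the highest version.
    Returns (version, index_url), or None if no index has the project.
    Ties go to the index listed first (an assumption of this sketch)."""
    wanted = normalize(project)
    candidates = [
        (version_key(v), v, url)
        for url, listing in indexes.items()
        for name, versions in listing.items() if normalize(name) == wanted
        for v in versions
    ]
    if not candidates:
        return None
    _, version, url = max(candidates, key=lambda c: c[0])
    return version, url

def shadowed(private_url, indexes):
    """Private projects whose winning candidate comes from another index."""
    report = {}
    for name in indexes[private_url]:
        version, url = pick(name, indexes)
        if url != private_url:
            report[name] = (version, url)
    return report

# Constructed sample listings (not real index contents).
PRIVATE = "http://my.package.repo/simple"
PUBLIC = "https://pypi.org/simple"
INDEXES = {
    PRIVATE: {"SomePackage": ["1.0.0", "1.2.0"], "internal-utils": ["0.3.1"]},
    PUBLIC: {"somepackage": ["9.9.9"], "requests": ["2.31.0"]},
}

if __name__ == "__main__":
    print(shadowed(PRIVATE, INDEXES))                      # both indexes consulted
    print(shadowed(PRIVATE, {PRIVATE: INDEXES[PRIVATE]}))  # private index only
```

With both indexes configured the report flags `SomePackage`; with a single index, as in the curated-mirror suggestion from the comments, the report is empty.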