On 24 April 2017 at 17:10, Nick Coghlan wrote:
> On 22 April 2017 at 21:05, Donald Stufft wrote:
>> I think the biggest barrier to doing it in pip is simply the UX of it. We’re
>> currently constrained by the fact that *all* of our options are available as
On 22 April 2017 at 21:05, Donald Stufft wrote:
> I think the biggest barrier to doing it in pip is simply the UX of it. We’re
> currently constrained by the fact that *all* of our options are available as
> CLI flags, environment variables, and of course, a config file. This
> On Apr 22, 2017, at 3:13 AM, Nick Coghlan wrote:
>
> Nobody has been motivated to implement that capability for the
> Python-specific tooling so far, as it competes against two
> alternatives that will often make more architectural sense:
>
> - automated build pipelines
On 22 April 2017 at 06:25, Wayne Werner wrote:
> On Fri, 21 Apr 2017, Jannis Gebauer wrote:
>
>> They could, of course, fix this very easily by running their own PyPi
>> mirrors.
>
>
> And now they have two problems.
>
>
> On the one hand, I agree that there is a potential
On Fri, 21 Apr 2017, Jannis Gebauer wrote:
> They could, of course, fix this very easily by running their own PyPi mirrors.

And now they have two problems.

On the one hand, I agree that there is a potential for some abuse and
vulnerabilities... but I think that I'd argue that if you're in a
I did some research on commercial private package indexes, namely Gemfury and
packagecloud.
Both of them recommend using `--extra-index-url` as a parameter to point to
their own index servers hosting the private package. This is blatantly insecure.
Using `--extra-index-url` tells pip to use