Description
As there is subtlety in the use of `--extra-index-url` in general, which is self-evident in the need to describe (upload-nightly-action/README.md, lines 35 to 36 in 80af44f):

> Note that second `-i` parameter will take priority, it needs to come second if
> you want to pull from nightly otherwise it will pull from PyPI.

it is perhaps more clear to users what is happening if the package index with the nightly release is set as `--index-url` and https://pypi.org/ is set as `--extra-index-url`.
As an explicit example, consider

```shell
python -m pip install \
    --index-url https://pypi.anaconda.org/scipy-wheels-nightly/simple \
    --extra-index-url https://pypi.org/simple \
    --upgrade \
    --pre \
    matplotlib
```

in the following:
```
$ docker run --rm -ti python:3.11 /bin/bash
root@f1656f46567f:/# python -m venv venv && . venv/bin/activate
(venv) root@f1656f46567f:/# python -m pip --quiet install --upgrade pip setuptools wheel
(venv) root@f1656f46567f:/# python -m pip install \
    --index-url https://pypi.anaconda.org/scipy-wheels-nightly/simple \
    --extra-index-url https://pypi.org/simple \
    --upgrade \
    --pre \
    matplotlib
Looking in indexes: https://pypi.anaconda.org/scipy-wheels-nightly/simple, https://pypi.org/simple
Collecting matplotlib
  Downloading https://pypi.anaconda.org/scipy-wheels-nightly/simple/matplotlib/3.8.0.dev1132%2Bg39cdf5d9ba/matplotlib-3.8.0.dev1132%2Bg39cdf5d9ba-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (11.6 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 11.6/11.6 MB 11.4 MB/s eta 0:00:00
Collecting contourpy>=1.0.1 (from matplotlib)
  Downloading contourpy-1.0.7-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (299 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 300.0/300.0 kB 6.7 MB/s eta 0:00:00
Collecting cycler>=0.10 (from matplotlib)
  Downloading cycler-0.11.0-py3-none-any.whl (6.4 kB)
Collecting fonttools>=4.22.0 (from matplotlib)
  Downloading fonttools-4.39.4-py3-none-any.whl (1.0 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.0/1.0 MB 10.4 MB/s eta 0:00:00
Collecting kiwisolver>=1.0.1 (from matplotlib)
  Downloading kiwisolver-1.4.4-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (1.4 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.4/1.4 MB 10.8 MB/s eta 0:00:00
Collecting numpy>=1.21 (from matplotlib)
  Downloading https://pypi.anaconda.org/scipy-wheels-nightly/simple/numpy/1.25.0.dev0%2B1465.g126b46c7a/numpy-1.25.0.dev0%2B1465.g126b46c7a-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (17.6 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 17.6/17.6 MB 11.2 MB/s eta 0:00:00
Collecting packaging>=20.0 (from matplotlib)
  Downloading packaging-23.1-py3-none-any.whl (48 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 48.9/48.9 kB 23.1 MB/s eta 0:00:00
Collecting pillow>=6.2.0 (from matplotlib)
  Downloading Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl (3.4 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.4/3.4 MB 11.2 MB/s eta 0:00:00
Collecting pyparsing>=2.3.1 (from matplotlib)
  Downloading pyparsing-3.1.0b2-py3-none-any.whl (102 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 102.6/102.6 kB 13.5 MB/s eta 0:00:00
Collecting python-dateutil>=2.7 (from matplotlib)
  Downloading python_dateutil-2.8.2-py2.py3-none-any.whl (247 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 247.7/247.7 kB 11.6 MB/s eta 0:00:00
Collecting six>=1.5 (from python-dateutil>=2.7->matplotlib)
  Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Installing collected packages: six, pyparsing, pillow, packaging, numpy, kiwisolver, fonttools, cycler, python-dateutil, contourpy, matplotlib
Successfully installed contourpy-1.0.7 cycler-0.11.0 fonttools-4.39.4 kiwisolver-1.4.4 matplotlib-3.8.0.dev1132+g39cdf5d9ba numpy-1.25.0.dev0+1465.g126b46c7a packaging-23.1 pillow-9.5.0 pyparsing-3.1.0b2 python-dateutil-2.8.2 six-1.16.0
(venv) root@f1656f46567f:/# python -m pip list
Package         Version
--------------- ---------------------------
contourpy       1.0.7
cycler          0.11.0
fonttools       4.39.4
kiwisolver      1.4.4
matplotlib      3.8.0.dev1132+g39cdf5d9ba
numpy           1.25.0.dev0+1465.g126b46c7a
packaging       23.1
Pillow          9.5.0
pip             23.1.2
pyparsing       3.1.0b2
python-dateutil 2.8.2
setuptools      67.8.0
six             1.16.0
wheel           0.40.0
(venv) root@f1656f46567f:/#
```

To be totally clear, this in most cases has the exact same effect as if
```shell
python -m pip install \
    --extra-index-url https://pypi.anaconda.org/scipy-wheels-nightly/simple \
    --upgrade \
    --pre \
    matplotlib
```

had been used, and the security benefits of doing this that would have safeguarded PyTorch from being namesquatted on PyPI in 2022 don't really come into play here, as it is (reasonably) assumed the maintainers who are using these nightly package indexes own and control the package namespaces on both https://pypi.org and https://pypi.anaconda.org/scientific-python-nightly-wheels/. However, I would argue that just seeing this kind of pattern out in the world more is a best practice for safeguarding people, and for that reason alone it would be good to adopt.
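As an added example (not part of this issue or of the upload-nightly-action project), a stdlib-only check that reads the JSON written by `pip install --dry-run --report -` (pip 23.0 and later) and confirms that each resolved package was fetched from the index it was expected to come from, which is the piece of evidence that matters whichever way `--index-url` and `--extra-index-url` are assigned. The host allow-list, the expected-nightly package set and the two sample reports (with shortened wheel URLs) are constructed for this example.

```python
import json
from urllib.parse import urlparse

# Allow-list of hosts that legitimately serve files for each index (constructed
# for this example; pypi.org's simple index hands out files from
# files.pythonhosted.org, so both hosts count as "PyPI").
NIGHTLY_HOSTS = {"pypi.anaconda.org"}
PYPI_HOSTS = {"files.pythonhosted.org", "pypi.org"}


def audit_report(report_json, nightly_packages=("matplotlib", "numpy")):
    """Check a `pip install --dry-run --report -` JSON document.

    Returns (origins, violations): origins maps package name -> (version, host);
    violations lists packages fetched from a host other than the one expected
    (nightly packages from the nightly index, everything else from PyPI).
    """
    report = json.loads(report_json)
    expect_nightly = {n.lower() for n in nightly_packages}
    origins, violations = {}, []
    for item in report["install"]:
        name = item["metadata"]["name"].lower()
        version = item["metadata"]["version"]
        host = urlparse(item["download_info"]["url"]).netloc.lower()
        origins[name] = (version, host)
        allowed = NIGHTLY_HOSTS if name in expect_nightly else PYPI_HOSTS
        if host not in allowed:
            violations.append((name, version, host))
    return origins, violations


def _entry(name, version, url):
    # Minimal shape of one `install` entry in pip's report (assumed from pip >= 23.0).
    return {"metadata": {"name": name, "version": version},
            "download_info": {"url": url}}


NIGHTLY = "https://pypi.anaconda.org/scipy-wheels-nightly/simple"
PYPI_FILES = "https://files.pythonhosted.org/packages/example"  # constructed path

# Constructed report mirroring the session above: nightly matplotlib and numpy,
# released contourpy from PyPI.
REPORT_OK = json.dumps({"version": "1", "install": [
    _entry("matplotlib", "3.8.0.dev1132+g39cdf5d9ba", f"{NIGHTLY}/matplotlib/mpl.whl"),
    _entry("numpy", "1.25.0.dev0+1465.g126b46c7a", f"{NIGHTLY}/numpy/numpy.whl"),
    _entry("contourpy", "1.0.7", f"{PYPI_FILES}/contourpy-1.0.7-py3-none-any.whl"),
]})

# Constructed report in which numpy was resolved from PyPI rather than the
# nightly index: the situation this audit is meant to surface.
REPORT_BAD = json.dumps({"version": "1", "install": [
    _entry("matplotlib", "3.8.0.dev1132+g39cdf5d9ba", f"{NIGHTLY}/matplotlib/mpl.whl"),
    _entry("numpy", "1.25.0", f"{PYPI_FILES}/numpy-1.25.0-py3-none-any.whl"),
]})
```

In practice the JSON is produced by appending `--dry-run --report -` to the install command from this issue and feeding pip's standard output to `audit_report`.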