pip to chose packages from a private index over PyPi even on name conflicts?

Question

I have set up a devpi server to host my own Python modules. I would like to use pip to install them and for pip to install in preference my modules, not those in PyPi.

So far, I have this:

[global]
timeout = 60
index-url = http://devpi.example.org/root/public/+simple/
trusted-host = devpi.example.org
extra-index-url = http://devpi.example.org/root/pypi/+simple/

Which works fine as long as there is no name conflict. If there is, the highest version wins which is not what I want.

I really do not wish to register empty projects on PyPi just to have the names reserved.

Is there any way to get what I want?

You should delegate package resolution to `devpi`: use a single index that inherits from `root/pypi`. `devpi` will then install packages from PyPI if they are not found on local index, acting like a PyPI proxy. However, if the package is provided by your local index, `devpi` will use it regardless of what version is available on PyPI. This is the protection against package spoofing and is turned on by default. — hoefling, Jan 10 '19 at 17:48

score 3 · Accepted Answer · answered Jan 11 '19 at 10:22

Modified my ~/.config/pip/pip.conf like so:

[global]
timeout = 60
trusted-host = devpi.example.org
index-url = http://devpi.example.org/root/public/+simple/

and made sure that the /root/public inherited from /root/pypi like so:

devpi use http://devpi.example.org/
devpi use http://devpi.example.org/root/public --set-cfg
devpi login root --password="MyS3kre7Pwd"
devpi index /root/public bases=root/pypi  # ← vital command.

Running:

devpi list mead --all

gives me what I wanted:

http://devpi.example.org/root/public/+f/d12/59ed3e5cf01ca/mead-0.4.0.dev1.tar.gz
http://devpi.example.org/root/public/+f/046/0f3dee895eb46/mead-0.4.0.dev0.tar.gz
http://devpi.example.org/root/pypi/+f/978/98e728d01b4d3/mead-0.0.11.tar.gz    
http://devpi.example.org/root/pypi/+f/45d/b104905aeabc2/mead-0.0.10.tar.gz    
http://devpi.example.org/root/pypi/+f/da0/c1b3bf979ca6a/mead-0.0.9.tar.gz     
http://devpi.example.org/root/pypi/+f/49c/770889ecd3c7a/mead-0.0.8.tar.gz     
http://devpi.example.org/root/pypi/+f/12d/10190b47367e8/mead-0.0.7.tar.gz     
http://devpi.example.org/root/pypi/+f/34a/6dd6cd6c52c67/mead-0.0.6.tar.gz     
http://devpi.example.org/root/pypi/+f/ba8/0cd76854e2253/mead-0.0.5.tar.gz     
http://devpi.example.org/root/pypi/+f/1d7/6c5dd5229333b/mead-0.0.4.tar.gz     
http://devpi.example.org/root/pypi/+f/47d/208d9cba5ea4e/mead-0.0.3.tar.gz     
http://devpi.example.org/root/pypi/+f/20a/e16978e840e38/mead-0.0.2.tar.gz

Nice, this is exactly what I meant with _use a single index that inherits from `root/pypi`_. Now packages not found on `root/public` will be pulled from PyPI and packages on PyPI will be ignored if you have registered a single package version on the local index. — hoefling, Jan 11 '19 at 10:44
@hoefling Thank you for your comment and time to read my ramblings. — Sardathrion - against SE abuse, Jan 11 '19 at 11:42

pip to chose packages from a private index over PyPi even on name conflicts?

1 Answers1