Description
What's the problem this feature will solve?
The docs at https://pip.pypa.io/en/stable/topics/secure-installs/ do not describe how to avoid dependency confusion attacks that can arise when using --extra-index-url (as described in #8606).
Describe the solution you'd like
The docs at https://pip.pypa.io/en/stable/topics/secure-installs/ should describe how to avoid dependency confusion attacks (e.g., don't use --extra-index-url; use --index-url instead, or --find-links combined with --no-index).
Alternative Solutions
One alternative is to resolve #8606 or deprecate/remove --extra-index-url instead. Without stating an opinion on whether either of those should happen, I think we should document this in the short term regardless.
Additional context
#11694 is related, but is about adding this to the --extra-index-url docs instead. IMO, we should do both (likely link to one from the other).
Happy to work on this if it's agreed this is worthwhile!
Code of Conduct
- I agree to follow the PSF Code of Conduct.
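The following is an added example (not part of the issue or of pip itself) that checks the index-related options in a requirements file or a pip.conf for the exposure described above. It parses `--index-url`, `--extra-index-url`, `--find-links` and `--no-index` and flags the combinations the issue calls out: any `--extra-index-url`, or `--find-links` against the default public index without `--no-index`. The host `pypi.internal.example` and the sample file contents are constructed for the example.

```python
"""Check pip option sources for dependency-confusion exposure (added example)."""
import configparser
import shlex
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IndexPolicy:
    index_url: Optional[str] = None  # None means pip's default index (PyPI)
    extra_index_urls: List[str] = field(default_factory=list)
    find_links: List[str] = field(default_factory=list)
    no_index: bool = False


def parse_requirements_options(text: str) -> IndexPolicy:
    """Collect index options from the option lines of a requirements file."""
    policy = IndexPolicy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-"):
            continue  # a requirement specifier, not an option line
        tokens = shlex.split(line)
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "--no-index":
                name, value, step = tok, None, 1
            elif tok.startswith("--") and "=" in tok:  # --opt=value form
                name, value = tok.split("=", 1)
                step = 1
            else:  # --opt value / -o value form
                name = tok
                value = tokens[i + 1] if i + 1 < len(tokens) else None
                step = 2
            i += step
            if name in ("-i", "--index-url"):
                policy.index_url = value
            elif name == "--extra-index-url" and value:
                policy.extra_index_urls.append(value)
            elif name in ("-f", "--find-links") and value:
                policy.find_links.append(value)
            elif name == "--no-index":
                policy.no_index = True
    return policy


def parse_pip_conf(text: str) -> IndexPolicy:
    """Collect the same options from pip.conf text ([global] and [install])."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    policy = IndexPolicy()
    for section in ("global", "install"):
        if not cp.has_section(section):
            continue
        s = cp[section]
        if "index-url" in s:
            policy.index_url = s["index-url"].strip()
        if "extra-index-url" in s:
            policy.extra_index_urls += s["extra-index-url"].split()
        if "find-links" in s:
            policy.find_links += s["find-links"].split()
        if "no-index" in s:
            policy.no_index = s["no-index"].strip().lower() in ("1", "true", "yes", "on")
    return policy


def assess(policy: IndexPolicy) -> List[str]:
    """Return findings; an empty list means this check found no exposure."""
    findings = []
    if policy.extra_index_urls:
        findings.append(
            "extra-index-url (%s): pip also searches the primary index for every "
            "name, so a public package carrying an internal package's name can win"
            % ", ".join(policy.extra_index_urls))
    if policy.find_links and not policy.no_index and policy.index_url is None:
        findings.append(
            "find-links without no-index: the default public index is still "
            "consulted alongside the local files")
    return findings


# Constructed sample inputs (pypi.internal.example is a placeholder host).
WEAK_REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
internal-tool==1.4.0
"""
HARDENED_REQUIREMENTS = """\
--index-url https://pypi.internal.example/simple
internal-tool==1.4.0
"""
OFFLINE_REQUIREMENTS = """\
--no-index
--find-links ./wheelhouse
internal-tool==1.4.0
"""
WEAK_PIP_CONF = "[global]\nextra-index-url = https://pypi.internal.example/simple\n"
HARDENED_PIP_CONF = "[global]\nindex-url = https://pypi.internal.example/simple\n"

if __name__ == "__main__":
    for label, policy in (("weak requirements", parse_requirements_options(WEAK_REQUIREMENTS)),
                          ("hardened requirements", parse_requirements_options(HARDENED_REQUIREMENTS)),
                          ("offline requirements", parse_requirements_options(OFFLINE_REQUIREMENTS)),
                          ("weak pip.conf", parse_pip_conf(WEAK_PIP_CONF)),
                          ("hardened pip.conf", parse_pip_conf(HARDENED_PIP_CONF))):
        print(label, "->", assess(policy) or "no exposure found")
```

The check treats a single `--index-url` as safe; whether it actually is depends on that private index not itself falling through to public PyPI for names it does not host, which this script cannot see.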