poetry not respecting index-url in pip.conf

[thehesiod]

• I am on the latest Poetry version.

• I have searched the issues of this repo and believe that this is not a duplicate.

• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

• OS version and name:OSX 10.15.1

• Poetry version: 1.0.0b0

Issue

we have a pip.conf file like the following:

[global]
timeout = 20
index-url = https://pypi.fbn.org/simple

if you run pip install numpy, you're restricted to the versions on our server as expected:

Looking in indexes: https://pypi.fbn.org/simple
Collecting numpy
  Downloading https://repo-fbn-org.s3.amazonaws.com/pypi/2a3e/numpy/numpy-1.16.5....

running the same command from poetry:

poetry add numpy
Using version ^1.17.3 for numpy

so its going out to pypi.org instead of our repo.

[finswimmer]

Hello,

you have to tell poetry to use your private repo: See https://poetry.eustace.io/docs/repositories/

[thehesiod]

poetry can use our private repo, but it want it to ONLY pull from our private repo

[rgmz]

poetry can use our private repo, but it want it to ONLY pull from our private repo

👍 – this is a common pattern for enterprises.

e.g. I do not have access to pypi.org, and requests to it hang indefinitley.

[sdispater]

If you use the latest 1.0.0 prerelease, you can tell Poetry to only use a private index, see #908 and https://github.com/sdispater/poetry/blob/master/docs/docs/repositories.md#disabling-the-pypi-repository

[thehesiod]

ooo, will try!

[thehesiod]

seems to work, however I'm guessing it should still obey pip.conf long term no?

[sdispater]

@thehesiod The fact that Poetry is using pip internally is an implementation detail and, as such, it only understands its own configuration files. So it's unlikely that Poetry will ever use the pip.conf file.

[jhbuhrman]

@thehesiod The fact that Poetry is using pip internally is an implementation detail and, as such, it only understands its own configuration files. So it's unlikely that Poetry will ever use the pip.conf file.

@sdispater The problem is that in using pip, poetry implicitly does make use of the pip config (for example during poetry install, IIRC), but during poetry add, it does not. This on itself seems inconsistent to me... (this is all from memory, I checked it a few months ago)

In order to get rid of that inconsistency, and you still want to (or have to) use pip, I think you should instruct pip to fully ignore whatever config is present and let it get its config provided by poetry (if that is possible at all).

But then it becomes even more important that a user can configure poetry on per-user basis and/or system-wide for the nexus-like index url and trusted host setting, ref. #1632 and #1070.

[RoelantStegmann]

Agree that we would need a systemwide setting so we prevent some information to reside on our repositories...

[feisuzhu]

@thehesiod The fact that Poetry is using pip internally is an implementation detail and, as such, it only understands its own configuration files. So it's unlikely that Poetry will ever use the pip.conf file.

IMHO, 'pip is an implementation detail' is orthogonal to 'we should try to parse pip.conf', even if we end up not using any parts of pip, respecting pip.conf is still a thing worth to consider.

[TiansuYu]

Have a company wide pip.conf setting is very common for enterprises. This config file serves not only for pip, pipx and many other tools as well. This has nothing to do with "pip as an implementation detail" (I have heard that too many times, as an excuse to not connect A with B, instead, an design way too complicated.)

This also resolves a lot of manual overhead for setting repos for each project. As most of the time, I would expect my machine access and only access repoX and repoY. And setting pip.conf would be suffice once and for all. If I want an escape for a project, then these project specific Poetry repo settings could kick in.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.