astral-sh / uv

An extremely fast Python package and project manager, written in Rust.
https://docs.astral.sh/uv
Apache License 2.0

Private repository as a source #6421

Open NevoleMarek opened 1 month ago

NevoleMarek commented 1 month ago

Hi, I'd like to transition from poetry to uv. What I am missing is a way of using private repositories as a source for packages.

Poetry allows adding private repositories like so:

poetry source add --priority=supplemental foo https://pypi.example.org/simple/

and then installing a package from the repository like so:

poetry add --source foo private-package

Can this be sensibly done using uv?

I guess it could somehow be done via HTTP URLs but that seems a bit cumbersome.

charliermarsh commented 1 month ago

So, today, you would do something like this in your pyproject.toml:

[tool.uv]
extra-index-url = ["https://pypi.example.org/simple/"]

uv will then look in https://pypi.example.org/simple/ before looking in PyPI, and if a package exists on that index, it won't check PyPI at all.

We'll likely add a more granular index API in the future that looks more like what you get in Poetry, PDM, or Rye.

charliermarsh commented 1 month ago

If you want to replace PyPI entirely, you can do:

[tool.uv]
index-url = "https://pypi.example.org/simple/"

charliermarsh commented 1 month ago

Alternatively, you can define these globally in ~/.config/uv/uv.toml:

extra-index-url = ["https://pypi.example.org/simple/"]

NevoleMarek commented 1 month ago

Thanks for the response.

I guess the setting extra-index-url with index-strategy = "first-index" will do for now.

Looking forward to a more granular API in the future.

One thing I would like to prevent via the future API is dependency confusion attacks.

charliermarsh commented 1 month ago

Makes sense. Our default strategy is more resilient to such attacks than pip (since, if a package exists on your index, we won't even look at PyPI, even if a more recent version is available there), but we do want to add an API that allows for explicit package-to-index assignments.

rafalkrupinski commented 1 month ago

Regarding private source repository, is there a way to provide credentials?

NevoleMarek commented 1 month ago

The simplest way would be to add the private source repo as extra-index-url already with the credentials as follows:

[tool.uv]
extra-index-url = ["https://<username>:<password>@<index_url>"]

But as you can imagine, this is not the safest option. A more cumbersome but viable option is to specify the index and credentials with the uv add command and environment variables:

uv add package --extra-index-url https://${USERNAME}:${PASSWORD}@<index_url>

What I would like to see in the future is something similar to Poetry's way of doing this.

In addition to the simple addition of sources, they also provide the following way to add credentials to the sources:

poetry config http-basic.your_index <username> <password> find more here

There are other options that uv recommends for HTTP authentication, but they are not the simplest either, or maybe I am missing something.

rafalkrupinski commented 1 month ago

@NevoleMarek thanks, I'll check it out!

zanieb commented 1 month ago

See also:

rafalkrupinski commented 1 month ago

Actually I like the idea of using keyring and KWallet integration. Way better than storing passwords in open text.

yohann84L commented 2 weeks ago

Still no alternative to the poetry config http-basic.your_index <username> <password>?