psf / fundable-packaging-improvements

Packaging improvements that could be funded

"pinning" packages to a source repository #50

Open vadave opened 2 years ago

vadave commented 2 years ago

Another possible "fundable": Many organizations maintain internal package repositories for libraries that are not publicly shared. This has led to "dependency confusion" attacks, where researchers or malicious actors register a package of the same name in the public (pypi) repository with a higher version number than what the organization publishes internally, causing the pip resolver to select that (malicious) package during package resolution.

While pip does offer other mechanisms to mitigate this attack (hashes and URL-based references being the two that come to mind), those mechanisms do have downsides (hashes still require trust-on-first-use, and URL-based references can be difficult to maintain for larger organizations operating multiple enclaves/private repositories). I'd love to see pip introduce a mechanism allowing users to specify specifically which repository to use for designated packages, vice the current mechanism of querying all configured repositories for the requested packages.
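The two resolver behaviours the issue contrasts, as an added Python example that is not part of the issue or of pip itself: the index contents, the private index URL and the `INDEX_PINS` mapping are constructed and hypothetical, and nothing is fetched from the network.

```python
from typing import Dict, List, Tuple

# Constructed sample of what each index's simple API would list for a project name.
# The private index URL and the package names are hypothetical.
INDEXES: Dict[str, Dict[str, List[str]]] = {
    "https://pypi.org/simple": {
        "acme-internal-utils": ["99.0.0"],        # look-alike registered on the public index
        "requests": ["2.31.0", "2.32.3"],
    },
    "https://pypi.acme.example/simple": {          # the organisation's private index
        "acme-internal-utils": ["1.4.2", "1.5.0"],
    },
}

# The mechanism the issue asks for: a package name is bound to exactly one index.
INDEX_PINS: Dict[str, str] = {"acme-internal-utils": "https://pypi.acme.example/simple"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Minimal numeric version parsing; enough for the constructed sample above."""
    return tuple(int(part) for part in v.split("."))


def best_candidate(name: str, index_urls: List[str]) -> Tuple[str, str]:
    """Pick the highest version of `name` among the given indexes; returns (version, index)."""
    candidates = [(parse_version(v), v, url)
                  for url in index_urls for v in INDEXES[url].get(name, [])]
    if not candidates:
        raise LookupError(f"{name} not found on {index_urls}")
    _, version, url = max(candidates)
    return version, url


def resolve_query_all(name: str) -> Tuple[str, str]:
    """Today's behaviour with --extra-index-url: every index is consulted and the
    highest version wins, so the public 99.0.0 look-alike shadows the private package."""
    return best_candidate(name, list(INDEXES))


def resolve_pinned(name: str) -> Tuple[str, str]:
    """Proposed behaviour: a pinned name is only ever looked up on its designated index."""
    allowed = [INDEX_PINS[name]] if name in INDEX_PINS else list(INDEXES)
    return best_candidate(name, allowed)


def audit_pins() -> List[str]:
    """Defender check: report pinned names that are also published on some other index,
    which is the precondition for a dependency-confusion attack."""
    return sorted(name for name, home in INDEX_PINS.items()
                  if any(name in INDEXES[url] for url in INDEXES if url != home))
```

Running `audit_pins()` against a real private index's listing and PyPI is the check an organisation would schedule regardless of whether pip gains the pinning feature.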