I want to add a package to my requirements.txt that would correspond to the command line
pip3 install foo --index-url https://foo.com/bar/baz
I appended
--index-url https://foo.com/bar/baz
foo
to the end of requirements.txt in the hope that the index-url option will affect only things that come after it. It seems to work (at least as long as I am on the VPN from which foo.com is visible).
Is this the right approach? Thanks.
Use the extra-index-url option to tell pip where your alternate package index lives. If your package index doesn't support SSL, you can suppress warnings by identifying it as a trusted-host. The example below assumes the name of your server is pypi.mydomain.com and you're running on non-standard port 8080.
The arguments in requirements.txt are applied to all packages; the command
$ pip install -r requirements.txt
with requirements.txt being
foo
bar>1
baz==2
--flag
is effectively the same as running
$ pip install "foo" "bar>1" "baz==2" --flag
If you want to download only a selection of dependencies from your private index, use --extra-index-url instead of --index-url. This will instruct pip to download packages from PyPI if available, and resort to your private index otherwise (multiple --extra-index-urls are supported, too).
To handle the vice versa - download from private index if available, fall back to PyPI - set your private index as primary, PyPI as extra index:
--index-url=https://my.index/ --extra-index-url=https://pypi.org/simple
If you have other use cases, for example protection against package spoofing, this can't be effectively solved with pip. There are, however, index servers like devpi that can proxy download requests to PyPI and offer spoofing protection out of the box.
Edit: @Geordie explained package spoofing in his comment well.
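As an added example (not code from either answer or from pip), this sketch reads a requirements file, shows the single pip command it amounts to, and reports the index settings worth reviewing when a private index is mixed with PyPI. The names audit and equivalent_command and the SAMPLE file are made up for illustration, and the option parsing is simplified (no line continuations).

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed sample: the question's layout plus the options the answers mention.
SAMPLE = """\
requests==2.31.0   # expected from PyPI
--index-url https://foo.com/bar/baz
--extra-index-url=http://pypi.mydomain.com:8080/simple
--trusted-host pypi.mydomain.com
foo
"""

OPTION = re.compile(r"(-{1,2}[\w-]+)(?:[=\s]\s*(.*))?$")
URL_OPTS = {"--index-url", "--extra-index-url"}


def audit(text):
    """Return (requirements, option lines, findings) for a requirements file."""
    reqs, opts, findings = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s+)#.*$", "", raw).strip()  # drop comments
        if not line:
            continue
        match = OPTION.match(line) if line.startswith("-") else None
        if match is None:
            reqs.append(line)
            continue
        name = {"-i": "--index-url"}.get(match.group(1), match.group(1))
        value = (match.group(2) or "").strip()
        opts.append((name, value))
        if name in URL_OPTS and reqs:
            findings.append(f"line {lineno}: {name} also applies to the "
                            f"{len(reqs)} requirement(s) listed above it")
        if name in URL_OPTS and urlparse(value).scheme == "http":
            findings.append(f"line {lineno}: index reached over plain HTTP")
        if name == "--trusted-host":
            findings.append(f"line {lineno}: HTTPS checks waived for {value}")
    if sum(name in URL_OPTS for name, _ in opts) > 1:
        findings.append("several indexes configured: pip may take any name from any of them")
    return reqs, opts, findings


def equivalent_command(reqs, opts):
    """The single pip invocation the file amounts to: options are not positional."""
    flags = [part for name, value in opts for part in (name, value) if part]
    return shlex.join(["pip", "install", *reqs, *flags])


if __name__ == "__main__":
    reqs, opts, findings = audit(SAMPLE)
    print(equivalent_command(reqs, opts))
    print("\n".join(findings))
```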