Recommendation for private package index

[dimaqq]

Hi packaging team,

Our use case, which I think is relatively common:

• we write Python backend code (app)
• we write some libraries as needed, each in own git repo (github, gitlab, ...)
• some of these we publish, some remain private
• our app depends on mix of public and private libraries

An overview of what private pypi software is available would be most welcome on packaging.python.org or related web site. Likewise, recommendation on how to reference private packages in common formats (requirements.txt, setup.py, pipenv, poetry, ...). Same for a recommendation how to provide for machine logins during dev/build/prod. If there is a reliable SaaS pypi, I'd love to know about that too!

We use pypicloud and the experience is bad-but-workable.

For example, pipenv version resolution becomes very slow (enough to go get a coffee); while pip install -r requirements.txt is quite OK.

Because some of our packages are private, we have to order private pypi ahead of public pypi (lest someone namesquats our private package name in public pypi and we pull in a turd). This, in my current setup, has the effect of proxying all the public packages we've ever used (which could be a good thing is a public package or version is pulled).

[ncoghlan]

There's a basic guide here: https://packaging.python.org/guides/index-mirrors-and-caches/

However, it could stand to be expanded and improved, as it was mainly put together to hold the "Use devpi" recommendation, and doesn't consider all the alternatives that are available (including the multi-language ones like Artifactory)

[pradyunsg]

@ncoghlan I think we probably should probably try to improve discoverability of this information. Googling "python private package index" shows as 2nd result: https://packaging.python.org/guides/hosting-your-own-index/

I feel a more approachable name for the two guides, along with cross-linking between them would help the situation here.