pip
index-url extra-index-url install priority order
This is totally related to #5045, but I can not comment on it.
For me this should be re-opened, because it's a security issue.
I provide the package xxx to the private repository my-company.com. Then I give installation instructions to collaborators, configure CI to install this package, etc.
The problem is if someone adds a package with the same name on pypi.org, then users and CI will get this package instead of mine, which is bad: and I want to be sure that the installation will not change.
It's not about naming the package: if I name my package my_company.xxx, a malicious user could choose the exact same name and publish it to pypi, letting my collaborators install a malware instead of my package.
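The comment above is about a configuration risk: pip gives `--index-url` and every `--extra-index-url` the same priority and picks the highest available version across all of them, so a private package name that also exists on the public index can be resolved from the wrong place. The following script is an added example, not code from the pip issue or the pip project: a small audit of pip configuration and requirements text that reports the settings which leave an install exposed to that behaviour, next to a hardened configuration that uses a single `index-url` plus hash checking. The `my-company.com` host comes from the comment; the idea that the private index proxies the public packages it is allowed to serve, and the sample file contents, are assumptions constructed for the example.

```python
"""
Added example (not part of the pip issue above): audit pip.conf-style text and
requirements text for settings that expose an install to index-priority
(dependency confusion) problems, and show a hardened configuration alongside.
"""
import configparser
import re

PUBLIC_INDEX = "pypi.org"

# Constructed sample: private index added via extra-index-url. pip treats it
# as equal in priority to index-url and picks the best version across both.
WEAK_PIP_CONF = """
[global]
index-url = https://pypi.org/simple
extra-index-url = https://my-company.com/simple
"""

# Constructed hardened variant: one index-url pointing at the private index
# (assumed to proxy the public packages it is allowed to serve, so nothing is
# resolved against pypi.org directly), and hash checking turned on for installs.
HARDENED_PIP_CONF = """
[global]
index-url = https://my-company.com/simple

[install]
require-hashes = true
"""

# Constructed requirements text: one pinned and hashed line (placeholder hash),
# one loose line naming the private package from the comment.
SAMPLE_REQUIREMENTS = """
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
xxx
"""

PIN_RE = re.compile(r"^\s*[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==")


def audit_pip_config(conf_text: str) -> list[str]:
    """Return a list of findings for pip configuration text (empty if clean)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    glob = cp["global"] if cp.has_section("global") else {}
    inst = cp["install"] if cp.has_section("install") else {}
    findings = []

    # pip's default index when index-url is not overridden is the public one.
    index_url = glob.get("index-url", "https://pypi.org/simple")
    extra = glob.get("extra-index-url", "").split()

    if extra:
        findings.append(
            f"extra-index-url adds {len(extra)} index(es) with the same priority "
            "as index-url; pip picks the highest version across all of them"
        )
    if PUBLIC_INDEX in index_url and extra:
        findings.append(
            "index-url is the public index while private packages come from "
            "extra-index-url; a same-named public package can win resolution"
        )
    if inst.get("require-hashes", "false").strip().lower() != "true":
        findings.append(
            "require-hashes is not enabled; installed artifacts are not checked "
            "against known hashes"
        )
    return findings


def audit_requirements(req_text: str) -> list[tuple[str, str]]:
    """Return (package, issue) pairs for requirement lines that are not pinned
    with == or carry no --hash= option."""
    issues = []
    for raw in req_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # comments and option lines such as --index-url
        name = re.split(r"[=<>!~ \[;]", line, maxsplit=1)[0]
        if not PIN_RE.match(line):
            issues.append((name, "not pinned with =="))
        if "--hash=" not in line:
            issues.append((name, "no --hash=, cannot be verified under require-hashes"))
    return issues


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_PIP_CONF), ("hardened", HARDENED_PIP_CONF)):
        print(f"{label} pip.conf findings:")
        for f in audit_pip_config(conf) or ["none"]:
            print("  -", f)
    print("requirements findings:")
    for pkg, issue in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"  - {pkg}: {issue}")
```

The script only inspects text; it makes no network calls. Running it with a real `pip.conf` and `requirements.txt` in place of the constructed samples shows whether an environment still relies on `extra-index-url` for private packages and whether `pip install --require-hashes` would accept the requirements as written.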