Poetry V2: Change ONLY_BINARY/NO_BINARY implementation so that you can ONLY_BINARY=:all: NO_BINARY=one_package
Issue Kind
Change in current behaviour
Description
Hi, when using pip, you can use only_binary and no_binary interchangeably as part of the same configuration.
For example, when running pip install -r requirements --only-binary=:all: --no-binary=numpy, all packages in my requirements file will be installed using binaries, with the exception of numpy.
I want to be able to specify something similar to installer.only-binary=:all: installer.no-binary=package1.
Impact
This is to mitigate against possible supply chain attacks, whereby a malicious developer has provided a malicious sdist for one of the packages we use, and released it as a new version of a package we use, but hasn't provided a binary, enabling arbitrary code execution to be run when the malicious package is built from source.
The reason for providing exceptions is that there are some packages/dependencies we have to use which never include binaries in their releases, but we want those to be the exceptions rather than the rule.
Workarounds
The only way I can see of achieving this functionality currently is to provide a really long list of packages (except the one you want to build from source) to the POETRY_INSTALLER_ONLY_BINARY environment variable, which isn't practical and is difficult to maintain.
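As an added illustration, not Poetry's own code or its installer, here is a small Python model of the requested semantics: a package named in no-binary is an exception to only-binary=:all:, and a release that ships only an sdist is then refused instead of being built from source. The function names, the precedence rules and the release filenames are assumptions constructed for the example.

```python
import re

ALL = ":all:"  # wildcard accepted by both settings

def canonicalize(name: str) -> str:
    # PEP 503 normalisation so "My_Pkg" and "my.pkg" match the same entry
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_setting(value: str) -> set[str]:
    # Comma-separated package names, or the :all: wildcard
    items = {item.strip() for item in value.split(",") if item.strip()}
    return {item if item == ALL else canonicalize(item) for item in items}

def decide_format(package: str, only_binary: str, no_binary: str) -> str:
    """Return 'wheel', 'sdist' or 'any' for one package.
    Assumed semantics (a model of the request, not Poetry's code): an explicit
    name beats the other setting's :all: wildcard; a name in both is an error.
    """
    name = canonicalize(package)
    only, no = parse_setting(only_binary), parse_setting(no_binary)
    if name in only and name in no:
        raise ValueError(f"{package!r} is listed in both only-binary and no-binary")
    if name in no:
        return "sdist"
    if name in only:
        return "wheel"
    if ALL in only and ALL in no:
        raise ValueError("only-binary and no-binary cannot both be :all:")
    if ALL in no:
        return "sdist"
    if ALL in only:
        return "wheel"
    return "any"

def allowed_files(package: str, filenames: list[str],
                  only_binary: str, no_binary: str) -> list[str]:
    """Filter a release's files by the decided format; an empty result means the
    release is refused, so an sdist-only version is never built from source."""
    policy = decide_format(package, only_binary, no_binary)
    if policy == "wheel":
        return [f for f in filenames if f.endswith(".whl")]
    if policy == "sdist":
        return [f for f in filenames if not f.endswith(".whl")]
    return list(filenames)

if __name__ == "__main__":
    # Constructed release listings for the scenario in the issue
    print(allowed_files("numpy", ["numpy-2.0.0.tar.gz"], ALL, "numpy"))    # exception: sdist kept
    print(allowed_files("somelib", ["somelib-1.1.tar.gz"], ALL, "numpy"))  # []: refused, never built
```

The second call returns an empty list: under only-binary=:all: a package whose new version was published without a wheel fails the install instead of running its build step.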
Code is here; the simplest way to make a proposal is likely by making a pull request.
+1. I submitted a PR.
@dimbleby Thank you for pointing out the location in the code, it was very helpful