I had filed an issue over on the packaging-problems project, and as part of resolving that @sinoroc requested that I file a documentation issue over here.
Looking specifically at the guidance at the URL below.
https://packaging.python.org/en/latest/guides/using-testpypi/#using-testpypi-with-pip
This section advocates that users test downloading their package from test.pypi.org using pip and the `--index-url` argument. @sinoroc pointed out that if your package pulls dependencies, it might pull unsavory packages typosquatting on test.pypi.org.
@sinoroc indicated that test.pypi.org should not be used for testing pip. As a novice package publisher (this is my first public package), I would defer to the PyPA community, but I see @sinoroc's point.
Depending on the community opinion, I would suggest at minimum adding a warning that downloading from test.pypi.org could be hazardous for your health, with some reasoning. Or, if community agreement is unanimous that this is not an approved use of PyPI, you could omit the section completely, although it is probably best to keep the section but reduce it to a strongly worded warning that using pip against test.pypi.org is not advised, again with some reasoning.
This is the original ticket, for reference of the original conversation: packaging-problems #725
mechsin changed the title from "Warn aginst using pip against test.pypi.org" to "Warn against using pip against test.pypi.org" on Feb 16, 2024
mechsin changed the title from "Warn against using pip against test.pypi.org" to "Warn against using pip with test.pypi.org" on Feb 16, 2024
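The risk described in the issue comes from `pip install --index-url https://test.pypi.org/simple/ PKG`: pip resolves every dependency of PKG against test.pypi.org, where anyone can register a look-alike name. Adding `--extra-index-url https://pypi.org/simple/` does not remove the risk, because pip gives neither index priority and takes the best-matching version from whichever index offers it. The script below is an added example written for this page; it is not code from the issue, from the packaging guide, or from the PyPA. It fetches only the package's own wheel from TestPyPI with `--no-deps`, then installs that local file so the dependencies are resolved against the real PyPI. The function name `safe_testpypi_install`, the `PIP` override variable (set it to `echo` for a dry run) and the package name `example-pkg` in the usage comment are choices made here, not anything the guide prescribes.

```shell
#!/bin/sh
# Added example, not from the issue or from packaging.python.org.
# Install a package you published to TestPyPI without letting pip resolve
# its dependencies on TestPyPI, where names may be typosquatted.
#
# Risky form:
#   pip install --index-url https://test.pypi.org/simple/ PKG
# pip then looks up every dependency of PKG on test.pypi.org as well.
#
# Hardened form, two steps:
#   1. fetch only PKG's own wheel from TestPyPI (--no-deps, --only-binary :all:)
#      Insisting on a wheel means pip never builds an sdist, whose build
#      requirements would otherwise be fetched from that same index.
#   2. install that local file; its dependencies now resolve against real PyPI.
#
# PIP may be set to another single-word executable (pip3) or to echo for a dry run.
PIP="${PIP:-pip}"

safe_testpypi_install() {
    pkg="$1"
    tmp=$(mktemp -d) || return 1
    if "$PIP" download --no-deps --only-binary :all: \
            --index-url https://test.pypi.org/simple/ --dest "$tmp" "$pkg" \
        && "$PIP" install --index-url https://pypi.org/simple/ "$tmp"/*; then
        status=0
    else
        status=1
    fi
    rm -rf "$tmp"
    return "$status"
}

# Usage:  ./testpypi-install.sh example-pkg           (installs)
#         PIP=echo ./testpypi-install.sh example-pkg  (dry run: prints both pip commands)
if [ $# -gt 0 ]; then
    safe_testpypi_install "$1"
fi
```

If TestPyPI only holds an sdist of your package, step 1 fails on purpose; upload a wheel rather than relaxing `--only-binary`. Because the second `pip install` sees a local file, the only name that ever reaches test.pypi.org is the one you typed.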