--extra-index-url failing when package not in --index-url (polygraphy 0.47.1) #1600

kafonek · 2024-02-17T16:53:53Z

polygraphy==0.47.1 is present on the nvidia package index but not regular PyPI. On uv 0.1.3, I can uv pip install polygraphy==0.47.1 --index-url https://pypi.ngc.nvidia.com but not uv pip install polygraphy==0.47.1 --extra-index-url https://pypi.ngc.nvidia.com.

I realize this is very similar to #1377 but the discussion in that ticket seemed to be more about priority of indices to install from than an absence of checking the extra index url.

Verbose output below -

❯ uv pip install polygraphy==0.47.1 --extra-index-url https://pypi.ngc.nvidia.com -v
 uv::requirements::from_source source=polygraphy==0.47.1
    0.006585s DEBUG uv_interpreter::virtual_env Found a virtualenv named .venv at: /home/kafonek/scratch/.venv
    0.006640s DEBUG uv_interpreter::interpreter Detecting markers for: /home/kafonek/scratch/.venv/bin/python
    0.032748s DEBUG uv::commands::pip_install Using Python 3.10.12 environment at /home/kafonek/scratch/.venv/bin/python
 uv_client::flat_index::from_entries
 uv_resolver::resolver::solve
      0.039637s   0ms DEBUG uv_resolver::resolver Solving with target Python version 3.10.12
   uv_resolver::resolver::choose_version package=root
   uv_resolver::resolver::get_dependencies package=root, version=0a0.dev0
        0.039680s   0ms DEBUG uv_resolver::resolver Adding direct dependency: polygraphy==0.47.1
   uv_resolver::resolver::choose_version package=polygraphy
     uv_resolver::resolver::package_wait package_name=polygraphy
 uv_resolver::resolver::process_request request=Versions polygraphy
   uv_client::registry_client::simple_api package=polygraphy
     uv_client::cached_client::get_cacheable
       uv_client::cached_client::read_and_parse_cache file=/home/kafonek/.cache/uv/simple-v0/pypi/polygraphy.rkyv
 uv_resolver::resolver::process_request request=Prefetch polygraphy ==0.47.1
          0.045662s   5ms  WARN uv_client::cached_client Broken cache entry at /home/kafonek/.cache/uv/simple-v0/pypi/polygraphy.rkyv, removing: failed to open file `/home/kafonek/.cache/uv/simple-v0/pypi/polygraphy.rkyv`
          0.045932s   6ms DEBUG uv_client::cached_client No cache entry for: https://pypi.org/simple/polygraphy/
       uv_client::cached_client::fresh_request url="https://pypi.org/simple/polygraphy/"
       uv_client::cached_client::new_cache file=/home/kafonek/.cache/uv/simple-v0/pypi/polygraphy.rkyv
       uv_client::registry_client::parse_simple_api package=polygraphy
 uv_resolver::version_map::from_metadata
        0.093293s  53ms DEBUG uv_resolver::resolver Searching for a compatible version of polygraphy (==0.47.1)
      0.093341s  53ms DEBUG uv_resolver::resolver No compatible version found for: polygraphy
  × No solution found when resolving dependencies:
  ╰─▶ Because there is no version of polygraphy==0.47.1 and you require polygraphy==0.47.1, we can conclude that the requirements are unsatisfiable.

The text was updated successfully, but these errors were encountered:

exs-avianello · 2024-02-17T21:06:13Z

I think that this is the same as observed in #1451

kafonek · 2024-02-17T21:46:24Z

Ah, I glanced at your ticket and ducked out after seeing the timeout. I think you're right that it's the same thing. At least this is another example to test with.

Previously, we would prioritize `--index-url` over all `--extra-index-url` values. But now, we prioritize all `--extra-index-url` values over `--index-url`. That is, `--index-url` has gone from the "primary" index to the "fallback" index. In most setups, `--index-url` is left as its default value, which is PyPI. The ordering of `--extra-index-url` with respect to one another remains the same. That is, in `--extra-index-url foo --extra-index-url bar`, `foo` will be tried before `bar`. Finally, note that this specifically does not match `pip`'s behavior. `pip` will attempt to look at versions of a package from all indexes in which in occurs. `uv` will stop looking for versions of a package once it finds it in an index. That is, for any given package, `uv` will only utilize versions of it from a single index. Ref #171, Fixes #1377, Fixes #1451, Fixes #1600

Previously, `uv` would always prioritize the index given by `--index-url`. It would then try any indexes after that given by zero or more `--extra-index-url` flags. This differed from `pip` in that any priority was given at all, where `pip` doesn't guarantee any priority ordering of indexes. We could go in the direction of mimicing `pip`'s behavior here, but it at present has issues with dependency confusion attacks where packages may get installed from indexes you don't control. More specifically, there is an issue of different trust levels. See discussion in #171 and [PEP-0708] for more on the security impact. In contrast, `uv` will only select versions for a package from a single index. That is, even if `foo` is in indexes `a` and `b`, it will only consider the versions from the index that it checks first. This probably helps with respect to dependency confusion attacks, but also means that `uv` doesn't quite cover all of the same use cases as `pip`. In this PR, we retain the notion of prioritizing indexes, but tweak it so that PyPI is preferred last as opposed to first. Or more precisely, the `--index-url` flag specifies a fallback index, not the primary index, and is deprioritized beneath every index specified by `--extra-index-url`. The ordering among indexes given by `--extra-index-url` remains the same: earlier indexes are prioritized over later indexes. While this tweak likely won't hit all use cases, I believe it will resolve some of the most common pain points without exacerbating dependency confusion problems. Ref #171, Fixes #1377, Fixes #1451, Fixes #1600 [PEP-0708]: https://peps.python.org/pep-0708/

zanieb added bug Something isn't working registry Related to package indexes and registries labels Feb 17, 2024

kafonek closed this as completed Feb 17, 2024

kafonek mentioned this issue Feb 17, 2024

uv pip install for package works from --index-url but not from --extra-index-url #1451

Closed

zanieb added the duplicate This issue or pull request already exists label Feb 18, 2024

zanieb closed this as not planned Won't fix, can't repro, duplicate, stale Feb 18, 2024

BurntSushi mentioned this issue Feb 29, 2024

Add support for pinning a package to a specific index #171

Open

BurntSushi mentioned this issue Feb 29, 2024

tweak the order of index priority #2083

Merged

BurntSushi closed this as completed in #2083 Feb 29, 2024

This was referenced Mar 4, 2024

Can't find public pypi package when using extra-index-url #2159

Closed

Installing packages from multiple indexes fails if the desired versions are not found from the first index where the package is available. #2205

Closed

charliermarsh mentioned this issue Mar 19, 2024

wheel on pypi.org not found when using --extra-index-url that includes non-compatible wheels #2542

Closed

zanieb mentioned this issue Mar 28, 2024

uv pip install a wheel with extra index url doesn't resolve, normal pip works in fresh env #2718

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

--extra-index-url failing when package not in --index-url (polygraphy 0.47.1) #1600

--extra-index-url failing when package not in --index-url (polygraphy 0.47.1) #1600

kafonek commented Feb 17, 2024

exs-avianello commented Feb 17, 2024

kafonek commented Feb 17, 2024

--extra-index-url failing when package not in --index-url (polygraphy 0.47.1) #1600

--extra-index-url failing when package not in --index-url (polygraphy 0.47.1) #1600

Comments

kafonek commented Feb 17, 2024

exs-avianello commented Feb 17, 2024

kafonek commented Feb 17, 2024