Better handling of repositories - abstract away repository config from pyproject.toml and poetry.lock

[jonathanunderwood]

• I have searched the issues of this repo and believe that this is not a duplicate.
• I have searched the documentation and believe that my question is not covered.

Feature Request

Consider this use case:

• I am developing an application in an environment where I have a local mirror of PyPi, and I am using Poetry to manage my dependencies and packaging
• For my local development I want to use my locally available PyPi mirror, and in fact, access to public PyPi is blocked
• But, I want to publish my code on a public forge e.g. Github for others to collaborate on

So, for my local development I add code like this to pyproject.toml:

[[tool.poetry.source]]
name = "foo"
url = "https://foo.bar/simple/"
default = true

That's fine and good for my local development needs. But, now when I publish the project the pyproject.toml will refer to a primary repository foo that other developers don't have access to, and the poetry.lock file also has multiple references to this foo repository:

[[package]]
name = "alembic"
version = "1.4.3"
description = "A database migration tool for SQLAlchemy."
category = "main"
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"

[package.dependencies]
Mako = "*"
python-dateutil = "*"
python-editor = ">=0.3"
SQLAlchemy = ">=1.1.0"

[package.source]
type = "legacy"
url = "https://foo.bar/simple/"
reference = "foo"

This is not very helpful for other developers and collaboration, as the first thing other collaborators have to do is remove (or do a big search/replace on) the poetry.lock file, and remove the foo repo from pyrpoject.toml.

These are all symptoms of the fact that Poetry makes no distinction between where a package comes from, and what packages are needed as dependencies.

Far more helpful would be to have a separate configuration file telling poetry what repositories should be used for dependency resolution, and for pyproject.toml and poetry.lock to only contain details on what the dependencies are (package name, and hash for poetry.lock). Say repositories.toml.

It would also be helpful if it was possible to set the repository configuration globally as well as per project (i.e. a global config file, overridden by a per project config file if present).

[sinoroc]

Yes, I believe such a feature is vital. It has been suggested or hinted by multiple people already that there is need for that. Not sure if there is a concrete feature request ticket yet.

I'd like to link to this discussion that also provides great background feedback on the topic (although the premise of the disscussion may seem a bit unrelated): https://discuss.python.org/t/dependency-notation-including-the-index-url/5659

[halfdan]

I am currently running into the same issue. I'm on a corporate laptop where the central PyPi is blocked and I have to use a local mirror. For developing on my machine it's fine if I add the repo with default = true to pyproject.toml but I wish there was a way to reconfigure the default repository globally.

[PeterSulcs]

With pip we configure the PyPI mirrors once and then can forget about it on individual projects. Not having a way to configure default poetry sources at a global level means I have to think about it for each and every project and as mentioned above it imposes my dev config on all collaborators.

[neersighted]

Duplicate #5958 as it has more discussion.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.