pool: ensure sources are prioritised over PyPI

[abn]

When a project specifies non default sources, PyPI gets added as the
default source. This will prioritise packages available in PyPI when
the package exists in both index. This change ensures that PyPI is
only used as a default when no other sources are provided.

Resolves: #1677 #2564 #3238

[intgr]

Note that this caused a regression in our use case, we had configured a custom source in [[tool.poetry.source]], but the certificate was not trusted. Since 1.1.3 did not use the configured source, it worked, but 1.1.4 started failing by surprise.

It's not a big deal, but on the other hand, we would prefer not to have ugly surprises in patch level updates.

Maybe such behavior-changing fixes should not go into patch-level releases?

[sinoroc]

@intgr
@tomzx contributed a possible fix here: #3406
Would you mind testing it if you get a chance?

[abn]

Note that this caused a regression in our use case, we had configured a custom source in [[tool.poetry.source]], but the certificate was not trusted. Since 1.1.3 did not use the configured source, it worked, but 1.1.4 started failing by surprise.

It's not a big deal, but on the other hand, we would prefer not to have ugly surprises in patch level updates.

Maybe such behavior-changing fixes should not go into patch-level releases?

@intgr One thing to note here is that this was a bug fix to what became expected behaviour with 1.1.0 - ie. how various repository sources configured were handled. This was expected to keep priorities as described in the documentation, however this was not the case.

That said, I can also appreciate that how this is viewed can be subjective, Definitely, not intentional to cause surprises in patch releases and not something we want to make a habbit of either.

[github-actions]

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.