Possible move tool.poetry.source entries to global instead of pyproject

[heliocastro]

Besides appreciated move the registries to a source entry in pyproject, the current approach can fall in this such inconvenience:

• Company A allows only to use internal registry
• Developer add source A.secretcompany.com
• Developer publish the code as open source, therefore the mention to A.secretcompany.com reference is in the pyproject filr

If company B will contribute to the project, first try to install using poetry. it will:

• Fail because the source registry is not visible
• If the register source is visible, situation complicates, that can be behind authentication, and endpoint can be hammered
• If the register is even open, we can be caught in a security risk of both sides, o at minimal a compliance risk

Would be transfer the custom register sources to a global location a better possibility or i am missing some intermediary step ?

[radoering]

The source of each package is stored in the lockfile. Even if we allowed global sources, a lockfile would only be valid for company A or company B if they use different sources. To make this possible, we also had to change the locking mechanism so that only the name and not the url of a source would be locked. Probably not impossible (if there is consensus that we want that), but some effort someone has to be willing to put in. Moreover, during the implementation it may turn out there are further blockers, I haven't considered yet.

[heliocastro]

Thanks for quick jump in.

Is more or less cosmetic some would say, but the fact that we can commit and expose internal urls can be sometime worrisome.

I'm raised the topic because i'm doing the an entire compliance tooling pipeline inside our company, which restrict access to external internet, and our endpoints are always internal registries ( i.e. artifactory ), ending up that our developed applications have the source "baked" on the pyproject,

[clintonroy]

Our work repositories are indeed private, and not available to the outside world, publishing their urls would not increase risk at all. There's a reason that we try really hard not to put any security details in pyproject.toml

[heliocastro]

If not accessible from outside it's ok, but still, there's the moment where you commit myartifactoty.internal url and this become aware to malicious actors that now knows we have an internal site with this name.
I can't guaranteed that this can be accessed from sideways in case of a breach.
Just to acknowledge the existence can be a target factor unfortunately.