Explore key concepts around configuring pip to access private package indexes securely, including authentication, index prioritization, and configuration strategies. This quiz helps users reinforce essential practices needed for working with private repositories in contemporary Python package management workflows.
Which pip command-line option allows you to specify a custom, private package index URL when installing a package?
Explanation: The --index-url option tells pip which package index URL to use, such as one for a private repository. --private-repo and --extra-package-url are not recognized pip options and will result in an error if used. --repository-url is likewise not an accepted option for pip installs; only --index-url is correct in this context.
If you want pip to use both the official index and your private index, but prioritize the private one, which combination of options should you use?
Explanation: To prioritize a private index while still allowing fallback to the official index, --index-url should point to the private index, and --extra-index-url can point to the official index. --trusted-host is for SSL verification, not index priority. --repository-url and --add-index are not valid pip options, and --pre only controls pre-release versions.
When a private package index requires authentication, what is the recommended way to supply credentials for pip installs to minimize security risks?
Explanation: Environment variables are a secure method for managing sensitive credentials and reduce the risk of accidental exposure. Hardcoding credentials in URLs or in requirements files poses a substantial security risk, as these files might be shared or logged. Storing credentials in a temporary public file is inherently unsafe.
Which configuration file can you edit to set a default private index URL for all pip commands on a system-wide basis?
Explanation: pip.conf is the configuration file designed for global or user-specific pip settings, including the default index URL. pyproject.toml and setup.py are for package build and distribution metadata, not for pip configuration. requirements.yaml is not a configuration file that pip recognizes.
If your private index uses an internal SSL certificate and pip reports SSL verification errors, which option allows you to bypass these errors during package installation?
Explanation: The --trusted-host option lets you specify the hostname you trust, thereby bypassing strict SSL verification and resolving certificate errors. --skip-ssl, --no-security-check, and --unsafe-host are not valid pip options and will not address SSL issues. Proper use of --trusted-host is necessary for situations with self-signed or internal certificates.
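A check for two risks named in the explanations above (credentials written into index URLs, and --trusted-host relaxing certificate verification), as an added example that is not part of the original quiz. The `audit` function, the sample file and its host names are constructed for illustration, and it assumes a lone username in a URL is a token.

```python
import re
from urllib.parse import urlsplit

# Index options as written in requirements files (--index-url URL, -i URL)
# and in pip.conf (index-url = URL).
URL_OPT = re.compile(
    r"(?:^|\s)(?:--index-url|--extra-index-url|-i|index-url|extra-index-url)"
    r"(?:\s*=\s*|\s+)(\S+)"
)
TRUSTED = re.compile(r"(?:^|\s)(?:--)?trusted-host(?:\s*=\s*|\s+)(\S+)")
# The ${VAR} form that pip expands from the environment in requirements files.
ENV_REF = re.compile(r"\$\{[A-Z0-9_]+\}")

# Constructed sample input, not taken from any real project.
SAMPLE = """\
# requirements.txt (constructed sample)
--index-url https://build:s3cr3t-token@pkgs.internal.example/simple
--extra-index-url https://${PIP_USER}:${PIP_PASS}@mirror.internal.example/simple
--trusted-host pkgs.internal.example
requests==2.31.0
"""


def audit(text):
    """Return (line_number, finding, host) tuples for risky pip index settings."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #")[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        for url in URL_OPT.findall(line):
            parts = urlsplit(url)
            # Assumption: with no password, the username itself is a token.
            secret = parts.password or parts.username
            # Anything other than a ${VAR} placeholder is a secret stored in the file.
            if secret and not ENV_REF.fullmatch(secret):
                findings.append((n, "literal-credential", parts.hostname))
        for host in TRUSTED.findall(line):
            # Certificate verification is relaxed for this host; surface it for review.
            findings.append((n, "trusted-host", host))
    return findings


if __name__ == "__main__":
    for lineno, finding, host in audit(SAMPLE):
        print(f"line {lineno}: {finding} ({host})")
```

A trusted-host finding is a prompt to check whether the certificate can be validated instead, for example by giving pip the internal CA bundle with its --cert option.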