Allow users to override default PyPI index URL with PyPI mirror URLs (without modifying Pipfile) #2075

Closed
@JacobHenner

Description

Hello all,

The situation

Currently, there is no easy way to override the default PyPI index URL to use a URL pointed at a mirror. In corporate environments, requiring developers to use a repository mirror is quite common:

  1. Corporate firewalls prohibit access to external software repositories.
  2. Internal repository mirrors conduct malware and vulnerability analysis, which can be a compliance requirement.
  3. Internal mirrors preserve modules that might later be unavailable upstream (due to outage, deletion, etc), which is necessary to ensure the availability and auditability of modules used within the company's environment.

Unfortunately, this doesn't appear to be easily accommodated by pipenv. Although the mirror could be explicitly added to the Pipfile as the source for these packages, this breaks portability.

  1. Projects initialized internally will contain unreachable indexes if published externally. Users of the public version will have to modify the Pipfile prior to installing the module's dependencies.
  2. Projects initialized externally will not work internally without modification of the Pipfile. These modifications must be maintained locally (but not shared), and reapplied if the Pipfile changes upstream.

There should be a way to override the location of the PyPI index, by specifying a (true) mirror. This would only be applicable to PyPI, and not to other third-party repositories (these would still be specified explicitly in the Pipfile).

General proposal

Docker accommodates this situation by allowing the user to specify a registry mirror in the daemon's configuration file. Likewise, it'd be great if the pipenv user could specify a (true) mirror for PyPI, via an environment variable, configuration file, or command line parameter. If this value is set, pipenv should use the mirror for all PyPI packages, even if a connection to PyPI is available. In some corporate environments, PyPI remains unblocked, but policy dictates that the mirror is used for the other reasons mentioned above.

Implementation considerations

  1. Pip already allows users to override the default index url through pip's configuration file. Although this would likely be the most obvious source of the internal mirror's url (and would likely be set for these users), this parameter can be used for repositories that aren't true mirrors. Accordingly, it's probably unsuitable for this purpose.
  2. For modules whose dependencies are all available on PyPI, it's my understanding that the explicit source can be removed from the Pipfile, and pip's default will be used. Unfortunately, this does not apply to projects with modules outside of PyPI. Furthermore, since the Pipfile generation process is explicit by default, many existing projects would have to modify their qualifying Pipfiles to accommodate this pattern by removing the default index url.
  3. If an environment variable is set as a source in the Pipfile, the variable could be optionally set to provide a mirror. Unfortunately, this requires existing projects to modify their Pipfiles to accommodate this pattern, which is not ideal.
  4. If an environment variable, command line parameter, or configuration setting is used to override the PyPI index url with a (true) mirror, how would the override work? Would it assume the mirror's index should be specified in all calls to pip which would otherwise use the PyPI index? Would it require a change to existing Pipfiles? Would it require redefining how sources are specified, including an overrideable PyPI default? Something else?

Related discussion
#1451
#1783

This has been discussed in #python and #pypa on Freenode. After some constructive back-and-forth, it was decided that it'd be helpful to open an issue here for discussion. I appreciate everyone's effort towards resolving this issue.
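
One way the override asked about in implementation consideration 4 could behave, shown as an added example that is not part of the original issue and not pipenv's own code: only sources whose parsed host is PyPI are swapped for the mirror at resolution time, third-party sources pass through, and the Pipfile data is never modified. The variable name `EXAMPLE_PYPI_MIRROR`, the set of PyPI hosts, and the sample sources are assumptions made for illustration.

```python
import os
from urllib.parse import urlsplit

# Hosts treated as "the" PyPI index (assumption for this sketch).
PYPI_HOSTS = {"pypi.org", "pypi.python.org"}
MIRROR_ENV = "EXAMPLE_PYPI_MIRROR"  # hypothetical variable name


def is_pypi(url):
    """True only when the parsed host is PyPI; a substring match is not enough."""
    return (urlsplit(url).hostname or "").lower() in PYPI_HOSTS


def effective_sources(sources, environ=None):
    """Return the sources to hand to the installer; `sources` is left untouched."""
    environ = os.environ if environ is None else environ
    mirror = environ.get(MIRROR_ENV, "").strip()
    if not mirror:
        return [dict(s) for s in sources]
    parsed = urlsplit(mirror)
    # Refuse a plaintext or malformed mirror rather than silently downgrading.
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"{MIRROR_ENV} must be an https URL")
    result = []
    for src in sources:
        src = dict(src)  # copy, so the parsed Pipfile stays portable
        if is_pypi(src["url"]):
            src["url"] = mirror
        result.append(src)
    return result


# Constructed sample: the [[source]] tables of a Pipfile, already parsed.
SAMPLE_SOURCES = [
    {"name": "pypi", "url": "https://pypi.org/simple", "verify_ssl": True},
    {"name": "vendor", "url": "https://packages.vendor.example/simple", "verify_ssl": True},
    {"name": "lookalike", "url": "https://pypi.org.mirror.example/simple", "verify_ssl": True},
]

if __name__ == "__main__":
    env = {MIRROR_ENV: "https://mirror.corp.example/pypi/simple"}
    for s in effective_sources(SAMPLE_SOURCES, env):
        print(s["name"], s["url"])
```

The `lookalike` entry shows why the comparison is made on the parsed hostname: a URL that merely begins with `pypi.org` is a different host and is not rewritten.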
