Inconsistent documentation: "setenv" is not supported in "global settings"

[AndreyNautilus]

tox version: 3.23.0

I want to add an extra pip index to all testenvs, and I've found this documentation: https://tox.readthedocs.io/en/latest/example/basic.html#installing-dependencies-from-multiple-pypi-servers with the following example:

[tox]
setenv =
    PIP_EXTRA_INDEX_URL = https://mypypiserver.org

[testenv]
deps =
    # docutils will be installed directly from PyPI
    docutils
    # mypackage missing at PyPI will be installed from custom PyPI URL
    mypackage

but this doesn't work. In my tox.ini with similar content (the only difference is the package name and the url), mypackage wasn't found. Even more: tox --showconfig didn't show PIP_EXTRA_INDEX_URL env var in setenv section for testenv.

Then I found documentation for "tox global settings" (https://tox.readthedocs.io/en/latest/config.html#tox-global-settings) which doesn't list setenv as an available keyword for the tox section.

If I move setenv from [tox] section to [testenv] section, everything works (as expected, according to the docs: https://tox.readthedocs.io/en/latest/config.html#conf-setenv).

So, my question (or bug report) is:

• is the documentation inconsistent and the example should be updated to not use setenv in [tox] section
• or is it a bug in tox and documentation for global settings should include setenv and tox should respect setenv from [tox] section?

[gaborbernat]

• is the documentation inconsistent and the example should be updated to not use setenv in [tox] section

This one.

[jugmac00]

additional comments to the current documentation

• it has to be PyPI and not PYPI
• relying that a package is not present on PyPI and using a fallback (private) package server could be dangerous, as somebody could register mypackage on PyPI and then you would install a potential harmful package

I read the comment # mypackage missing at PyPI will be installed from custom PyPI URL as we suggest this would be a good idea.

pips documentation is a bit vague what extra-index-url means exactly, or in which order the URLs are used, but I think this means, if a package is not present on the main index url, the extra index url is used as fallback.

I suggest that we either use two private package servers in the example or add a security warning about the potential danger of relying that a package name is unregistered on PyPI.

@gaborbernat What's your take on this?

[gaborbernat]

IMHO, it's up to the user to configure the tool correctly. That being said, I'm happy with either way, perhaps more practical would be:

add a security warning about the potential danger of relying that a package name is unregistered on

[jugmac00]

@AndreyNautilus Would you like to create a pull request to update the documentation?

[AndreyNautilus]

@jugmac00 sure, why not. I'll look into it later this week.

[AndreyNautilus]

#2016