On Fri, Sep 21, 2012 at 1:28 AM, Donald Stufft <[email protected]> wrote:
> These fields were _not_ for saying that it required a particular
> distribution/project and _were_ for saying it requires a particular
> module or package (in the import sense).

Yes, but that was still sufficient information to implement a dependency system, in theory. Specifically, it would have worked for the case where all projects are on PyPI and have correct metadata. If you assume that condition, you can trivially solve all dependencies; but if you don't assume that condition, you need something like dependency links.

> I don't see why pushing the maintenance burden down the stack isn't an ok
> thing to do.

For the same reason that requiring someone to read the source code of every function called by every function called by every function called by code they use isn't an ok thing to do.

> A dependency that comes from dependency_links can't be installed from
> your own internal PyPI (or another public one) without rewriting the setup.py
> scripts (Unless my understanding of dependency links is wrong).

This is indeed wrong. Dependency links are a last resort, used after all other provided dependency resolution sources have failed.

I think I see where Nick is coming from now - when he said "you don't know what's at the end of the URL", my first reaction was "WTF?", only much more elaborate than "WTF", because I couldn't conceive of how that's even remotely a meaningful comment. However, if he, like you, thought that a dependency link means "download and install this along with the package", then that's a perfectly understandable further misconception.

That isn't how they work at all: they are simply links that easy_install is *allowed* to use to resolve dependencies. It doesn't just download those URLs and install them. If you depend on Foo and Bar, your standard requirements list *still has to include Foo and Bar*! The dependency links only say, "here are some places to *look* for Foo and Bar, *if* you can't find them through the normal channels" (e.g. PyPI, your local index server, already-installed files, links specified on the command line, etc.).

In other words, they *supplement* the requirements metadata and index system, they don't *subvert* it.

> I think that the choice to use them should be in the hands of the person
> _installing_ the package, not the person creating the package.

That's what --allow-hosts is for: easy_install can be locked down to not install except from your local intranet or PyPI or whatever, and it can be done on a sitewide basis by default (by settings in the site's distutils.cfg).
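
The --allow-hosts lock-down mentioned at the end of this message, modelled as an added example (not part of the original e-mail and not setuptools' own code). It assumes the patterns are comma-separated shell-style globs that must match the whole host[:port] part of a URL; the links, host names and policy string are constructed.

```python
# Added illustration: models easy_install's --allow-hosts filter; not setuptools code.
from fnmatch import fnmatchcase
from urllib.parse import urlparse


def parse_allow_hosts(value):
    """Split a comma-separated --allow-hosts value into glob patterns."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def host_allowed(url, patterns):
    """True if the URL's whole netloc (user/host/port) matches one pattern."""
    netloc = urlparse(url).netloc.lower()
    return any(fnmatchcase(netloc, p) for p in patterns)


def audit_links(dependency_links, allow_hosts):
    """Partition dependency links into (usable, blocked) under a host policy."""
    patterns = parse_allow_hosts(allow_hosts)
    usable, blocked = [], []
    for url in dependency_links:
        (usable if host_allowed(url, patterns) else blocked).append(url)
    return usable, blocked


# Constructed sample data: links a package author might list in setup.py.
SAMPLE_LINKS = [
    "https://pypi.python.org/simple/Foo/",
    "http://downloads.example.net/Bar-1.0.tar.gz",
    "https://python.org/ftp/Baz-2.0.tar.gz",           # bare domain, no subdomain
    "http://index.intranet.example:8080/simple/Bar/",  # explicit port
]

if __name__ == "__main__":
    policy = "*.python.org, index.intranet.example:8080"  # hypothetical site policy
    usable, blocked = audit_links(SAMPLE_LINKS, policy)
    for url in usable:
        print("allowed:", url)
    for url in blocked:
        print("blocked:", url)
```

Note that `*.python.org` does not cover the bare `python.org` host or a host with an explicit port. For a site-wide default, the same value goes in distutils.cfg as `allow_hosts` under `[easy_install]`.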
