I would like to remove dependency_links from pip, and ideally also setuptools.
In implementing the ensurepip module from PEP453 I realized that even with the ``--no-index`` flag pip was still attempting to reach the internet. After a little bit of investigation I realized that the reason for this was setuptools' use of dependency links. From my investigation it appears that setuptools uses these in order to enable secure automatic installation of the ssl dependencies on Python < 2.6.

Overall this feature is a security concern: a malicious package could "pin" any package they want by depending on it and adding a dependency link at version 100000. This would be more or less transparent to the end user.

I was looking to see what sort of impact this would have. There are currently 167,796 source files hosted on PyPI and of those files 4,005 of them have any dependency links at all. Looking at it a different way, there are 36,070 total projects on PyPI and 411 of them use this feature. So this is ~2% of the files or ~1% of the projects.

So it appears that this isn't a particularly popular feature. I believe that it is a *bad* idea that inverts the expected control and should be removed from both pip and setuptools. In setuptools' case it does use it in the only reasonable way I can imagine, however I think setuptools should just stop trying to automatically install those dependencies for Pythons < 2.6 and, similarly to pip, just print an error and expect users to get and install them on their own. As a reminder there are very few downloads from PyPI that are from Pythons < 2.6 [1]

[1] https://caremad.io/blog/a-look-at-pypi-downloads/
[2] https://gist.github.com/dstufft/7173539

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
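The "pin to version 100000" concern above can be checked for in a distribution's own metadata. The following is an added example, not code from the message or from pip/setuptools: it reads the `requires.txt` and `dependency_links.txt` that setuptools writes into egg-info (here constructed inline, with an invented `mirror.example.invalid` host) and flags any dependency link whose `#egg=Name-Version` fragment would satisfy a declared requirement with a version higher than anything the index knows about. The `index_versions` mapping is assumed to come from a PyPI lookup the caller performs separately.

```python
# Added example (not from the original message): audit setuptools metadata for
# dependency_links that would shadow index-hosted releases of a requirement.
import re
from urllib.parse import urlparse

def _version_key(version):
    """Crude numeric ordering of a version string ('2.10.1' > '2.9')."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def _normalize(name):
    """PEP 503-style name normalisation so 'Foo_Bar' == 'foo-bar'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_egg_fragment(url):
    """Return (name, version) from a '#egg=Name-1.2' fragment; version may be None."""
    match = re.search(r"egg=([^&]+)", urlparse(url).fragment)
    if not match:
        return None, None
    spec = match.group(1)
    parts = re.match(r"^([A-Za-z0-9_.]+)-(\d[^-]*)$", spec)
    if parts:
        return _normalize(parts.group(1)), parts.group(2)
    return _normalize(spec), None

def audit_dependency_links(requires_txt, dependency_links_txt, index_versions):
    """Flag links that can satisfy a declared requirement with a version above
    the highest one the index serves (the 'pin at version 100000' case)."""
    required = {_normalize(re.split(r"[<>=!~;\[ ]", line.strip(), 1)[0])
                for line in requires_txt.splitlines()
                if line.strip() and not line.startswith("[")}  # '[extra]' headers
    findings = []
    for url in (u.strip() for u in dependency_links_txt.splitlines() if u.strip()):
        name, version = parse_egg_fragment(url)
        if name not in required:
            continue
        index_max = max(index_versions.get(name, []), key=_version_key, default=None)
        shadows = version is not None and (
            index_max is None or _version_key(version) > _version_key(index_max))
        findings.append({"requirement": name, "host": urlparse(url).netloc,
                         "link_version": version, "index_max": index_max,
                         "shadows_index": shadows})
    return findings

# Constructed sample metadata: one link pins 'requests' far above the index.
SAMPLE_REQUIRES = "requests\nsix>=1.0\n\n[ssl]\npyOpenSSL\n"
SAMPLE_LINKS = ("https://mirror.example.invalid/dl/requests-100000.tar.gz#egg=requests-100000\n"
                "https://mirror.example.invalid/dl/other-1.0.tar.gz#egg=other-1.0\n")
SAMPLE_INDEX = {"requests": ["2.0.1", "2.2.0"], "six": ["1.4.1"]}

def demo():
    return audit_dependency_links(SAMPLE_REQUIRES, SAMPLE_LINKS, SAMPLE_INDEX)
```

A finding with `shadows_index` set means the link, not the index, would decide which release of that requirement gets installed.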