Ok here’s the real list: https://gist.github.com/dstufft/7177500
On Oct 26, 2013, at 11:00 PM, Donald Stufft <don...@stufft.io> wrote:

> Bleh, scratch that, it was adding everything :(
>
> On Oct 26, 2013, at 10:59 PM, Donald Stufft <don...@stufft.io> wrote:
>
>> On Oct 26, 2013, at 10:14 PM, Donald Stufft <don...@stufft.io> wrote:
>>
>>> I would like to remove dependency_links from pip, and ideally also setuptools.
>>>
>>> In implementing the ensurepip module from PEP453 I realized that even with the ``--no-index`` flag pip was still attempting to reach the internet. After a little bit of investigation I realized that the reason for this was setuptools' use of dependency links. From my investigation it appears that setuptools uses these in order to enable secure automatic installation of the ssl dependencies on Python < 2.6.
>>>
>>> Overall this feature is a security concern: a malicious package could "pin" any package they want by depending on it and adding a dependency link at version 100000. This would be more or less transparent to the end user.
>>>
>>> I was looking to see what sort of impact this would have. There are currently 167,796 source files hosted on PyPI and of those files 4,005 of them have any dependency links at all. Looking at it a different way, there are 36,070 total projects on PyPI and 411 of them use this feature. So this is ~2% of the files or ~1% of the projects.
>>>
>>> So it appears that this isn't a particularly popular feature. I believe that it is a *bad* idea that inverts the expected control and should be removed from both pip and setuptools. In setuptools' case it does use it in the only reasonable way I can imagine; however, I think setuptools should just stop trying to automatically install those dependencies for Pythons < 2.6 and, similarly to pip, just print an error and expect users to get and install them on their own. As a reminder there are very few downloads from PyPI that are from Pythons < 2.6 [1]
>>>
>>> [1] https://caremad.io/blog/a-look-at-pypi-downloads/
>>> [2] https://gist.github.com/dstufft/7173539
>>>
>>> -----------------
>>> Donald Stufft
>>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>>>
>>> _______________________________________________
>>> Distutils-SIG maillist - Distutils-SIG@python.org
>>> https://mail.python.org/mailman/listinfo/distutils-sig
>>
>> A list of projects that use dependency links:
>> https://gist.github.com/dstufft/7177500

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
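As an added illustration of the concern raised in the thread (my own example code, not pip's or setuptools' implementation and not part of the original post): a small audit that pulls the `dependency_links` entries out of a setup.py and reports which host each link would fetch from and which name/version its `#egg=` fragment pins, so a reviewer can spot a link that overrides a dependency the way the post describes. The setup.py text and the `example.invalid` host are constructed.

```python
import ast
import re
from urllib.parse import unquote, urlparse

# Constructed sample setup.py; example.invalid is a placeholder host, not a real site.
SAMPLE_SETUP_PY = '''
from setuptools import setup
setup(
    name="demo",
    install_requires=["somelib>=1.0", "otherlib"],
    dependency_links=[
        "https://example.invalid/dl/somelib-100000.tar.gz#egg=somelib-100000",
        "git+https://example.invalid/otherlib.git#egg=otherlib",
    ],
)
'''

# The "#egg=name" / "#egg=name-version" fragment that setuptools and pip read from a link.
EGG_RE = re.compile(r"egg=(?P<name>[A-Za-z0-9_.-]+?)(?:-(?P<version>\d[\w.]*))?$")


def extract_dependency_links(setup_py: str) -> list:
    """Return the string literals passed as dependency_links= to setup() or setuptools.setup()."""
    links = []
    for node in ast.walk(ast.parse(setup_py)):
        if not isinstance(node, ast.Call):
            continue
        name = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
        if name != "setup":
            continue
        for kw in node.keywords:
            if kw.arg == "dependency_links" and isinstance(kw.value, (ast.List, ast.Tuple)):
                links += [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
    return links


def classify_link(link: str) -> dict:
    """Report the host a link would fetch from and which name/version its egg fragment pins."""
    parsed = urlparse(link)
    m = EGG_RE.search(unquote(parsed.fragment))
    version = m.group("version") if m else None
    return {"url": link, "host": parsed.hostname, "egg": m.group("name") if m else None,
            "version": version, "pins_version": version is not None}


def audit(setup_py: str) -> list:
    """Classify every dependency link so a reviewer sees what the package would override."""
    return [classify_link(link) for link in extract_dependency_links(setup_py)]
```

Running `audit(SAMPLE_SETUP_PY)` shows the first link pinning `somelib` to version 100000 on a non-PyPI host, which is exactly the kind of entry a `--no-index` install is expected never to follow.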