> "we don't know what happens inside corporate firewalls"
>

Non-published uses of dependency links could turn out to be the use cases
that we'd get complaints about.

> To me, the best part of the more aggressive timeline is it means
> CPython would never ship a version of pip that allows that particular
> attack vector by default.
>
Over IRC and on pypa-dev, I brought up the deprecate-first point of view in
the context that we would be *removing the feature*.
It's less drastic to flip defaults (and add a way to turn it back on).

It's probably right that nobody will complain, but my thinking was this:
- Donald can add a hidden option for now for the sake of ensurepip (it
wouldn't clutter the CLI, and can be removed later care-free).
- Separate from that, pip and setuptools deprecate together, then
completely remove dep-links support. If it's bad, it's bad. Get rid of it.
Let's reduce the options and clutter.
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig