On 10 May 2014 12:57, Nick Coghlan <ncogh...@gmail.com> wrote:
> Actually, I expect folks like Stefan & MvL would likely want to be able to
> preserve the current "--allow-external" behaviour. The change Donald is
> suggesting could then just be a matter of renaming the current
> "--allow-external" to "--allow-safe-external", and making "--allow-external"
> and "--allow-unverifiable" synonyms.
>
> The error messages would still recommend "--allow-external", since that is
> likely what would be needed to solve any installation problems related to
> externally hosted files.

The thing is, the current --allow-external helps basically no-one. If the
people who wanted the behaviour preserved switched their packages to
include hashes, so that they didn't *also* need --allow-unverifiable, then
keeping both (in some form) would make more sense. But at the moment, the
*only* people who can justifiably say they want --allow-external to be
retained are the authors of the 26[1][2] verifiable but external packages
on PyPI, and that's not a big enough group to justify the confusion caused
by having two similar but subtly different options.

Paul

[1] See Donald's email. "And looking even closer at those, only 0.07% (26)
of them will have the outcome of ``pip install whatever`` change (in other
words, the latest version requires external+safe)."

[2] Apologies if Stefan and MAL are among those authors - it's not clear to
me if that's the case from the information I have. But even if they are,
the numbers argument is still pretty compelling.