On Mon, Oct 23, 2017 at 4:16 PM, Nathan Dunfield <nat...@dunfield.info> wrote: > On Monday, October 23, 2017 at 7:32:03 AM UTC-5, Erik Bray wrote: >> >> > I also balk at the idea of shipping a crippled pip. >> >> It's not crippled if you don't need it to install from HTTPS which not >> everyone does. > > > I agree with Emmanuel that providing "pip" without HTTPS is shipping a > broken product. While there are other uses for "pip", by far the most > common is to install Python packages off PyPI, which requires HTTPS.
It is literally not a broken product. In fact support for SSL was deliberately made optional (minus the time it wasn't due to a bug) because PyPI is not the only use for pip and never was the only use. Likewise for R's package.install() it supports other sources than CRAN and as far as I can tell always has. If you look at my message a little further up I was explicit that in the common case of "average users", from the Sage perspective, we definitely want to support this functionality. From a software design perspective, however, it doesn't make sense to unconditionally require SSL when all other features of the software, including package installation from other sources, works without it. -- You received this message because you are subscribed to the Google Groups "sage-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+unsubscr...@googlegroups.com. To post to this group, send email to sage-devel@googlegroups.com. Visit this group at https://groups.google.com/group/sage-devel. For more options, visit https://groups.google.com/d/optout.