<div dir="ltr">I read through the "Removing dependency_links" thread [1] and I beg you not to follow through with the deprecation and removal of dependency_links and to rethink your approach.<div><br></div><div>The mentioned thread indicates that research was done to gauge the popularity of the dependency_links in publicly hosted Python projects. That approach is fundamentally flawed: Publicly hosted projects are much more likely to also be available on PyPI than private, closed-source projects. Consequently, their dependencies are also more likely to be hosted on PyPI as well. Because of that, they are much less likely to rely on the dependency_links feature. </div>
<div><br></div><div>Another misconception seems to be that dependency_links is predominantly used for installing patched or customized versions of dependencies hosted on PyPI. I'm pretty sure the predominant use case for dependency_links is with projects that are hosted privately, e.g. for an organization's internal use. I represent such an organization and removing dependency_links would impact us negatively. We host a set of internal projects and their dependencies on Bitbucket and we rely on dependency_links to install them directly from there.</div>
<div><br></div><div>I understand the motivation for this change – security – but there must be a smarter way to handle it. Could we fall back to dependency_links if a PyPI lookup isn't successful? Could we restrict dependency_links to links that share a prefix with the link from which the package is currently being installed? A combination of the two?</div>
<div><br></div><div><div>[1]: <a href="https://mail.python.org/pipermail/distutils-sig/2013-October/022937.html">https://mail.python.org/pipermail/distutils-sig/2013-October/022937.html</a><br clear="all"><div><br></div>-- <br>
<div dir="ltr">Hannes Schmidt<br>Software Application Developer<br>Data Migration Engineer<br>Cancer Genomics Hub<br>University of California, Santa Cruz<br><br>(206) 696-2316 (cell)<br><a href="mailto:hannes@ucsc.edu" target="_blank">hannes@ucsc.edu</a></div>
</div></div></div>
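One way to read the prefix restriction and PyPI-first fallback suggested in the message above, as an added example (not part of the original post, and not pip or setuptools code). It assumes "shared prefix" means the same https origin plus the same first path segment; `link_allowed`, `pick_source` and the `acme` URLs are hypothetical and constructed for illustration.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

def _origin_and_segments(url):
    """Return ((scheme, host, port), path segments) with dot-segments resolved."""
    parts = urlsplit(url)
    # Assumption: only https, and no userinfo ("https://bitbucket.org@other.host/").
    if parts.scheme != "https" or not parts.hostname or parts.username is not None:
        raise ValueError("unsupported URL: %r" % url)
    # Decode once and collapse "." / ".." so "/acme/../x" cannot pose as "/acme/...".
    path = normpath("/" + unquote(parts.path).lstrip("/"))
    origin = (parts.scheme, parts.hostname.lower(), parts.port or 443)
    return origin, [seg for seg in path.split("/") if seg]

def link_allowed(source_url, link, depth=1):
    """True if link has the source's origin and its first `depth` path segments."""
    try:
        src_origin, src_segs = _origin_and_segments(source_url)
        dep_origin, dep_segs = _origin_and_segments(link)
    except ValueError:
        return False
    if len(src_segs) < depth:
        return False  # source URL is too shallow to define a prefix
    # Whole segments are compared: a plain startswith() would accept "acme-evil".
    return src_origin == dep_origin and dep_segs[:depth] == src_segs[:depth]

def pick_source(found_on_index, source_url, dependency_links, depth=1):
    """Index first; otherwise the first link passing the prefix check, else None."""
    if found_on_index:
        return "index"
    for link in dependency_links:
        if link_allowed(source_url, link, depth):
            return link
    return None

# Constructed sample data (hypothetical organization "acme").
SOURCE = "https://bitbucket.org/acme/app/get/1.0.tar.gz"
GOOD = "https://bitbucket.org/acme/lib/get/2.0.tar.gz#egg=lib-2.0"
CANDIDATES = [
    "https://bitbucket.org/acme-evil/lib/get/2.0.tar.gz",   # sibling name, string prefix only
    "https://bitbucket.org/acme/%2e%2e/other/lib.tar.gz",   # encoded dot-segment escape
    "https://bitbucket.org.example.net/acme/lib.tar.gz",    # different host
    "http://bitbucket.org/acme/lib/get/2.0.tar.gz",         # downgraded scheme
    GOOD,
]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        print(link_allowed(SOURCE, candidate), candidate)
```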