On 28 Oct 2013 03:44, "Donald Stufft" <donald@stufft.io> wrote:
>
> Here’s the list of dependency links for the projects that still use them in their latest releases:
>
> https://gist.github.com/dstufft/7185162
>
> A good number of them are either bogus, are pointing directly to PyPI, or are file:// urls that are highly unlikely to exist on anyone's computer but the author's. All in all there are 307 total unique links in this set of packages, and 99 of them are not reachable from my computer (requests.get(…) raises an exception).
>
> So honestly I think this could just go away completely. I don’t see any use for it anymore and apparently neither does most of PyPI.

When making compatibility decisions, it's worth remembering that pre-packaged software (let alone the open source subset of that) is only the tip of a very large software iceberg that, as far as I am aware, still consists mostly of custom purpose specific code written for particular organisations.

In this case, I think the vulnerability argument is strong enough and good use cases rare enough to justify turning dependency link support off by default, but it should be easy to turn back on in at least pip 1.5 as a risk mitigation strategy.

Cheers,
Nick.
>
> On Oct 27, 2013, at 1:00 PM, Donald Stufft <donald@stufft.io> wrote:
>
> > More numbers: of the 411 projects that have ever used dependency links, only 311 of them use them in their latest release.
> >
> > -----------------
> > Donald Stufft
> > PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> >
> > _______________________________________________
> > Distutils-SIG maillist  -  Distutils-SIG@python.org
> > https://mail.python.org/mailman/listinfo/distutils-sig
>
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
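The survey quoted above sorts dependency links into a few buckets (file:// paths that only exist on the author's machine, links that just point back at PyPI, bogus entries, and links that are dead when fetched) and probes the rest with requests.get(). The script below is an added example of that triage, not code from this thread, from pip, or from PyPI. The sample links, the PYPI_HOSTS set and the fake_probe stand-in for requests.get() are all constructed here so it runs offline; the security-relevant point it makes visible is that anything in the "external" buckets is a host the package author, not the index, chose, which is what pip would fetch and install from when dependency links are honoured.

```python
"""Triage of setuptools dependency_links entries.

Added example (not from the original thread or from pip/PyPI).  The
sample links and the probe function are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import urlparse

# Hosts that are PyPI itself (assumed list): a dependency link pointing
# here adds nothing that a normal index lookup would not already do.
PYPI_HOSTS = {"pypi.python.org", "pypi.org", "files.pythonhosted.org"}


@dataclass(frozen=True)
class Triage:
    url: str
    category: str            # "file", "bogus", "pypi", "external-plain", "external"
    reachable: bool | None   # None when no probe was attempted


def classify(url: str) -> str:
    """Static classification of one dependency link (no network)."""
    parsed = urlparse(url.strip())
    if parsed.scheme == "file":
        return "file"            # exists only on the author's machine
    if parsed.scheme not in ("http", "https", "ftp") or not parsed.netloc:
        return "bogus"           # not a fetchable URL at all
    if parsed.hostname in PYPI_HOSTS:
        return "pypi"            # redundant: already an index lookup
    if parsed.scheme == "http":
        return "external-plain"  # author-chosen host, no transport integrity
    return "external"            # author-chosen host over https


def triage_links(links: Iterable[str],
                 probe: Callable[[str], None] | None = None) -> list[Triage]:
    """Classify each link and probe the fetchable ones.

    `probe` mirrors the check described in the thread: it is called with
    the URL and is expected to raise on failure, as requests.get() does.
    file:// and bogus entries are never probed.
    """
    results: list[Triage] = []
    for url in links:
        category = classify(url)
        reachable: bool | None = None
        if probe is not None and category in ("pypi", "external-plain", "external"):
            try:
                probe(url)
                reachable = True
            except Exception:
                reachable = False
        results.append(Triage(url, category, reachable))
    return results


def summarize(results: Iterable[Triage]) -> dict[str, int]:
    """Count links per category, plus how many probed links were dead."""
    counts: dict[str, int] = {}
    for r in results:
        counts[r.category] = counts.get(r.category, 0) + 1
        if r.reachable is False:
            counts["unreachable"] = counts.get("unreachable", 0) + 1
    return counts


# Constructed sample: one link of each kind seen in the survey.
SAMPLE_LINKS = [
    "file:///home/author/dist/foo-1.0.tar.gz",
    "https://pypi.python.org/simple/foo/",
    "http://example.invalid/foo-1.0.tar.gz",
    "https://example.org/downloads/",
    "not a url",
]


def fake_probe(url: str) -> None:
    """Offline stand-in for requests.get(url): raises for the one dead host."""
    if urlparse(url).hostname == "example.invalid":
        raise ConnectionError(f"cannot reach {url}")


if __name__ == "__main__":
    for item in triage_links(SAMPLE_LINKS, fake_probe):
        print(f"{item.category:15} reachable={item.reachable!s:5} {item.url}")
    print(summarize(triage_links(SAMPLE_LINKS, fake_probe)))
```

To run it against real metadata, replace fake_probe with a wrapper around requests.get(url, timeout=...) and feed it the dependency_links from each project's latest release; only the "external" and "external-plain" rows are the ones that would make pip fetch from somewhere other than the index.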