On Tue, 29 Jan 2019 at 20:09, Paul Moore wrote:
> On Tue, 29 Jan 2019 at 09:51, Jan Musílek wrote:
> > Well, yes, that's basically it. I don't think that there is anything wrong with PEP 508 pointing only at specific versions. BUT, it's widely proposed as a replacement for dependency links, which it's clearly not because of this issue.
>
> OK, I think that it may well be in that case that URL specifiers don't satisfy that specific use case that dependency_links did[1]. But URL specifiers were *intended* to replace dependency_links, so if they don't do so then it's likely because users of dependency_links didn't successfully explain their requirements, and something got missed as a result.
It wasn't an accident - the design of dependency links lets arbitrary packages in your dependency tree send your installer off to spider random sites on the internet for packages, and then when those sites break, your installation breaks. As a package consumer, when dependency links are enabled, you have no idea what servers your install process is actually going to go off and talk to, even if you specify `--binary-only :all:` to prevent local execution of setup.py scripts. It's essentially the same problem that https://www.python.org/dev/peps/pep-0470/ eliminated at the PyPI level.

So URL specifiers replaced the part of dependency links that we actually wanted to keep: letting projects *temporarily* depend on VCS repos and other URLs while waiting for a release containing the feature that they needed, while focusing on abstract dependencies outside those cases (and deliberately eliminating the ability to add arbitrary new repositories to the dependency resolution process).

Cheers,
Nick.

-- 
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
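The contrast Nick draws is that a PEP 508 direct reference names one fixed URL, so a consumer can enumerate every host an install will contact up front, which dependency_links never allowed. The following standard-library script is an added example, not code from the thread or from pip/setuptools: it classifies constructed requirement strings as index-resolved, direct URL or direct VCS reference and lists the hosts outside the index they point at; the hosts and project names are made-up placeholders.

```python
"""Audit PEP 508 requirement strings for direct URL references (added example)."""
import re
from urllib.parse import urlparse

# PEP 508 direct reference: "<name>[extras] @ <url>" (environment marker after ';')
_DIRECT_REF = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?P<extras>\[[^\]]*\])?\s*@\s*(?P<url>\S+)"
)
_VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+")


def classify_requirement(req: str) -> dict:
    """Describe what an installer would do with one requirement line.

    kind is "index" (abstract name, resolved via the configured index),
    "url" (fixed direct reference) or "vcs" (direct reference to a VCS repo).
    host is the network host the direct reference points at, else None.
    """
    spec = req.split(";", 1)[0]  # drop the environment marker, if any
    m = _DIRECT_REF.match(spec)
    if not m:
        # Abstract requirement: project name ends at the first specifier char
        name = re.split(r"[\s\[<>=!~]", spec.strip(), maxsplit=1)[0]
        return {"name": name, "kind": "index", "host": None}
    url = m.group("url")
    kind = "vcs" if url.startswith(_VCS_PREFIXES) else "url"
    # Strip the "git+" style VCS prefix so urlparse sees the transport URL
    parsed = urlparse(url.split("+", 1)[1] if kind == "vcs" else url)
    return {"name": m.group("name"), "kind": kind, "host": parsed.hostname}


def external_hosts(requirements):
    """Sorted hosts, other than the package index, an install would contact."""
    return sorted({c["host"] for c in map(classify_requirement, requirements)
                   if c["host"]})


SAMPLE_REQUIREMENTS = [  # constructed sample input, placeholder hosts
    "requests>=2.20",
    "mylib @ https://files.example.test/mylib-1.0-py3-none-any.whl",
    "fixlib @ git+https://git.example.test/org/fixlib.git@v0.3 ; python_version >= '3.6'",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUIREMENTS:
        print(classify_requirement(line))
    print("hosts contacted besides the index:", external_hosts(SAMPLE_REQUIREMENTS))
```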