On Jan 29, 2019, at 9:43 AM, Paul Moore wrote:

> But direct URLs to github repos are a different matter, and are frankly just wrong - by their nature a github repo is a changing object, and so will never map to a "specific artifact to install".
FWIW, Paul’s statement is supported by PEP 440 itself. PEP 440 states:

-----
All direct references that do not refer to a local file URL SHOULD specify a secure transport mechanism (such as https) AND include an expected hash value in the URL for verification purposes. If a direct reference is specified without any hash information, with hash information that the tool doesn't understand, or with a selected hash algorithm that the tool considers too weak to trust, automated tools SHOULD at least emit a warning and MAY refuse to rely on the URL.
-----

Which clearly suggests that the URLs are expected to be immutable (given that tooling should at least emit a warning if a hash isn’t included, and are permitted to error completely, and you can’t have a hash unless the target URL is immutable).
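As an added illustration (not part of the thread or of any installer's code), the following Python snippet applies the quoted PEP 440 SHOULD/MAY rules to archive-style direct references (`name @ https://.../pkg.tar.gz#sha256=...`) and then verifies downloaded bytes against the hash fragment; VCS references such as `git+https://` are out of scope, and the set of "strong" versus "weak" algorithms is an assumed policy, not one PEP 440 prescribes.

```python
import hashlib
from urllib.parse import urlparse

# Assumed installer policy: which fragment algorithms to trust or reject.
STRONG_HASHES = {"sha256", "sha384", "sha512"}
WEAK_HASHES = {"md5", "sha1"}


def parse_direct_reference(requirement):
    """Split a PEP 440 direct reference 'name @ url' into (name, url)."""
    name, sep, url = requirement.partition("@")
    if not sep:
        raise ValueError("not a direct reference: %r" % requirement)
    return name.strip(), url.strip()


def parse_hash_fragment(url):
    """Return (algorithm, digest) from a '#algo=digest' fragment, else None."""
    algo, sep, digest = urlparse(url).fragment.partition("=")
    if not sep or not algo or not digest:
        return None
    return algo.lower(), digest.lower()


def classify_direct_reference(requirement):
    """Return ('ok' | 'warn' | 'refuse', reason) per the quoted PEP 440 text."""
    _, url = parse_direct_reference(requirement)
    scheme = urlparse(url).scheme
    if scheme == "file":
        return "ok", "local file URL, hash not required"
    if scheme != "https":
        return "refuse", "insecure transport %r" % scheme
    hashed = parse_hash_fragment(url)
    if hashed is None:
        # e.g. a bare GitHub repo URL: nothing pins the artifact to install.
        return "warn", "no hash in URL, artifact cannot be pinned"
    algo, _ = hashed
    if algo in WEAK_HASHES:
        return "refuse", "hash algorithm %s considered too weak" % algo
    if algo not in STRONG_HASHES:
        return "warn", "hash algorithm %s not understood" % algo
    return "ok", "pinned with %s" % algo


def verify_artifact(url, data):
    """True only if data matches a trusted hash fragment in url."""
    hashed = parse_hash_fragment(url)
    if hashed is None or hashed[0] not in STRONG_HASHES:
        return False
    algo, digest = hashed
    return hashlib.new(algo, data).hexdigest() == digest


# Constructed sample artifact and URL (not a real package or host).
SAMPLE_DATA = b"constructed sdist bytes"
SAMPLE_URL = ("https://example.invalid/pkg-1.0.tar.gz#sha256="
              + hashlib.sha256(SAMPLE_DATA).hexdigest())
```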