I read through the "Removing dependency_links"
thread [1] and I beg you not to follow through with the deprecation
and removal of dependency_links and to rethink your approach.
The mentioned thread indicates that research was done to
gauge the popularity of the dependency_links in publicly
hosted Python projects. That approach is fundamentally flawed:
Publicly hosted projects are much more likely to also be
available on PyPI than private, closed-source projects.
Consequently, their dependencies are also more likely to be
hosted on PyPI as well. Because of that, they are much less
likely to rely on the dependency_links feature.
Another misconception seems to be that dependency_links is
predominantly used for installing patched or customized
versions of dependencies hosted on PyPI. I'm pretty sure the
predominant use case for dependency_links is with projects
that are hosted privately, e.g. for an organization's internal
use. I represent such an organization and removing
dependency_links would impact us negatively. We host a set of
internal projects and their dependencies on Bitbucket and we
rely on dependency_links to install them directly from there.
I understand the motivation for this change – security –
but there must be a smarter way to handle it. Could we fall back
to dependency_links if a PyPI lookup isn't successful? Could
we restrict dependency_links to links that share a prefix with
the link from which the package is currently being installed?
A combination of the two?
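The two mitigations floated at the end of the post, trying the index first and honouring dependency_links only for URLs that share a prefix with the URL the package itself came from, can be sketched as a policy check. What follows is an added example written for this page; it is not code from the original post, from setuptools or from pip. The definition of the trust prefix (scheme, host, port and the first path segment of the origin URL), the `choose_source` policy, the `#egg=` fragment parsing, and the sample URLs and index contents are all assumptions constructed for illustration.

```python
"""Prefix-restricted dependency_links with index-first fallback (added example).

Everything here is an assumption constructed for illustration, not
setuptools/pip code: the "trust prefix" is defined as the scheme, host,
port and the first TRUST_SEGMENTS path segments of the URL the package
itself was fetched from; INDEX stands in for a PyPI name lookup; ORIGIN
and LINKS are made-up URLs.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

TRUST_SEGMENTS = 1  # assumption: the owner/organisation segment on a Bitbucket-style host
_DEFAULT_PORTS = {"https": 443, "http": 80}


def _host_port(parts):
    """Parsed hostname and effective port, so that userinfo tricks such as
    https://bitbucket.org@evil.example/ and an explicit :443 compare correctly."""
    scheme = parts.scheme.lower()
    return (parts.hostname or "").lower(), parts.port or _DEFAULT_PORTS.get(scheme)


def trust_prefix(origin_url, segments=TRUST_SEGMENTS):
    """(scheme, host, port, path_prefix) that a dependency link must share.

    path_prefix always ends with '/' so '/acme/' cannot match '/acmecorp/'.
    """
    parts = urlsplit(origin_url)
    host, port = _host_port(parts)
    path = posixpath.normpath(unquote(parts.path) or "/")
    pieces = [p for p in path.split("/") if p]
    prefix = "/" + "/".join(pieces[:segments])
    if not prefix.endswith("/"):
        prefix += "/"
    return parts.scheme.lower(), host, port, prefix


def link_is_allowed(link, origin_url, segments=TRUST_SEGMENTS):
    """True only if `link` lives under the trust prefix of `origin_url`."""
    scheme, host, port, prefix = trust_prefix(origin_url, segments)
    parts = urlsplit(link)
    if parts.scheme.lower() != scheme:        # exact match also blocks an https -> http downgrade
        return False
    if _host_port(parts) != (host, port):     # compare parsed host/port, not the raw netloc
        return False
    if "%2f" in parts.path.lower():           # a server may treat %2F as part of one segment
        return False
    path = posixpath.normpath(unquote(parts.path) or "/")   # collapses /acme/../mallory/
    return (path + "/").startswith(prefix)


def canonical(name):
    """Normalise a project name the way index lookups compare them."""
    return re.sub(r"[-_.]+", "-", name).lower()


def egg_name(link):
    """Project name from a '#egg=name-version' fragment, or None (assumed format)."""
    for piece in urlsplit(link).fragment.split("&"):
        if piece.startswith("egg="):
            return canonical(piece[4:].split("-", 1)[0])
    return None


def choose_source(requirement, index_names, origin_url, dependency_links):
    """Index first; dependency_links only as a fallback, and only within the prefix.

    Returns ("index", name), ("link", url) or
    ("unresolved", [links that named the project but failed the prefix check]).
    """
    name = canonical(requirement)
    if name in index_names:
        return "index", name
    rejected = []
    for link in dependency_links:
        if egg_name(link) != name:
            continue
        if link_is_allowed(link, origin_url):
            return "link", link
        rejected.append(link)
    return "unresolved", rejected


# Constructed sample data: a package fetched from an organisation's Bitbucket account.
ORIGIN = "https://bitbucket.org/acme/libfoo/get/1.0.tar.gz"
LINKS = [
    "https://bitbucket.org/acme/libbar/get/2.0.tar.gz#egg=libbar-2.0",                # ok
    "http://bitbucket.org/acme/libbaz/get/1.1.tar.gz#egg=libbaz-1.1",                 # downgrade
    "https://bitbucket.org@evil.example/acme/libqux/get/1.0.tar.gz#egg=libqux-1.0",   # other host
    "https://bitbucket.org/acme/../mallory/libqux/get/1.0.tar.gz#egg=libqux-1.0",     # path escape
    "https://bitbucket.org/acmecorp/libqux/get/1.0.tar.gz#egg=libqux-1.0",            # sibling account
]
INDEX = {"requests"}  # stands in for "PyPI knows this name"


def demo():
    return {r: choose_source(r, INDEX, ORIGIN, LINKS)
            for r in ("requests", "libbar", "libbaz", "libqux")}


if __name__ == "__main__":
    for req, decision in demo().items():
        print(req, "->", decision)
```

The prefix check deliberately compares the parsed hostname and effective port rather than the raw netloc, refuses percent-encoded slashes, and collapses `..` segments before matching, since each of those is a cheap way for a malicious link to look like it is under the trusted account while resolving elsewhere. How many path segments count as the trust prefix is a policy choice; one segment matches the owner-per-account layout of Bitbucket-style hosts used in the post, and a stricter deployment could require the full directory of the origin URL.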