Thanks Jan for raising this issue.

On Tue, Jan 29, 2019 at 10:21 AM Tzu-ping Chung <uranusjr@gmail.com> wrote:

I’m wondering, why is it needed to specify both a version and a link? I assume the version specifier would be redundant when a link is provided as the source, since the link can only point to one possible package version.

The same could be said from the package name: when a link is provided, the name is redundant since the link can only point to one possible package name.

If a version specifier was allowed for direct references, this would the same thing: it would be the installer job to check that the provided link matches the provided version specifier, just like it should be checking that the package name matches ;).

If the direct references was inconsistent, the installer could print a warning or abort the installation.

Currently with pip 19, an inconsistent name in a direct reference only produces a warning.

With a setup.py containing

from setuptools import setup
setup(name='foo', version='1',
install_requires=['toto @ https://files.pythonhosted.org/packages/06/18/fa675aa501e11d6d6ca0ae73a101b2f3571a565e0f7d38e062eec18a91ee/mccabe-0.6.1.tar.gz'])

"pip install . --no-cache-dir" ends up (unhappily & with a few warnings) with mccabe 0.6.1 installed.