"we don't know what happens inside corporate firewalls"
non-published use of dependency links could turn out to be the use-cases that we'd get complaints about
To me, the best part of the more aggressive timeline is it means CPython would never ship a version of pip that allows that particular attack vector by default.
Over IRC and on pypa-dev, I brought up the deprecate-first point of view in the context that we would be *removing the feature*. It's less drastic to flip defaults (and add a turn-on); it's probably right that nobody will complain, but my thinking was this:

- Donald can add a hidden option for now for the sake of ensurepip (it wouldn't clutter the CLI, and can be removed later care-free)
- separate from that, pip and setuptools deprecate together, then completely remove dep-links support. If it's bad, it's bad. Get rid of it. Let's reduce the options and clutter.