On 08.05.2014 16:42, M.-A. Lemburg wrote:
On 08.05.2014 15:58, Donald Stufft wrote:
On May 8, 2014, at 9:39 AM, M.-A. Lemburg firstname.lastname@example.org wrote:
Well, to be fair and leaving aside uptime concerns and the general desire to always install packages from some server instead of a safe and trusted local directory (probably too obvious ;-), it would certainly be possible to add support for trusted externally hosted packages.
There is support for trusted externally hosted packages, you put the URL in PyPI and include a hash in the fragment like so:
The hash can be md5 or any of the sha-2 family.
Now this does not mean that pip install cdecimal will automatically this, because whether or not you're willing to install from servers other than PyPI is a policy decision for the end user of pip.
Hmm, if you call that feature "trusted externally hosted packages", pip should really trust them, right? ;-)
I can understand that pip defaults to not trusting URLs which don't meet the above feature requirements, but not that it still warns about unreliable externally hosted packages even if the above feature is used.
At the moment, pip will refuse to use externally hosted files even if the package author uses the above hashed URLs; even with HTTPS and a proper SSL certificate chain.
Could this perhaps be changed/reconsidered for pip ?
Note that easy_install/setuptools does not have such problems.
-- Marc-Andre Lemburg eGenix.com
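Added example, not part of the original thread and not pip's own code: a sketch of the two independent checks discussed above, the hash carried in the URL fragment (`#md5=...` or a SHA-2 name) and the user's policy on hosts other than the index. The host names, file name, payload and the `index_host` / `allow_external` parameters are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Algorithms named in the thread: md5 or any of the SHA-2 family.
ALLOWED = {"md5", "sha224", "sha256", "sha384", "sha512"}

def parse_hashed_link(url):
    """Split 'https://host/file#algo=hexdigest' into (clean_url, algo, digest)."""
    parts = urlsplit(url)
    algo, sep, digest = parts.fragment.partition("=")
    algo, digest = algo.lower(), digest.lower()
    if not sep or algo not in ALLOWED:
        raise ValueError("link carries no usable hash fragment")
    wrong_len = len(digest) != hashlib.new(algo).digest_size * 2
    if wrong_len or set(digest) - set("0123456789abcdef"):
        raise ValueError("malformed digest in fragment")
    return parts._replace(fragment="").geturl(), algo, digest

def verify_download(url, payload, index_host, allow_external=False):
    """Return True only if the host policy AND the pinned hash both pass."""
    clean_url, algo, digest = parse_hashed_link(url)
    if urlsplit(clean_url).hostname != index_host and not allow_external:
        return False  # user policy, decided independently of the hash
    actual = hashlib.new(algo, payload).hexdigest()
    return hmac.compare_digest(actual, digest)

# Constructed sample data: payload, file name and hosts are made up.
SAMPLE_PAYLOAD = b"constructed sdist bytes"
SAMPLE_URL = ("https://files.example.org/cdecimal-0.0.tar.gz#sha256="
              + hashlib.sha256(SAMPLE_PAYLOAD).hexdigest())

if __name__ == "__main__":
    for allow in (False, True):
        ok = verify_download(SAMPLE_URL, SAMPLE_PAYLOAD, "index.example", allow)
        print(f"allow_external={allow}: accepted={ok}")
    tampered = verify_download(SAMPLE_URL, b"tampered", "index.example", True)
    print("tampered payload accepted:", tampered)
```

The digest only pins the file to whatever the index page listed, so its value depends on how the page carrying the link was fetched and trusted.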