[Catalog-sig] Flag to tell pip to only install uploaded files

Aaron Meurer asmeurer at gmail.com
Thu Jul 5 06:43:39 CEST 2012

On Jul 4, 2012, at 8:18 PM, Richard Jones <richard at python.org> wrote:

> On 23 June 2012 10:21, Aaron Meurer <asmeurer at gmail.com> wrote:
>> There's also the issue that every
>> time we put out a release candidate for a new version, pip starts
>> installing that, when I would prefer it to only install stable final
>> releases.  It's also, as I noted on the other discussion list, a bit
>> of a security risk.
>> According to the pip guys (namely, Carl Meyer), this is not so easy to
>> change from their end because of backwards compatibility issues.  I
>> suggested that such a flag be added to PyPI, and they told me that if
>> it were, they would accept a patch supporting it in pip.  This would
>> make it much less of a headache for me as a package maintainer,
>> because I could know that pip will always install exactly what I want.
>> It could be off by default to enable backwards compatibility.
> Just to be clear, what's being proposed is some way to flag a release
> on PyPI as being "stable" (or some other release as "unstable")? Then
> a tool such as pip could prefer a stable release over an unstable
> release while scraping download links from PyPI and all related pages?
> How would this flag be presented to pip? How would a package
> maintainer manage it?

I think the cleanest way would be to just have a way to tell pip to
only install the files that are uploaded to PyPI (alternately, files
from a direct download link).  In other words, I want to force
pip/easy_install to *not* do any link scraping.

The way I visualize it is somewhere in the PyPI package page, there is
a checkbox, off by default, that says something like, "PyPI only." and
the descriptor text would be something like, "This will prevent tools
like pip and easy_install from link scraping to find the most recent
version of this package.  Only the uploaded file for the most recent
version on PyPI will be downloaded by these tools, even if a newer
version might be found on another website.  This is useful if you want
to prevent pip/easy_install from downloading incorrect files that it
thinks are newer, or if you want it to only download a stable version,
but remember that if you check this, it is up to you to update the
package here on PyPI when new versions are released or
pip/easy_install will never install them."

I think it would have to be a package-wide setting (unlike most settings,
which are version-wide) because you're telling it to always use the
newest version on PyPI, regardless of what that is.

> Just a thought on the version number precedence rules: would using
> "sympy-rc1-0.7.1" rather than "sympy-0.7.1-rc1" (i.e. your version is
> "rc1-0.7.1" instead of "0.7.1-rc1") work? It's a hack, I know, but I
> had another look at the easy_install docs page and it's not clear to
> me whether that would work. I think it might because it uses the same
> basic work-around as the sympy-docs-html file.

Yes, I know I could hack my way to it, but I'd really like to be able
to just check a box and forget about it.

And by the way, 0.7.1-rc1 actually *is* newer than 0.7.0.  Another
possibility if this flag is implemented is an optional flag to pip
that would tell it to ignore it, for those who really do want the
newest version (and know the risks).  I have no qualms against people
being able to pip install release candidates, I just don't want it to
happen by default.

Aaron Meurer

>     Richard
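
The selection behaviour proposed in this message, sketched as an added example that is not part of the original e-mail and is not pip's or PyPI's code. The host names, `INDEX_HOST`, `parse`, `choose`, `pypi_only`, `ignore_flag` and the simplified version ordering are assumptions made for illustration; the candidate links are constructed.

```python
import re
from urllib.parse import urlparse

INDEX_HOST = "pypi.example"  # assumption: host that serves files uploaded to the index

# Constructed sample of links a scraping installer might collect for one package.
CANDIDATES = [
    "https://pypi.example/packages/source/s/sympy/sympy-0.7.0.tar.gz",
    "https://downloads.example.org/sympy/sympy-0.7.1-rc1.tar.gz",
    "https://mirror.example.net/files/sympy-0.6.7.tar.gz",
]

_FILE_RE = re.compile(
    r"^[A-Za-z0-9_.]+?-(?P<ver>\d+(?:\.\d+)*)(?:[-.]?(?P<pre>a|b|rc)(?P<n>\d+))?\.tar\.gz$"
)
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def parse(url):
    """Return (hostname, sort_key) for a download link, or None if the name is unrecognised."""
    parts = urlparse(url)
    m = _FILE_RE.match(parts.path.rsplit("/", 1)[-1])
    if m is None:
        return None
    release = tuple(int(x) for x in m.group("ver").split("."))
    if m.group("pre") is None:
        return parts.hostname, (release, 1, 0, 0)  # final sorts above its own pre-releases
    return parts.hostname, (release, 0, _PRE_RANK[m.group("pre")], int(m.group("n")))


def choose(urls, pypi_only=False, ignore_flag=False):
    """Pick the link with the highest version; honour the package's flag unless overridden."""
    restrict = pypi_only and not ignore_flag
    best_url, best_key = None, None
    for url in urls:
        parsed = parse(url)
        if parsed is None:
            continue
        host, key = parsed
        # Exact hostname match, so a lookalike host or a path segment cannot pass as the index.
        if restrict and host != INDEX_HOST:
            continue
        if best_key is None or key > best_key:
            best_url, best_key = url, key
    return best_url


if __name__ == "__main__":
    print("scraping :", choose(CANDIDATES))
    print("PyPI only:", choose(CANDIDATES, pypi_only=True))
    print("override :", choose(CANDIDATES, pypi_only=True, ignore_flag=True))
```

With link scraping the externally hosted 0.7.1-rc1 wins because it sorts above 0.7.0; with the package-wide flag set only the file on the index host is eligible, and the client-side override restores the scraping result.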
