[Catalog-sig] Flag to tell pip to only install uploaded files

Aaron Meurer asmeurer at gmail.com
Thu Jul 5 22:06:02 CEST 2012

On Thu, Jul 5, 2012 at 1:22 PM, Carl Meyer <carl at oddbird.net> wrote:
> On 07/04/2012 11:00 PM, Donald Stufft wrote:
>> On Thursday, July 5, 2012 at 12:43 AM, Aaron Meurer wrote:
>>> I think the cleanest way would be to just have a way to tell pip to
>>> only install the files that are uploaded to PyPI (alternately, files
>>> from a direct download link). In other words, I want to force
>>> pip/easy_install to *not* do any link scraping.
>> Sounds like something that honestly belongs in pip.
>> Something like ``pip --disable-external``.
>> Possibly something like ``pip --only-stable`` or something (if versions
>> can be parsed by PEP 345?).
> I don't have any objection to a flag in pip to disable crawling off the
> index domain (this is a hard security requirement for some users, and
> something pip ought to have), but it doesn't at all meet Aaron's desire
> as a package maintainer to be able to make this happen *by default* for
> everyone pip-installing his package.
> Carl

Exactly.  This would be basically a waste of time if it weren't
default, because users can already get this behavior by passing
sufficient flags to pip (it might be slightly more convenient, but
that's it).  My point of view is that of a package maintainer, not a
user, who wants the user experience of people trying to install my
package using pip to be as seamless as possible.

My proposal recognizes that changing the defaults for everyone would
be a nightmare that the community is probably not ready for, but still
empowers package maintainers like myself to do so if they want to.  In
other words, it would make my life easier, and it wouldn't make your
lives any harder.

Aaron Meurer

