[Catalog-sig] Flag to tell pip to only install uploaded files

Aaron Meurer asmeurer at gmail.com
Sat Jun 23 02:21:10 CEST 2012


I'm following up on a discussion on the pip mailing list
where I was directed here.

Would it be possible to add some kind of a flag to PyPI that would let
package maintainers tell pip to install only the uploaded file (or
possibly also the file given by a direct link), and no others?

Currently, pip aggressively tries to find the latest version of a
package by crawling all links on the PyPI page, even those from older
versions.  This is a headache to me as a package maintainer because it
means that pip is quite often installing the wrong thing. Recently,
pip was trying to install our html docs because we had a file uploaded
at Google Code named "sympy-0.7.1-html-docs", which it deemed to be a
newer version than "sympy-0.7.1".  There's also the issue that every
time we put out a release candidate for a new version, pip starts
installing that, when I would prefer it to only install stable final
releases.  It's also, as I noted on the other discussion list, a bit
of a security risk.

According to the pip guys (namely, Carl Meyer), this is not so easy to
change from their end because of backwards compatibility issues.  I
suggested that such a flag be added to PyPI, and they told me that if
it were, they would accept a patch supporting it in pip.  This would
make it much less of a headache for me as a package maintainer,
because I could know that pip will always install exactly what I want.
It could be off by default to enable backwards compatibility.

Aaron Meurer
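An illustration of the two failure modes described in the message above, added here as an example and not code from the post, from pip or from PyPI. The link list and URLs are constructed (only the file names follow the ones the post mentions), and `permissive_key` is a deliberately simplified imitation of the pre-PEP 440 "legacy" ordering, not pip's own comparator: its one relevant property is that an unrecognised suffix such as `-html-docs` sorts above the bare release, while a release candidate for the next version also outranks the current final release. `pick_final_release` shows the behaviour a maintainer-controlled flag would give: only files on the host the maintainer uploaded to, only plain dotted-integer versions.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the links a crawler might collect for one project.
# Hypothetical URLs; the file names are modelled on the ones named in the post.
LINKS = [
    "https://pypi.python.org/packages/source/s/sympy/sympy-0.7.0.tar.gz",
    "https://pypi.python.org/packages/source/s/sympy/sympy-0.7.1.tar.gz",
    "https://code.google.com/files/sympy-0.7.1-html-docs.zip",
]
# Same set once a release candidate for the next version has been uploaded.
LINKS_WITH_RC = LINKS + [
    "https://pypi.python.org/packages/source/s/sympy/sympy-0.7.2.rc1.tar.gz",
]

ARCHIVE_EXT = re.compile(r"\.(tar\.gz|tgz|zip)$")
FINAL_RELEASE = re.compile(r"^\d+(?:\.\d+)*$")


def filename(url):
    """Last path component of a URL."""
    return urlparse(url).path.rsplit("/", 1)[-1]


def version_from_filename(name, project):
    """Whatever follows '<project>-' and precedes the archive extension.
    There is deliberately no check that it looks like a version; that is
    exactly how 'sympy-0.7.1-html-docs' yields the 'version' 0.7.1-html-docs."""
    prefix = project + "-"
    if not name.startswith(prefix):
        return None
    rest = ARCHIVE_EXT.sub("", name[len(prefix):])
    return rest or None


def permissive_key(version):
    """Simplified imitation (not pip's code) of legacy version ordering:
    digits compare numerically, known pre-release tags sort below a final
    release, and any other trailing text sorts above the bare release."""
    replace = {"pre": "c", "preview": "c", "rc": "c", "-": "final-", "dev": "@"}
    parts = []
    for piece in re.split(r"(\d+|[a-z]+)", version.lower()):
        piece = replace.get(piece, piece)
        if not piece or piece == ".":
            continue
        parts.append(piece.zfill(8) if piece[0].isdigit() else "*" + piece)
    parts.append("*final")
    return tuple(parts)


def pick_newest(links, project):
    """Crawler that trusts every link: largest version it can find, from any host."""
    best = None
    for url in links:
        ver = version_from_filename(filename(url), project)
        if ver is None:
            continue
        if best is None or permissive_key(ver) > permissive_key(best[1]):
            best = (url, ver)
    return None if best is None else best[0]


def pick_final_release(links, project, allowed_hosts=("pypi.python.org",)):
    """The behaviour the post asks for: only files on the host the maintainer
    uploaded to, only plain dotted-integer versions (no rc, no stray suffixes),
    newest of those. Returns None rather than falling back to a guess."""
    best = None
    for url in links:
        if urlparse(url).hostname not in allowed_hosts:
            continue
        ver = version_from_filename(filename(url), project)
        if ver is None or not FINAL_RELEASE.match(ver):
            continue
        key = tuple(int(p) for p in ver.split("."))
        if best is None or key > best[0]:
            best = (key, url)
    return None if best is None else best[1]


if __name__ == "__main__":
    print(filename(pick_newest(LINKS, "sympy")))                  # the docs archive
    print(filename(pick_newest(LINKS_WITH_RC, "sympy")))          # the release candidate
    print(filename(pick_final_release(LINKS_WITH_RC, "sympy")))   # sympy-0.7.1.tar.gz
```

The strict selector fails closed: if the only matching file is hosted somewhere the maintainer did not designate, it returns nothing instead of installing it, which is the property that turns "wrong thing installed" from a security issue into a visible error.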

More information about the Catalog-SIG mailing list