[Catalog-sig] Flag to tell pip to only install uploaded files

PJ Eby pje at telecommunity.com
Sat Jun 23 02:58:28 CEST 2012

On Fri, Jun 22, 2012 at 8:21 PM, Aaron Meurer <asmeurer at gmail.com> wrote:

> Hi.
> I'm following up on a discussion on the pip mailing list
> (
> https://groups.google.com/forum/#!topic/python-virtualenv/PZNj9pC6aKA/discussion
> ),
> where I was directed here.
> Would it be possible to add some kind of a flag to PyPI that would let
> package maintainers tell pip to install only the uploaded file (or
> possibly also the file given by a direct link), and no others?
> Currently, pip aggressively tries to find the latest version of a
> package by crawling all links on the PyPI page, even those from older
> versions.  This is a headache to me as a package maintainer because it
> means that pip is quite often installing the wrong thing. Recently,
> pip was trying to install our html docs because we had a file uploaded
> at Google Code named "sympy-0.7.1-html-docs",

The simple way to correct this problem is to rename the file
'sympy-html-docs-0.7.1' - this will fix things for all installers that
follow easy_install's discovery protocol, including pip and zc.buildout.

> which it deemed to be a
> newer version than "sympy-0.7.1".  There's also the issue that every
> time we put out a release candidate for a new version, pip starts
> installing that, when I would prefer it to only install stable final
> releases.  It's also, as I noted on the other discussion list, a bit
> of a security risk.

zc.buildout includes a flag to prefer stable releases, and I believe some
other installation tools do as well.  You might suggest they add such a
flag to pip and move towards using it by default.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20120622/35af1778/attachment.html>

More information about the Catalog-SIG mailing list