[Catalog-sig] Deprecate External Links

Lennart Regebro regebro at gmail.com
Thu Feb 28 22:08:45 CET 2013

On Thu, Feb 28, 2013 at 7:38 PM, PJ Eby <pje at telecommunity.com> wrote:
> I can't speak to pip, but since the relevant bits of distribute are
> 95% the same as setuptools, I think I can say that it will have the
> same technical issues, and that warning based on lack of an
> --allow-hosts will be both simpler to implement and easier to make
> secure.

I was thinking of simply checking that it used the same host as
index_url, but checking against allow-hosts does seem quite

>> 2. After a pre-determined period (6 months?) new versions are again
>> released that no longer download from external sites, unless a
>> parameter is added. We still warn when the parameter is added that
>> this feature will go away.
> I'd suggest that this be simply making the default --allow-hosts point to PyPI.

I think a deprecation period is advisable, so we don't just break
things suddenly and make everyone angry.

>> 3. New versions of pip and distribute will check these version numbers
>> and warn (but not fail) if the major version increases, noting that
>> it's time to upgrade.
> I think we should do something more like what MAL is proposing, which
> means that the current "API" can disappear altogether when the new
> tools arrive.

Works for me.
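
The two checks compared above (same host as index_url versus matching against allow-hosts), shown as an added example that is not part of the original message and is not setuptools, distribute or pip code. The index URL, the `ExternalLinkWarning` class, the function names and the sample links are assumptions made for illustration.

```python
import fnmatch
import warnings
from urllib.parse import urljoin, urlsplit

INDEX_URL = "https://pypi.python.org/simple/"  # assumed value of index_url


class ExternalLinkWarning(UserWarning):
    """Hypothetical warning category for downloads from outside the index host."""


def host_of(url):
    # .hostname drops userinfo and port, so "pypi.python.org@other.example"
    # is judged by its real host, "other.example".
    return (urlsplit(url).hostname or "").lower()


def is_allowed(url, allow_hosts):
    """True if the URL's host matches one of the allow-hosts glob patterns."""
    host = host_of(url)
    return bool(host) and any(fnmatch.fnmatchcase(host, p.lower()) for p in allow_hosts)


def filter_links(links, index_url=INDEX_URL, allow_hosts=None):
    """None: keep every link but warn on off-index hosts. List: enforce it."""
    index_host = host_of(index_url)
    kept = []
    for link in links:
        url = urljoin(index_url, link)  # relative links belong to the index host
        if allow_hosts is not None:
            if is_allowed(url, allow_hosts):
                kept.append(url)
            continue
        if host_of(url) != index_host:
            warnings.warn(f"{url} is not hosted on {index_host}; "
                          "pass allow-hosts to control this", ExternalLinkWarning)
        kept.append(url)
    return kept


# Constructed sample links, as they might appear on an index page.
SAMPLE_LINKS = [
    "https://pypi.python.org/packages/source/d/demo/demo-1.0.tar.gz",
    "http://downloads.example.org/demo-1.0.tar.gz",
    "https://pypi.python.org@mirror.example.net/demo-1.0.tar.gz",
    "../packages/demo-1.0.zip",
]
```

Comparing parsed hostnames rather than raw URL strings is what keeps the userinfo form and look-alike suffixes from passing either check.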
