[Distutils] Preventing downloading for package requirements

Barry Warsaw barry at python.org
Wed Feb 23 21:46:25 CET 2011

Something that's come up recently in the Debian Python mailing list is
setuptools/distribute's habit of downloading *_requires packages
(e.g. install_requires) when they are not available locally.

This causes us problems because dependencies are defined in two places.  They
are defined in setup.py by the upstream package author, and in the
debian/control file by the OS packager.  Generally, this is okay because we
can generate debian/control from setup.py -- though it does take some manual
intervention to keep things in sync.

This came up in the context of always enabling tests when we build the OS
package.  The problem arises if the two dependency lists are out of sync.  For
example, your setup.py depends on 'foo' but the Debian 'python-foo' package is
not installed.  In this case, during the build process, 'foo' would get
downloaded from the Cheeseshop and this would mask a bug in the debian/control
file (since any listed in debian/control would get installed from the archive
and thus be available by the time setuptools/distribute runs).

The question is: what's the best way for us Debian packagers to absolutely
prevent download from Cheeseshop?  We would much rather have
setuptools/distribute spew an error and stop, because then we'd fix
debian/control and ensure that all the package's dependencies came from the OS
archive instead of external resources.

One way that seems to work is to add this to setup.cfg:

allow_hosts: www.example.com

This will break the download by limiting acceptable hosts to bogus ones that
can't possibly satisfy the requirement.  But it's unsatisfying for several

* It's obscure and doesn't really describe what we're trying to do ('fixable'
  I suppose by a comment)
* Requires the Debian packager to add a setup.cfg or modify an existing one in
  the upstream package.

Note that I thought this might also work, but it does not afaict:

no_deps: true

So, do you have any suggestions for a better way to say "never download
dependencies" for a particular package, or class of packages.  Ideally,
there'd be one file we could modify, e.g. /etc/distribute.cfg that would allow
us to prevent downloading globally for all system provided packages, but would
still allow downloading for local development packages, e.g. via virtualenv.

Thoughts are welcome, but also perhaps we can discuss further at the Pycon

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20110223/8f8b33bb/attachment.pgp>

More information about the Distutils-SIG mailing list