[Distutils] .egg-info metadata

[PJ Eby]

On Fri, Sep 21, 2012 at 3:06 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On Fri, Sep 21, 2012 at 2:57 PM, PJ Eby <pje at telecommunity.com> wrote:
>> This is no more guesswork than the PyPI /simple index discovery protocol is.
>
> You have zero idea what's at the end of a URL link. You're just hoping
> it's the file you expect.

If that's really a problem, you can include an #md5 tag in the link,
and easy_install will refuse to install it if it doesn't match.

However, in a major common use case for dependency links, the person
who put the link in knows *exactly* what's at the end of that link,
because it's a URL they control with contents they produced.

I think, though, that maybe you're confused about how these links
work.  A dependency link has to be one of two types:

1. A "direct link" (a link that's recognizable as a distribution,
either because its final path component is a distribution filename or
because it's tagged with an #egg identifier), or

2. An "indirect link", which will be treated as an HTML page and
scanned for direct links.

This is the *same* protocol used with the PyPI /simple index, or more
precisely, it's a *subset* of that protocol.  (Index pages are scanned
for indirect links tagged as a home page or download URL; this
extension is not supported for dependency links.)