[Distutils] Removing dependency_links

Donald Stufft donald at stufft.io
Sun Oct 27 03:14:59 CET 2013

I would like to remove dependency_links from pip, and ideally
also setuptools.

In implementing the ensurepip module from PEP453 I realized that
even with the ``--no-index`` flag pip was still attempting to
reach the internet. After a little bit of investigation I realized
that the reason for this was setuptools use of dependency links.
From my investigation it appears that setuptools uses these in order
to enable secure automatic installation of the ssl dependencies on
Python < 2.6.

Overall this feature is a security concern, a malicous package could
"pin" any package they want by depending on it and adding a dependency
link a version 100000. This would be more or less transparent to
the end user.

I was looking to see what sort of impact this would have. There are
currently 167,796 source files hosted on PyPI and of those files
4,005 of them have any dependency links at all. Looking at it a
different way, there are 36,070 total projects on PyPI and 411 of them
use this feature. So this is ~2% of the files or ~1% of the projects.

So it appears that this isn't a particularly popular feature, I believe
that it is a *bad* idea that inverts the expected control and should
be removed from both pip and setuptools. In setuptools case it does use
it in the only reasonable way I can imagine, however I think setuptools
should just stop trying to automatically install those dependencies
for Pythons < 2.6 and similarly to pip just print an error and expect users
to get and install them on their own. As a reminder there are very
few downloads from PyPI that are from Pythons < 2.6 [1]

[1] https://caremad.io/blog/a-look-at-pypi-downloads/
[2] https://gist.github.com/dstufft/7173539

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20131026/591bf231/attachment.sig>

More information about the Distutils-SIG mailing list