[Distutils] Removing dependency_links
Donald Stufft
donald at stufft.io
Sun Oct 27 04:59:15 CET 2013
Ok, here’s the real list: https://gist.github.com/dstufft/7177500
On Oct 26, 2013, at 11:00 PM, Donald Stufft <donald at stufft.io> wrote:
> Bleh, scratch that, it was adding everything :(
>
> On Oct 26, 2013, at 10:59 PM, Donald Stufft <donald at stufft.io> wrote:
>
>>
>> On Oct 26, 2013, at 10:14 PM, Donald Stufft <donald at stufft.io> wrote:
>>
>>> I would like to remove dependency_links from pip, and ideally
>>> also setuptools.
>>>
>>> In implementing the ensurepip module from PEP 453 I realized that
>>> even with the ``--no-index`` flag pip was still attempting to
>>> reach the internet. After a little bit of investigation I realized
>>> that the reason for this was setuptools' use of dependency links.
>>> From my investigation it appears that setuptools uses these in order
>>> to enable secure automatic installation of the ssl dependencies on
>>> Python < 2.6.
>>>
>>> Overall this feature is a security concern: a malicious package could
>>> "pin" any package they want by depending on it and adding a dependency
>>> link to version 100000. This would be more or less transparent to
>>> the end user.
>>>
>>> I was looking to see what sort of impact this would have. There are
>>> currently 167,796 source files hosted on PyPI and of those files
>>> 4,005 of them have any dependency links at all. Looking at it a
>>> different way, there are 36,070 total projects on PyPI and 411 of them
>>> use this feature. So this is ~2% of the files or ~1% of the projects.
>>>
>>> So it appears that this isn't a particularly popular feature. I believe
>>> that it is a *bad* idea that inverts the expected control and should
>>> be removed from both pip and setuptools. In setuptools' case it does use
>>> it in the only reasonable way I can imagine; however, I think setuptools
>>> should just stop trying to automatically install those dependencies
>>> for Pythons < 2.6 and, similarly to pip, just print an error and expect users
>>> to get and install them on their own. As a reminder, there are very
>>> few downloads from PyPI that are from Pythons < 2.6 [1]
>>>
>>> [1] https://caremad.io/blog/a-look-at-pypi-downloads/
>>> [2] https://gist.github.com/dstufft/7173539
>>>
>>> -----------------
>>> Donald Stufft
>>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>>>
>>> _______________________________________________
>>> Distutils-SIG maillist - Distutils-SIG at python.org
>>> https://mail.python.org/mailman/listinfo/distutils-sig
>>
>> A list of projects that use dependency links: https://gist.github.com/dstufft/7177500
>>
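The "pinning" problem and the ``--no-index`` observation from the first quoted message, modelled as an added example. This is illustration code written for this page, not pip's or setuptools' resolver: the index contents, the ``index.example`` and ``attacker.example`` hosts, the project names and the ``process_dependency_links`` switch are all constructed assumptions. What it does rely on is real setuptools behaviour: dependency links carry a ``#egg=project-version`` fragment, and setuptools writes the declared links to an ``egg-info/dependency_links.txt`` file, which is what the audit helper at the end looks for in an sdist.

```python
"""Added illustration (not pip or setuptools code) of the dependency_links
problem: links supplied by *any* dependency become download candidates, so a
package can "pin" another package at an arbitrary version hosted anywhere.
Index contents, hosts and project names below are constructed for the example."""
import io
import tarfile
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Candidate:
    project: str
    version: tuple
    url: str
    source: str  # "index" or "dependency_link"


def parse_version(text):
    # Simplified: numeric dotted versions only (no pre-releases, no PEP 440).
    return tuple(int(part) for part in text.split("."))


def parse_egg_fragment(url):
    """Read the '#egg=project-version' fragment setuptools uses on a link.

    Simplified: the version is whatever follows the last '-' in the fragment."""
    fragment = urlparse(url).fragment
    if not fragment.startswith("egg="):
        return None
    project, _, version = fragment[len("egg="):].rpartition("-")
    if not project or not version:
        return None
    return project.lower(), parse_version(version)


# Constructed stand-in for an index such as PyPI: project -> [(version, url)].
INDEX = {
    "requests": [("2.0.0", "https://index.example/requests-2.0.0.tar.gz"),
                 ("2.0.1", "https://index.example/requests-2.0.1.tar.gz")],
}

# Constructed metadata of a malicious package: it merely depends on
# 'requests' and ships a dependency link claiming version 100000.
MALICIOUS_INSTALL_REQUIRES = ["requests"]
MALICIOUS_DEPENDENCY_LINKS = [
    "http://attacker.example/requests-100000.tar.gz#egg=requests-100000",
]


def resolve(project, index, dependency_links, process_dependency_links):
    """Pick the highest version seen, like the legacy setuptools/pip behaviour.

    process_dependency_links=True trusts links carried by a dependency as
    candidates; False (the change the message argues for) uses the index only."""
    project = project.lower()
    candidates = [Candidate(project, parse_version(v), url, "index")
                  for v, url in index.get(project, [])]
    if process_dependency_links:
        for link in dependency_links:
            parsed = parse_egg_fragment(link)
            if parsed and parsed[0] == project:
                candidates.append(Candidate(project, parsed[1], link, "dependency_link"))
    if not candidates:
        raise LookupError(f"no candidate for {project}")
    return max(candidates, key=lambda c: c.version)


def would_reach_network(candidate, no_index):
    """True when a --no-index install would still fetch from the network:
    the flag silences the index, not a link that came from dependency_links."""
    host = urlparse(candidate.url).netloc
    return no_index and candidate.source == "dependency_link" and bool(host)


def build_sdist(project, dependency_links):
    """Construct an in-memory sdist carrying the egg-info file setuptools
    writes for dependency_links (constructed test data, not a real upload)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = ("\n".join(dependency_links) + "\n").encode() if dependency_links else b""
        info = tarfile.TarInfo(f"{project}-1.0/{project}.egg-info/dependency_links.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def dependency_links_in_sdist(sdist_bytes):
    """Audit an sdist: return every non-empty dependency_links entry it declares."""
    links = []
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("/dependency_links.txt"):
                text = tar.extractfile(member).read().decode()
                links.extend(line.strip() for line in text.splitlines() if line.strip())
    return links


if __name__ == "__main__":
    chosen = resolve("requests", INDEX, MALICIOUS_DEPENDENCY_LINKS, True)
    print("legacy:", chosen.version, chosen.source, chosen.url)
    safe = resolve("requests", INDEX, MALICIOUS_DEPENDENCY_LINKS, False)
    print("index-only:", safe.version, safe.source)
    print("audit:", dependency_links_in_sdist(build_sdist("evilpkg", MALICIOUS_DEPENDENCY_LINKS)))
```

With links processed, the attacker's version 100000 outranks both index releases and the install would download from ``attacker.example`` even under ``--no-index``; with links ignored, 2.0.1 from the index wins. The audit helper is the check a practitioner can run over a local cache of sdists to see which of their own dependencies declare links at all.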