[Distutils] Removing dependency_links

Nick Coghlan ncoghlan at gmail.com
Sun Oct 27 06:16:32 CET 2013 

On 27 October 2013 14:35, Donald Stufft <donald at stufft.io> wrote:
>
> On Oct 27, 2013, at 12:30 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>
>> On 27 October 2013 14:13, Donald Stufft <donald at stufft.io> wrote:
>>>
>>> On Oct 26, 2013, at 11:59 PM, Donald Stufft <donald at stufft.io> wrote:
>>>
>>>> Ok here’s the real list: https://gist.github.com/dstufft/7177500
>>>
>>> Quick note that this list is a list of projects that have *ever* used
>>> dependency links on PyPI. Some of these projects are no longer
>>> using them.
>>
>> Am I correct in thinking that providing a flag to disable them
>> completely will be enough to get ensurepip to behave itself?
>>
>> If so, then the bare minimum is to provide such a flag in the bundled
>> versions of pip and setuptools and have ensurepip use it.
>
> Yes, it only needs to exist in pip as well, it does not need to exist
> in setuptools for ensurepip’s purposes.

Excellent, so that's the only mandatory-due-to-PEP-453 part for pip 1.5.

>> I also think it is reasonable to continue offering a feature like
>> dependency_links on an opt-in basis for controlled environments (I see
>> it as analagous to the direct references feature in PEP 440).
>>
>> That would make the migration look something like:
>>
>> pip 1.5 (and associated minimum required version of setuptools):
>>  - add a disable switch for dependency link handling
>>  - add at least a per-project opt-in for dependency link handling
>> (and perhaps a global opt-in)
>>  - deprecate implicit handling of dependency links
>>
>> pip 1.6:
>>  - dependency links are disabled by default, must opt-in to process them
>>
>> Cheers,
>> Nick.
>
> What if pip 1.5 added a —no-dependency-links flag, and then pip 1.6 ignored
> them by default but if a package cannot be installed it would print something
> like…
>
> The package {foo} was unable to be found which was depended on by {bar},
> {bar} has suggested some additional links for locating dependencies, you
> can use any of them by using the —find-links flag such as pip install —find-links <url>.
>
> The suggested urls are:
>     https://…./
>     https://…./
>
> This allows users to opt in on a per url basis (and under the covers the implementation
> would be the same, dependency links just get added to find-links) without adding
> yet another flag.

With that error message, I think it's reasonable to do as Holger
suggests and opt out of processing them by default even in 1.5.

To me, the best part of the more aggressive timeline is it means
CPython would never ship a version of pip that allows that particular
attack vector by default.

In that approach, I'd still suggest offering a
"--process-dependency-links" flag and there wouldn't be a flag to turn
the processing off (since they'd be off by default). This suggestion
is born out of the "we don't know what happens inside corporate
firewalls" perspective, so I think it's beneficial to have a "make it
work the way it used to" fallback for at least one release.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Distutils-SIG mailing list