[Distutils] Removing dependency_links
ncoghlan at gmail.com
Sun Oct 27 21:29:02 CET 2013
On 28 Oct 2013 03:44, "Donald Stufft" <donald at stufft.io> wrote:
> Here’s the list of dependency links for the projects that still use them
> in their latest releases:
> A good number of them are either bogus, are pointing directly to PyPI, or
> are file:// urls that are highly unlikely to exist on anyone's computer but
> the author’s. All in all there are 307 total unique links in this set of
> packages, and 99 of them are not reachable from my computer
> (requests.get(…) raises an exception).
> So honestly I think this could just go away completely. I don’t see any
> use for it anymore and apparently neither does most of PyPI.
When making compatibility decisions, it's worth remembering that
pre-packaged software (let alone the open source subset of that) is only
the tip of a very large software iceberg that, as far as I am aware, still
consists mostly of custom purpose specific code written for particular
In this case, I think the vulnerability argument is strong enough and good
use cases rare enough to justify turning dependency link support off by
default, but it should be easy to turn back on in at least pip 1.5 as a
risk mitigation strategy.
> On Oct 27, 2013, at 1:00 PM, Donald Stufft <donald at stufft.io> wrote:
> > More numbers, of the 411 projects who have ever used dependency links,
> > only 311 of them use them in their latest release.
> > -----------------
> > Donald Stufft
> > PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372
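The survey Donald describes above (sorting dependency links into bogus, PyPI-pointing, file:// and unreachable ones) is easy to reproduce for your own packages, which is useful when deciding whether the risk-mitigation flag Nick mentions (pip 1.5 shipped dependency link processing off by default, re-enabled with `--process-dependency-links`) can stay off. The script below is an added example, not code from this thread or from pip; the sample links, the `PYPI_HOSTS` set and the `probe` hook are assumptions made for illustration, and the default run touches no network.

```python
"""Classify the dependency_links of a package the way the survey above does.

Added example, not from the thread or from pip. SAMPLE_LINKS is a
constructed sample; PYPI_HOSTS is an assumed list of hostnames that count
as "pointing directly to PyPI".
"""
from collections import Counter
from urllib.parse import urlparse
from urllib.request import urlopen

# Assumed: hosts that mean the link is redundant with the index itself.
PYPI_HOSTS = {"pypi.python.org", "pypi.org", "files.pythonhosted.org"}

# Constructed sample covering each category the survey mentions.
SAMPLE_LINKS = [
    "http://pypi.python.org/simple/somepkg/",                        # points at PyPI
    "file:///home/author/src/somepkg/dist/",                         # author's disk only
    "http://example.invalid/downloads/somepkg-1.0.tar.gz",           # external, dead host
    "not a url at all",                                              # bogus
    "https://github.com/example/somepkg/tarball/master#egg=somepkg",  # external
]


def classify(link):
    """Return one of 'file', 'bogus', 'pypi' or 'external' for a link."""
    parts = urlparse(link)
    if parts.scheme == "file":
        return "file"
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "bogus"
    if parts.netloc.lower() in PYPI_HOSTS:
        return "pypi"
    return "external"


def http_reachable(link, timeout=5):
    """Network probe in the spirit of requests.get(...): True unless it raises."""
    try:
        with urlopen(link, timeout=timeout):
            return True
    except Exception:
        return False


def survey(links, probe=None):
    """Count links per category; with a probe, also count unreachable externals.

    probe is a callable link -> bool (e.g. http_reachable). It is only
    applied to 'external' links, since file:// and bogus links are not
    fetchable and PyPI links are redundant with the index anyway.
    """
    counts = Counter(classify(link) for link in links)
    if probe is not None:
        externals = [link for link in links if classify(link) == "external"]
        counts["unreachable"] = sum(1 for link in externals if not probe(link))
    return dict(counts)


if __name__ == "__main__":
    # Offline run: categorise only. Pass probe=http_reachable to also
    # check which external links still resolve.
    for link in SAMPLE_LINKS:
        print(f"{classify(link):9s} {link}")
    print(survey(SAMPLE_LINKS))
```

Only the `external` links are worth keeping at all; a package whose links are entirely `file`, `bogus` or `pypi` loses nothing when dependency link processing stays disabled, and an `external` link that the probe reports unreachable is one pip would have followed to a host that no longer answers.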