[Distutils] Please do not remove dependency_links

Hannes Schmidt hannes at ucsc.edu
Fri Jan 17 03:52:46 CET 2014

I read through the "Removing dependency_links" thread [1] and I beg you not
to follow through with the deprecation and removal of dependency_links and to
rethink your approach.

The mentioned thread indicates that research was done to gauge the
popularity of the dependency_links in publicly hosted Python projects. That
approach is fundamentally flawed: Publicly hosted projects are much more
likely to also be available on PyPI than private, closed-source projects.
Consequently, their dependencies are also more likely to be hosted on PyPI
as well. Because of that, they are much less likely to rely on the
dependency_links feature.

Another misconception seems to be that dependency_links is predominantly
used for installing patched or customized versions of dependencies hosted
on PyPI. I'm pretty sure the predominant use case for dependency_links is
with projects that are hosted privately, e.g. for an organization's
internal use. I represent such an organization and removing
dependency_links would impact us negatively. We host a set of internal
projects and their dependencies on Bitbucket and we rely on
dependency_links to install them directly from there.

I understand the motivation for this change – security – but there must be a
smarter way to handle it. Could we fall back to dependency_links if a PyPI
lookup isn't successful? Could we restrict dependency_links to links that
share a prefix with the link from which the package is currently being
installed? A combination of the two?


Hannes Schmidt
Software Application Developer
Data Migration Engineer
Cancer Genomics Hub
University of California, Santa Cruz

(206) 696-2316 (cell)
hannes at ucsc.edu
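The two safeguards proposed in the message above (consult dependency_links only when the index lookup fails, and accept only links that share a prefix with the URL the package itself is being installed from) can be sketched as a small policy check. This is an added example, not code from the post or from setuptools/pip; the install URL, the link list, the `depth` parameter controlling how much of the path counts as the trusted prefix, and the `pypi_has` callable standing in for an index lookup are all constructed assumptions.

```python
"""Policy sketch: restrict dependency_links to a trusted prefix and use them
only as a fallback after an index lookup fails. Example code, not setuptools."""
import posixpath
from urllib.parse import urlsplit, urlunsplit


def canonical(url):
    """Normalise a URL for comparison: lower-case scheme and host, collapse
    '..' segments in the path, and drop query and fragment.  Comparing the
    normalised form defeats '/org/../other/' tricks that a plain string
    prefix test would let through."""
    p = urlsplit(url)
    path = posixpath.normpath(p.path or "/")
    if p.path.endswith("/") and not path.endswith("/"):
        path += "/"
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, "", ""))


def trusted_prefix(install_url, depth=1):
    """scheme://host/ plus the first `depth` path segments of the install
    URL, always ending in '/'.  depth=1 on a Bitbucket-style URL yields the
    owning organisation, e.g. https://bitbucket.org/myorg/ (assumption: the
    first segment is the organisation)."""
    p = urlsplit(canonical(install_url))
    segments = [s for s in p.path.split("/") if s][:depth]
    path = "/" + "".join(s + "/" for s in segments)
    return urlunsplit((p.scheme, p.netloc, path, "", ""))


def filter_links(install_url, links, depth=1):
    """Split dependency_links into (allowed, rejected) by trusted prefix.
    The prefix includes the scheme, so an http:// link cannot satisfy an
    https:// install source, and the host is compared whole, so
    'https://bitbucket.org@evil.example/...' does not match."""
    prefix = trusted_prefix(install_url, depth)
    allowed, rejected = [], []
    for link in links:
        (allowed if canonical(link).startswith(prefix) else rejected).append(link)
    return allowed, rejected


def egg_name(link):
    """Project name from a '#egg=name-version' fragment, or None."""
    for part in urlsplit(link).fragment.split("&"):
        if part.startswith("egg="):
            return part[4:].split("-")[0]
    return None


def resolve(requirement, install_url, links, pypi_has, depth=1):
    """Fallback policy: ('pypi', None) when the index knows the project,
    otherwise ('dependency_link', url) for the first allowed link whose
    egg name matches, otherwise (None, None).  `pypi_has` is a stand-in
    for a real index query."""
    if pypi_has(requirement):
        return ("pypi", None)
    for link in filter_links(install_url, links, depth)[0]:
        if egg_name(link) == requirement:
            return ("dependency_link", link)
    return (None, None)


# Constructed sample input: an internal project on Bitbucket and the
# dependency_links its setup.py might declare, plus some hostile ones.
INSTALL_URL = "https://bitbucket.org/myorg/tools/get/1.2.tar.gz"
LINKS = [
    "https://bitbucket.org/myorg/libfoo/get/2.0.tar.gz#egg=libfoo-2.0",   # same org: ok
    "https://bitbucket.org/myorg/../otherorg/lib/get/1.0.tar.gz#egg=lib-1.0",  # traversal
    "http://bitbucket.org/myorg/libbar/get/1.0.tar.gz#egg=libbar-1.0",     # scheme downgrade
    "https://bitbucket.org@evil.example/myorg/x.tar.gz#egg=x-1.0",        # host spoof
    "https://pypi.python.org/simple/requests/#egg=requests",               # other host
]


def index_has(name):
    """Stand-in index lookup: pretend only 'requests' is on PyPI."""
    return name == "requests"


if __name__ == "__main__":
    allowed, rejected = filter_links(INSTALL_URL, LINKS)
    print("trusted prefix:", trusted_prefix(INSTALL_URL))
    print("allowed:", allowed)
    print("rejected:", rejected)
    for req in ("requests", "libfoo", "lib"):
        print(req, "->", resolve(req, INSTALL_URL, LINKS, index_has))
```

Running the block with the constructed input keeps only the same-organisation link and reports `requests` as served by the index, `libfoo` as served by its dependency link, and `lib` as unresolvable because its only link was rejected.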