[Distutils] PEP 438, pip and --allow-external (was: "pip: cdecimal an externally hosted file and may be unreliable" from python-dev)

Paul Moore p.f.moore at gmail.com
Sat May 10 14:24:21 CEST 2014


On 10 May 2014 12:57, Nick Coghlan <ncoghlan at gmail.com> wrote:
> Actually, I expect folks like Stefan & MvL would likely want to be able to
> preserve the current "--allow-external" behaviour. The change Donald is
> suggesting could then just be a matter of renaming the current
> "--allow-external" to "--allow-safe-external", and making "--allow-external"
> and "--allow-unverifiable" synonyms.
>
> The error messages would still recommend "--allow-external", since that is
> likely what would be needed to solve any installation problems related to
> externally hosted files.

The thing is, the current --allow-external helps basically no-one. If
the people who wanted the behaviour preserved switched their packages
to include hashes, so that they didn't *also* need
--allow-unverifiable, then keeping both (in some form) would make more
sense. But at the moment, the *only* people who can justifiably say
they want --allow-external to be retained are the authors of the
26[1][2] verifiable but external packages on PyPI, and that's not a
big enough group to justify the confusion caused by having two similar
but subtly different options.

Paul

[1] See Donald's email. "And looking even closer at those, only 0.07%
(26) of them will have the outcome of ``pip install whatever`` change
(in other words, the latest version requires external+safe)."
[2] Apologies if Stefan and MAL are among those authors - it's not
clear to me if that's the case from the information I have. But even
if they are, the numbers argument is still pretty compelling.
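The distinction Paul is drawing between "verifiable but external" packages and those that also need --allow-unverifiable comes down to whether the download link carries a hash fragment. The following is an added illustration, not code from this thread or from pip itself: it classifies a link the way PEP 438 describes (served by the index, external with a hash fragment, or external without one), gates it by the two flags as the thread describes current pip behaviour (my reading of the discussion, not pip's source), and checks a downloaded artifact against the pinned hash. The host name, URLs, package bytes and digests are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urldefrag, urlparse

# Constructed values for the example; not real PyPI data.
INDEX_HOST = "pypi.python.org"
SAMPLE_DATA = b"constructed sdist contents for the example\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_DATA).hexdigest()
VERIFIABLE_URL = f"https://files.example.org/foo-1.0.tar.gz#sha256={SAMPLE_SHA256}"
UNVERIFIABLE_URL = "https://files.example.org/foo-1.0.tar.gz"
INTERNAL_URL = (
    f"https://{INDEX_HOST}/packages/source/f/foo/foo-1.0.tar.gz"
    "#md5=0123456789abcdef0123456789abcdef"
)


def parse_hash_fragment(fragment):
    """Return (algorithm, hex_digest) for an '<alg>=<hex>' fragment, else (None, None)."""
    name, sep, value = fragment.partition("=")
    name = name.lower()
    if sep and value and name in hashlib.algorithms_guaranteed:
        return name, value.lower()
    return None, None


def classify_link(url, index_host=INDEX_HOST):
    """Classify a download link in PEP 438 terms.

    'internal'              : hosted by the index itself
    'external-verifiable'   : hosted elsewhere, but pinned by a hash fragment
    'external-unverifiable' : hosted elsewhere with nothing to check it against
    """
    base, fragment = urldefrag(url)
    host = (urlparse(base).hostname or "").lower()
    algorithm, digest = parse_hash_fragment(fragment)
    if host == index_host:
        return "internal", algorithm, digest
    if algorithm:
        return "external-verifiable", algorithm, digest
    return "external-unverifiable", None, None


def install_allowed(category, allow_external=False, allow_unverifiable=False):
    """Gate a link by the flags discussed in the thread (assumed reading of
    the current behaviour): internal links always install, verifiable
    external links need --allow-external, and unverifiable external links
    need both --allow-external and --allow-unverifiable."""
    if category == "internal":
        return True
    if category == "external-verifiable":
        return allow_external
    return allow_external and allow_unverifiable


def verify_download(data, algorithm, expected_hex):
    """Check downloaded bytes against the hash pinned in the link (constant-time compare)."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


if __name__ == "__main__":
    for url in (INTERNAL_URL, VERIFIABLE_URL, UNVERIFIABLE_URL):
        category, algorithm, digest = classify_link(url)
        print(f"{category:24s} allowed with --allow-external only: "
              f"{install_allowed(category, allow_external=True)}")
    _, algorithm, digest = classify_link(VERIFIABLE_URL)
    print("intact download verifies:", verify_download(SAMPLE_DATA, algorithm, digest))
    print("tampered download verifies:", verify_download(SAMPLE_DATA + b"x", algorithm, digest))
```

The point of the hash fragment is that an external file becomes checkable by the client: a substituted or corrupted download fails `verify_download` even though the index never hosted the file. Without the fragment there is nothing to check, which is why the thread treats such links as needing a separate, more explicit opt-in.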

