[Distutils] some questions about PEP470

Carl Meyer carl at oddbird.net
Sun Oct 12 02:48:18 CEST 2014


Hi Holger,

On 10/11/2014 12:31 AM, holger krekel wrote:
> I understand that as a fairly generic security statement.  But I was trying to
> rather ask about use cases and scenarios where precisely the
> --extra-index-url option is useful and to be recommended.
> I'd be grateful if Nick or you could still describe use cases,
> especially outside PEP470 external links context (the option existed 
> before so I presume there must be some use cases).

I don't use it anymore (because these days for everything other than
interactive playing around, I install only from a curated local index
specifically limited to each project's dependencies using --no-index and
--find-links), but I used to use it. My use case was this: generally
dependencies were installed from PyPI, but occasionally I would need to
patch a dependency, so I would create an sdist with a patched version
number (e.g. if I patched 2.0.1, I would create an sdist for version
2.0.1.obc1, where "obc" is a tag based on my company name or the
project) and add this patched sdist to my own index, which I would add
to my installs with --extra-index-url.

Because I used a patched version number and pinned all dependencies
exactly, it didn't matter to me that both PyPI and my "extra index" were
considered for installation; in fact that was convenient, since it meant
I could very easily upgrade to a newer PyPI release.

I never used it for "private" non-PyPI packages.

Carl
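
The workflow in this message depends on two properties of the requirements list: every dependency is pinned exactly, and patched builds carry a distinguishing version tag. The following is an added example, not code from the message or from pip, that checks both; the sample file, the package names and the `audit` helper are assumptions made for illustration.

```python
import re

# Constructed sample requirements file; package names are placeholders.
SAMPLE = """\
# project dependencies
requests==2.4.1
somelib==2.0.1.obc1
otherlib>=1.0
thirdlib
"""

# "name == exact version"; a wildcard such as ==1.* does not count as a pin.
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s*]+)$")


def audit(text, tag="obc"):
    """Split requirement lines into (pinned, patched, unpinned).

    pinned:   {name: version} for exact pins without the patch tag
    patched:  {name: (upstream_version, patch_revision)} for tagged pins
    unpinned: requirement lines that are not exact '==' pins
    """
    # Matches the message's 2.0.1.obc1 form; the PEP 440 local-version
    # spelling 2.0.1+obc1 is accepted as well.
    tag_re = re.compile(r"^(.+?)[.+]" + re.escape(tag) + r"(\d+)$")
    pinned, patched, unpinned = {}, {}, []
    for raw in text.splitlines():
        # Drop comments and environment markers before checking the pin.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):  # blank line or pip option
            continue
        m = PIN.match(line)
        if not m:
            unpinned.append(line)
            continue
        name, version = m.group(1).lower(), m.group(2)
        t = tag_re.match(version)
        if t:
            patched[name] = (t.group(1), int(t.group(2)))
        else:
            pinned[name] = version
    return pinned, patched, unpinned


if __name__ == "__main__":
    pinned, patched, unpinned = audit(SAMPLE)
    print("exact pins:", pinned)
    print("patched pins (tagged):", patched)
    print("not pinned exactly:", unpinned)
```

Any entry in the third list is a requirement whose installed version can change depending on what each configured index offers.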
