[Distutils] .egg-info metadata

PJ Eby pje at telecommunity.com
Fri Sep 21 17:14:50 CEST 2012


On Fri, Sep 21, 2012 at 1:28 AM, Donald Stufft <donald.stufft at gmail.com> wrote:
> These fields were _not_ for saying that it required a particular
> distribution/project
> and _were_ for saying it requires a particular module or package (in the
> import sense).

Yes, but that was still sufficient information to implement a
dependency system, in theory.  Specifically, it would have worked for
the case where all projects are on PyPI and have correct metadata.

If you assume that condition, you can trivially solve all
dependencies; but if you don't assume that condition, you need
something like dependency links.


> I don't see why pushing the maintenance burden down the stack isn't an ok thing to do.

For the same reason that requiring someone to read the source code of
every function called by every function called by every function
called by code they use isn't an ok thing to do.


> A dependency that comes from dependency_links can't be installed from
> your own internal PyPI (or another public one) without rewriting the setup.py
> scripts (Unless my understanding of dependency links is wrong).

This is indeed wrong.  Dependency links are a last resort, used after
all other provided dependency resolution sources have failed.

I think I see where Nick is coming from now - when he said "you don't
know what's at the end of the URL", my first reaction was "WTF?", only
much more elaborate than "WTF", because I couldn't conceive of how
that's even remotely a meaningful comment.

However, if he, like you, thought that a dependency link means
"download and install this along with the package", then that's a
perfectly understandable further misconception.

That isn't how they work at all: they are simply links that
easy_install is *allowed* to use to resolve dependencies.  It doesn't
just download those URLs and install them.

If you depend on Foo and Bar, your standard requirements list *still
has to include Foo and Bar*!

The dependency links only say, "here are some places to *look* for Foo
and Bar, *if* you can't find them through the normal channels" (e.g.
PyPI, your local index server, already-installed files, links
specified on the command line, etc.).

In other words, they *supplement* the requirements metadata and index
system, they don't *subvert* it.


> I think that the choice to use them should be in the hands of the person
> _installing_ the package, not the person creating the package.

That's what --allow-hosts is for: easy_install can be locked down to
not install except from your local intranet or PyPI or whatever, and
it can be done on a sitewide basis by default (by settings in the
site's distutils.cfg).
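As an added illustration that is not part of this message and not setuptools' or easy_install's own code, the toy resolver below models the lookup order described above: only names listed in the requirements are ever resolved, the normal channel (an index) is consulted first, dependency links are consulted only as a last resort, and the installer-side allow-host list can veto any URL regardless of where it came from. The project names, index and link URLs are constructed sample data; the host patterns follow the comma-separated glob form that `--allow-hosts` accepts.

```python
"""Toy model of requirement resolution as described in the thread:
install_requires names what is needed, dependency_links only add places to
look after the index fails, and allow_hosts (installer side) filters hosts.
This is an added illustration, not setuptools/easy_install code."""
from fnmatch import fnmatch
from urllib.parse import urlparse

# Constructed sample data: the index knows about Foo but not Bar.
INDEX = {"Foo": "https://pypi.example.org/simple/Foo/Foo-1.0.tar.gz"}
DEPENDENCY_LINKS = [
    "https://pypi.example.org/simple/Foo/Foo-0.9.tar.gz",      # shadowed by index
    "https://downloads.internal.example/Bar-2.0.tar.gz",       # internal mirror
    "http://random.example.com/Bar-2.0.tar.gz",                # unknown host
]


def host_allowed(url, allow_hosts):
    """True if the URL's host matches any glob pattern in allow_hosts."""
    host = urlparse(url).hostname or ""
    return any(fnmatch(host, pattern) for pattern in allow_hosts)


def project_name(url):
    """Crude name extraction: filename text before the first '-'."""
    filename = url.rsplit("/", 1)[-1]
    return filename.split("-", 1)[0]


def resolve(install_requires, index, dependency_links, allow_hosts=("*",)):
    """Map each requirement to (source, url); (None, None) if unresolvable.

    Names that appear only in dependency_links but not in install_requires
    are never resolved: links supplement the requirements, they do not
    replace them."""
    result = {}
    for req in install_requires:
        url = index.get(req)
        if url is not None and host_allowed(url, allow_hosts):
            result[req] = ("index", url)
            continue
        # Last resort: dependency links, still subject to the allow list.
        chosen = (None, None)
        for link in dependency_links:
            if project_name(link) == req and host_allowed(link, allow_hosts):
                chosen = ("dependency_link", link)
                break
        result[req] = chosen
    return result


if __name__ == "__main__":
    # Unrestricted installer: Bar falls through to the internal link.
    print(resolve(["Foo", "Bar"], INDEX, DEPENDENCY_LINKS))
    # Locked-down installer: only *.example.org, so Bar is unresolvable.
    print(resolve(["Foo", "Bar"], INDEX, DEPENDENCY_LINKS, ["*.example.org"]))
```

The second call corresponds to a site-wide lockdown of the kind mentioned above; for easy_install that is the `allow_hosts` setting in the `[easy_install]` section of distutils.cfg (or `--allow-hosts` on the command line), which applies to index URLs and dependency links alike.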

