[Catalog-sig] Flag to tell pip to only install uploaded files
Aaron Meurer
asmeurer at gmail.com
Sat Jun 23 02:21:10 CEST 2012
Hi.
I'm following up on a discussion on the pip mailing list
(https://groups.google.com/forum/#!topic/python-virtualenv/PZNj9pC6aKA/discussion),
where I was directed here.
Would it be possible to add some kind of a flag to PyPI that would let
package maintainers tell pip to install only the uploaded file (or
possibly also the file given by a direct link), and no others?
Currently, pip aggressively tries to find the latest version of a
package by crawling all links on the PyPI page, even those from older
versions. This is a headache to me as a package maintainer because it
means that pip is quite often installing the wrong thing. Recently,
pip was trying to install our html docs because we had a file uploaded
at Google Code named "sympy-0.7.1-html-docs", which it deemed to be a
newer version than "sympy-0.7.1". There's also the issue that every
time we put out a release candidate for a new version, pip starts
installing that, when I would prefer it to only install stable final
releases. It's also, as I noted on the other discussion list, a bit
of a security risk.
According to the pip guys (namely, Carl Meyer), this is not so easy to
change from their end because of backwards compatibility issues. I
suggested that such a flag be added to PyPI, and they told me that if
it were, they would accept a patch supporting it in pip. This would
make it much less of a headache for me as a package maintainer,
because I could know that pip will always install exactly what I want.
It could be off by default to enable backwards compatibility.
Aaron Meurer
More information about the Catalog-SIG
mailing list