[Distutils] Removing dependency_links

Nick Coghlan ncoghlan at gmail.com
Sun Oct 27 13:19:02 CET 2013


On 27 Oct 2013 18:38, "Marcus Smith" <qwcode at gmail.com> wrote:
>
>
>>
>> "we don't know what happens inside corporate firewalls"
>
>
> non-published use of dependency links could turn out to be the use-cases that we'd get complaints about
>
>
>>
>> To me, the best part of the more aggressive timeline is it means
>> CPython would never ship a version of pip that allows that particular
>> attack vector by default.
>>
>
> over IRC and on pypa-dev, I brought up the deprecate-first point of view in the context that we would be *removing the feature*.
> It's less drastic to flip defaults (and add a turn on)
>
> it's probably right that nobody will complain, but my thinking was this:
> - donald can add a hidden option for now for the sake of ensurepip (it wouldn't clutter the cli, and can be removed later care-free)

Yeah, we at least need to do that much to meet the "ensurepip doesn't talk
to the internet" guarantee.

> - separate from that, pip and setuptools deprecate together, then completely remove dep-links support. if it's bad, it's bad. get rid of it. let's reduce the options and clutter.

I'm happy to go with whatever you folks (as in pip & setuptools devs)
decide on that front. I prefer "flip the default & deprecate, then remove
later if nobody campaigns to keep it", but I'm also OK with the more
conservative "deprecate, then remove later".

Cheers,
Nick.
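The "we don't know what happens inside corporate firewalls" worry above is answerable locally: dependency links are extra download locations a distribution records in its own metadata, so an administrator can enumerate which installed packages carry any before the default is flipped. The audit below is an added example for this thread, not code from pip, setuptools or the people quoted here. It assumes the setuptools egg-info layout, where those locations are written one URL per line to `<name>.egg-info/dependency_links.txt`, and the trusted-host list is an assumption for the example rather than any pip default.

```python
"""Audit check: find installed distributions that still rely on dependency_links.

Added example, not code from the thread or from pip/setuptools. Assumes the
setuptools egg-info layout, where a distribution's extra download locations
are written one URL per line to <name>.egg-info/dependency_links.txt.
"""
import os
from urllib.parse import urlsplit

# Hosts a site may decide to trust for direct downloads; everything else is
# reported. This set is an assumption for the example, not a pip default.
TRUSTED_HOSTS = {"pypi.python.org", "pypi.org"}


def parse_dependency_links(text):
    """Return the non-empty, non-comment lines of a dependency_links.txt."""
    links = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            links.append(line)
    return links


def untrusted_links(links, trusted=TRUSTED_HOSTS):
    """Return the links whose scheme is not plain https or whose host is untrusted.

    VCS schemes such as git+https are flagged as well: the scheme is compared
    exactly, so anything that is not a direct https fetch is reported.
    """
    flagged = []
    for link in links:
        parts = urlsplit(link)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or host not in trusted:
            flagged.append(link)
    return flagged


def audit_site_packages(root, trusted=TRUSTED_HOSTS):
    """Walk an installed tree and map each egg-info dir to its flagged links."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath.endswith(".egg-info") and "dependency_links.txt" in filenames:
            path = os.path.join(dirpath, "dependency_links.txt")
            with open(path, encoding="utf-8") as fh:
                links = parse_dependency_links(fh.read())
            flagged = untrusted_links(links, trusted)
            if flagged:
                report[os.path.basename(dirpath)] = flagged
    return report


# Constructed sample of a dependency_links.txt for the demo below; the hosts
# and package names are made up.
SAMPLE = """\
https://pypi.python.org/simple/
http://internal.example.test/packages/foo-1.0.tar.gz#egg=foo-1.0
git+https://github.com/example/bar.git#egg=bar
"""

if __name__ == "__main__":
    for link in untrusted_links(parse_dependency_links(SAMPLE)):
        print("would be fetched from outside the index:", link)
```

Pointing `audit_site_packages` at a virtualenv's `site-packages` gives the list of distributions that would stop resolving once dependency links are no longer processed by default, which is the set of users a deprecation warning needs to reach.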
