I remember the Turbogears project used this feature as part of their standard
installation procedure. They would host their dependencies in a particular
location to explicitly manage the versions available for the larger suite (so
that even if a dependency's dependency allowed a version incompatible or
untested with the suite, it wouldn't be included in the install).
I've used the command-line parameter for the same property (--find-links) to
install a package against private, patched, or otherwise one-off builds of
dependency packages in a self-hosted directory.
What is the proposed replacement for those use-cases if dependency-links is
deprecated?
> -----Original Message-----
> From: pypa...@googlegroups.com [mailto:pypa...@googlegroups.com]
> On Behalf Of Donald Stufft
> Sent: Saturday, 26 October, 2013 08:44
> To: pypa-dev; Nick Coghlan
> Subject: pip and dependency links
>
> Setuptools has a "feature" called dependency links which allows one project
> to provide places to look for another project. I think this is dead wrong.
> Not only should project A not be able to tell you where to get project B, but
> in general control of *where* something is installed from should be up to the
> person doing the installing, not the projects they are installed from.
>
> I'd like to remove this in 1.5 as I believe it a security issue. At the very
> least we need a flag to disable dependency links as this is causing the
> ensurepip module to reach out to the internet even with -no-index passed in.