Fix support for url sourced packages in pip installer#1306
This change fixes the installation of packages using a url source. Previously, the installer attempted to install the package using the name ignoring the source url.
You're on a roll with these fixes! Thanks!
I'm trying to figure out how this interacts with
...especially if there are security implications. I'll need time to get up to speed. Any insights you have welcome. Maybe a dumb question but would this feature allow replacement of arbitrary packages? For example if I
@brycedrennan my 2 cents here is that using a url to install a dependency, while not the best of solutions, has valid scenarios (#1297 being an example). This should be allowed at a project maintainer's discretion, hopefully with an understanding of the side-effects. Short answer to your question regarding arbitrary packages is, yes. The changes in this PR are aimed at only fixing the current expected behavior that was introduced in #1260. I do think that we should keep track of the pypa community discussions around dependency links as we are relying on pip under the hood for installation. Additionally, I'd consider the security discussion to be of broader scope and warranting a separate issue discussing any actions, even if it is adding further documentation, that need to be taken. With web urls, we could probably rely on content hash to detect changes but that would most likely be the extent of low-effort technical solutions.
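The two points raised above (hand pip the url rather than the bare name, and pin a content hash so a replaced archive at the same url is caught) as an added illustration; this is constructed example code, not pipenv's installer or code from the PR, and the Pipfile-style entries, the `example.invalid` url and the placeholder hash are assumptions:

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample of Pipfile-style [packages] entries (not from the PR).
SAMPLE_PACKAGES = {
    "requests": "*",
    "six": {"version": "==1.11.0"},
    "mypkg": {
        "file": "https://example.invalid/mypkg-1.0.tar.gz",
        "hashes": ["sha256:PLACEHOLDER-PIN-FROM-LOCKFILE"],
    },
}

def build_requirement(name, spec):
    """Return the requirement string pip should be handed for one entry.

    An entry with a 'file' url must be passed as the url itself; passing the
    bare name makes pip resolve a same-named project from the index instead,
    which is the bug this PR fixes. The '#egg=' fragment names the project
    the archive provides so pip can match it to the dependency.
    """
    if isinstance(spec, str):
        return name if spec == "*" else f"{name}{spec}"
    url = spec.get("file")
    if url is None:
        version = spec.get("version", "*")
        return name if version == "*" else f"{name}{version}"
    scheme = urlsplit(url).scheme
    if scheme not in ("http", "https", "file"):
        raise ValueError(f"{name}: unsupported url scheme {scheme!r}")
    return url if "#egg=" in url else f"{url}#egg={name}"

def sha256_pin(data):
    """Hash archive bytes in the 'sha256:<hex>' form lockfiles use."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def verify_archive(data, pinned):
    """True only if the downloaded bytes match one of the pinned hashes.

    Run this before handing the archive to pip, so that a file silently
    replaced at the same url is rejected rather than installed.
    """
    return sha256_pin(data) in pinned

if __name__ == "__main__":
    for name, spec in SAMPLE_PACKAGES.items():
        print(build_requirement(name, spec))
    archive = b"constructed archive bytes"  # stands in for a downloaded file
    print(verify_archive(archive, [sha256_pin(archive)]))
```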
Well said. I agree that this is part of a broader discussion. I'll take a look at this.
Thanks!
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
This change fixes the installation of packages using a url source.
Previously, the installer attempted to install the package using the
name ignoring the source url.
Closes: #1297