Hi. I'm following up on a discussion on the pip mailing list (https://groups.google.com/forum/#!topic/python-virtualenv/PZNj9pC6aKA/discussion), where I was directed here.
Would it be possible to add some kind of a flag to PyPI that would let package maintainers tell pip to install only the uploaded file (or possibly also the file given by a direct link), and no others?

Currently, pip aggressively tries to find the latest version of a package by crawling all links on the PyPI page, even those from older versions. This is a headache to me as a package maintainer because it means that pip is quite often installing the wrong thing. Recently, pip was trying to install our html docs because we had a file uploaded at Google Code named "sympy-0.7.1-html-docs", which it deemed to be a newer version than "sympy-0.7.1". There's also the issue that every time we put out a release candidate for a new version, pip starts installing that, when I would prefer it to only install stable final releases. It's also, as I noted on the other discussion list, a bit of a security risk.

According to the pip guys (namely, Carl Meyer), this is not so easy to change from their end because of backwards compatibility issues. I suggested that such a flag be added to PyPI, and they told me that if it were, they would accept a patch supporting it in pip. This would make it much less of a headache for me as a package maintainer, because I could know that pip will always install exactly what I want. It could be off by default to enable backwards compatibility.

Aaron Meurer

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
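The two failure modes the message describes (a documentation bundle out-ranking the real release, and a release candidate out-ranking the stable version) both come from treating whatever follows the project name in a crawled filename as a version. The following is an added illustration, not code from the original message and not pip's own implementation: a simplified model of a greedy crawler that does exactly that, beside a strict filter that accepts only canonical `<project>-<version>.<archive>` names and skips pre-releases unless explicitly allowed. The filenames in `CRAWLED_FILES` are constructed for the example.

```python
import re
from typing import Optional, Sequence, Tuple

# Constructed sample of filenames a crawler might find linked from a project page.
# These are illustrative only, not real download URLs.
CRAWLED_FILES = [
    "sympy-0.7.0.tar.gz",
    "sympy-0.7.1.tar.gz",
    "sympy-0.7.1-html-docs.tar.gz",   # documentation bundle, not a release
    "sympy-0.7.2rc1.tar.gz",          # release candidate
]

ARCHIVE_SUFFIXES = (".tar.gz", ".tar.bz2", ".zip")


def naive_version(filename: str, project: str) -> Optional[str]:
    """Greedy model: strip '<project>-' and the archive suffix, call the rest a version."""
    prefix = project + "-"
    if not filename.startswith(prefix):
        return None
    rest = filename[len(prefix):]
    for suffix in ARCHIVE_SUFFIXES:
        if rest.endswith(suffix):
            return rest[: -len(suffix)]
    return None


def naive_key(version: str) -> Tuple:
    """Legacy-style ordering: numbers compare numerically, words lexically, and any
    extra trailing token makes a version sort *after* the same version without it.
    Hence '0.7.1-html-docs' > '0.7.1' and '0.7.2rc1' > '0.7.1'."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok.lower())
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def naive_pick(files: Sequence[str], project: str) -> Optional[str]:
    """Return the filename the greedy model would install ("newest" by naive_key)."""
    candidates = []
    for f in files:
        v = naive_version(f, project)
        if v is not None:
            candidates.append((naive_key(v), f))
    return max(candidates)[1] if candidates else None


# Strict alternative: only '<project>-<N[.N...]>[a|b|rcN].<archive>' is a release.
STRICT_SDIST = re.compile(
    r"^(?P<name>[A-Za-z0-9_]+)-(?P<release>\d+(?:\.\d+)*)"
    r"(?P<pre>(?:a|b|rc)\d+)?\.(?:tar\.gz|tar\.bz2|zip)$"
)
PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def strict_key(filename: str, project: str, allow_prerelease: bool = False) -> Optional[Tuple]:
    """Return a PEP 440-like sort key for a canonical sdist name, or None to reject it.
    Final releases sort after their own pre-releases (0.7.2rc1 < 0.7.2)."""
    m = STRICT_SDIST.match(filename)
    if m is None or m.group("name").lower() != project.lower():
        return None                      # wrong project, or extra text after the version
    release = tuple(int(p) for p in m.group("release").split("."))
    pre = m.group("pre")
    if pre is None:
        return (release, 1, 0, 0)        # final release
    if not allow_prerelease:
        return None                      # skip rc/alpha/beta unless asked for
    tag, num = re.match(r"([a-z]+)(\d+)", pre).groups()
    return (release, 0, PRE_RANK[tag], int(num))


def strict_pick(files: Sequence[str], project: str, allow_prerelease: bool = False) -> Optional[str]:
    """Return the newest filename that passes the strict filter."""
    candidates = []
    for f in files:
        key = strict_key(f, project, allow_prerelease)
        if key is not None:
            candidates.append((key, f))
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    print("greedy, docs only  :", naive_pick(CRAWLED_FILES[:3], "sympy"))
    print("greedy, with rc    :", naive_pick(CRAWLED_FILES, "sympy"))
    print("strict, stable only:", strict_pick(CRAWLED_FILES, "sympy"))
    print("strict, allow rc   :", strict_pick(CRAWLED_FILES, "sympy", allow_prerelease=True))
```

The strict filter is this example's own rule, not a description of what pip or PyPI did at the time. It removes the two mis-selections by construction, but it still depends on every crawled link being trusted; the per-project flag requested in the message is a stronger control because it takes crawled links out of the candidate set entirely rather than relying on a filename pattern.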