On Fri, Sep 21, 2012 at 3:06 AM, Nick Coghlan <[email protected]> wrote:
> On Fri, Sep 21, 2012 at 2:57 PM, PJ Eby <[email protected]> wrote:
>> This is no more guesswork than the PyPI /simple index discovery protocol is.
>
> You have zero idea what's at the end of a URL link. You're just hoping
> it's the file you expect.

If that's really a problem, you can include an #md5 tag in the link, and easy_install will refuse to install it if it doesn't match.

However, in a major common use case for dependency links, the person who put the link in knows *exactly* what's at the end of that link, because it's a URL they control with contents they produced.

I think, though, that maybe you're confused about how these links work. A dependency link has to be one of two types:

1. A "direct link" (a link that's recognizable as a distribution, either because its final path component is a distribution filename or because it's tagged with an #egg identifier), or

2. An "indirect link", which will be treated as an HTML page and scanned for direct links.

This is the *same* protocol used with the PyPI /simple index, or more precisely, it's a *subset* of that protocol. (Index pages are scanned for indirect links tagged as a home page or download URL; this extension is not supported for dependency links.)

_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
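
The link rules described in the message above, as an added example that is not part of the original post and is not setuptools code: it classifies a dependency link as direct or indirect and rejects a download whose MD5 differs from the link's #md5 tag. The suffix list, function names and the example.com URL are assumptions made for this sketch, and the sample bytes are constructed.

```python
import hashlib
import re
from urllib.parse import urlsplit, unquote

# Assumed list of distribution filename suffixes (chosen for this example).
DIST_SUFFIXES = (".egg", ".tar.gz", ".tgz", ".tar.bz2", ".zip")
MD5_TAG = re.compile(r"(?:^|&)md5=([0-9a-fA-F]{32})(?:&|$)")
EGG_TAG = re.compile(r"(?:^|&)egg=[^&]+")

# Constructed sample: stand-in archive bytes and a link pinned to their digest.
SAMPLE = b"constructed sample archive bytes"
SAMPLE_URL = ("https://example.com/dl/Foo-1.0.tar.gz#md5="
              + hashlib.md5(SAMPLE).hexdigest())


def classify_link(url):
    """Return (kind, expected_md5) where kind is "direct" or "indirect"."""
    parts = urlsplit(url)
    # Final path component decides whether the URL names a distribution file.
    filename = unquote(parts.path.rsplit("/", 1)[-1]).lower()
    tagged = EGG_TAG.search(parts.fragment) is not None
    kind = "direct" if tagged or filename.endswith(DIST_SUFFIXES) else "indirect"
    md5 = MD5_TAG.search(parts.fragment)
    return kind, (md5.group(1).lower() if md5 else None)


def verify_download(url, content):
    """Return "verified" or "unverified"; raise ValueError on a mismatch."""
    kind, expected = classify_link(url)
    if kind != "direct":
        # Indirect links are HTML pages to be scanned, not installable files.
        raise ValueError("indirect link: scan the page for direct links first")
    if expected is None:
        return "unverified"  # no #md5 tag, so nothing pins the content
    actual = hashlib.md5(content).hexdigest()
    if actual != expected:
        raise ValueError("md5 mismatch: expected %s, got %s" % (expected, actual))
    return "verified"


if __name__ == "__main__":
    print(classify_link(SAMPLE_URL))
    print(verify_download(SAMPLE_URL, SAMPLE))
```
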
