On 27 Oct 2013 18:38, "Marcus Smith" <qwc...@gmail.com> wrote:
>
>>> "we don't know what happens inside corporate firewalls"
>
> non-published use of dependency links could turn out to be the use-cases that we'd get complaints about
>
>> To me, the best part of the more aggressive timeline is it means
>> CPython would never ship a version of pip that allows that particular
>> attack vector by default.
>
> over IRC and on pypa-dev, I brought up the deprecate first point of view in the context that we would be *removing the feature*.
> It's less drastic to flip defaults (and add a turn on)
>
> it's probably right that nobody will complain, but my thinking was this:
> - donald can add a hidden option for now for the sake of ensurepip (it wouldn't clutter the cli, and can be removed later care-free)

Yeah, we at least need to do that much to meet the "ensurepip doesn't talk to the internet" guarantee.

> - separate from that, pip and setuptools deprecates together, then completely removes dep-links support. if it's bad, it's bad. get rid of it. let's reduce the options and clutter.

I'm happy to go with whatever you folks (as in pip & setuptools devs) decide on that front. I prefer "flip the default & deprecate, then remove later if nobody campaigns to keep it", but I'm also OK with the more conservative "deprecate, then remove later".

Cheers,
Nick.
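The "flip the default and add a turn-on" option discussed above, modelled as an added example; this is not pip's or setuptools' code and is not from the thread. It assumes a toy installer that consults one trusted index plus any `dependency_links` a package declares, with the package metadata, the index URL and the `process_dependency_links` / `strict` parameter names all being constructed for the illustration. By default the package-declared links are ignored with a deprecation-style warning (the "ensurepip doesn't talk to the internet" behaviour), and they are only followed when the caller opts in explicitly.

```python
"""Added illustration (not pip's or setuptools' code): a toy resolver that
models "default off, explicit opt-in" for package-declared dependency
links.  SAMPLE_PACKAGE, TRUSTED_INDEX and the parameter names are
assumptions made for this example."""
import warnings
from urllib.parse import urlparse

# Constructed sample metadata, shaped like what a setup() call might declare.
SAMPLE_PACKAGE = {
    "name": "example-app",
    "install_requires": ["libfoo>=1.0"],
    # Arbitrary URLs the package asks the installer to scrape for its
    # dependencies: this is the "attack vector" the thread refers to,
    # because the package author, not the installing user, chooses them.
    "dependency_links": ["http://mirror.example.invalid/libfoo/"],
}

# The only source the installer trusts without being told otherwise (constructed).
TRUSTED_INDEX = "https://pypi.example.invalid/simple/"


class DependencyLinksDisabled(UserWarning):
    """Raised (as a warning) when declared dependency links are ignored."""


def resolve_sources(package, process_dependency_links=False, strict=True):
    """Return the list of URLs the installer is allowed to fetch from.

    The trusted index is always consulted.  Package-declared dependency_links
    are followed only when the caller opts in; by default they are dropped
    and a warning is emitted so maintainers notice the changed default.
    With strict=True, plain http:// links are refused even after opting in
    (an extra hardening choice for this example, not something the thread
    proposes).
    """
    sources = [TRUSTED_INDEX]
    links = package.get("dependency_links", [])
    if not links:
        return sources
    if not process_dependency_links:
        warnings.warn(
            f"{package['name']} declares dependency_links; ignored by default "
            "(pass process_dependency_links=True to follow them).",
            DependencyLinksDisabled,
            stacklevel=2,
        )
        return sources
    for link in links:
        if strict and urlparse(link).scheme != "https":
            raise ValueError(f"refusing non-HTTPS dependency link: {link}")
        sources.append(link)
    return sources


if __name__ == "__main__":
    print("default:", resolve_sources(SAMPLE_PACKAGE))
    print("opt-in, non-strict:",
          resolve_sources(SAMPLE_PACKAGE, process_dependency_links=True,
                          strict=False))
```

The point of keeping the opt-in as a parameter rather than deleting the code path is the one Marcus makes: the default becomes safe immediately, while anyone with an unpublished internal use of dependency links can still turn it back on and report that they need it before the path is removed for good.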
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig