Hi Holger,

On 10/11/2014 12:31 AM, holger krekel wrote:
> I understand that as a fairly generic security statement. But I was trying to
> rather ask about use cases and scenarios where precisely the
> --extra-index-url option is useful and to be recommended.
> I'd be grateful if Nick or you could still describe use cases,
> especially outside PEP470 external links context (the option existed
> before so I presume there must be some use cases).

I don't use it anymore (because these days for everything other than interactive playing around, I install only from a curated local index specifically limited to each project's dependencies using --no-index and --find-links), but I used to use it.

My use case was this: generally dependencies were installed from PyPI, but occasionally I would need to patch a dependency, so I would create an sdist with a patched version number (e.g. if I patched 2.0.1, I would create an sdist for version 2.0.1.obc1, where "obc" is a tag based on my company name or the project) and add this patched sdist to my own index, which I would add to my installs with --extra-index-url.

Because I used a patched version number and pinned all dependencies exactly, it didn't matter to me that both PyPI and my "extra index" were considered for installation; in fact that was convenient, since it meant I could very easily upgrade to a newer PyPI release. I never used it for "private" non-PyPI packages.

Carl

_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
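
Added example, not part of the original message or of pip's code: a simplified Python model of the workflow described above, in which candidates from PyPI and an extra index are merged and an exact pin on a distinctly numbered patched release decides what is installed. The package name `somedep`, the index contents and the toy `sort_key` ordering are assumptions made for illustration; the last case shows why reusing an upstream version number for the patched build would leave the source ambiguous.

```python
# Added illustration: simplified model of selection across several indexes.
# Package name, index names and index contents are constructed sample data.

INDEXES = {
    "pypi": {"somedep": ["2.0.0", "2.0.1", "2.1.0"]},
    "extra": {"somedep": ["2.0.1.obc1"]},  # patched sdist, distinct version
}


def sort_key(version):
    # Toy ordering (an assumption, not pip's version parser): numeric parts
    # compare as integers; a non-numeric tag sorts below any number in the
    # same position.
    return [(1, int(p), "") if p.isdigit() else (0, 0, p)
            for p in version.split(".")]


def candidates(name, indexes):
    # Every configured index contributes candidates; none takes priority.
    return [(v, idx) for idx, pkgs in indexes.items()
            for v in pkgs.get(name, [])]


def select(name, indexes, pin=None):
    """Return (version, sorted list of indexes offering that version)."""
    found = candidates(name, indexes)
    if pin is not None:
        found = [c for c in found if c[0] == pin]  # exact '==' pin
    if not found:
        raise LookupError(f"no candidate for {name} (pin={pin})")
    best = max(found, key=lambda c: sort_key(c[0]))[0]
    return best, sorted(idx for v, idx in found if v == best)


if __name__ == "__main__":
    # Pinned to the patched release: only the extra index can satisfy it.
    print(select("somedep", INDEXES, pin="2.0.1.obc1"))
    # Moving the pin to a newer upstream release needs no index changes.
    print(select("somedep", INDEXES, pin="2.1.0"))
    # Unpinned: the highest version across all indexes wins.
    print(select("somedep", INDEXES))
    # Patched build reusing the upstream number: two sources match the pin.
    reused = {"pypi": INDEXES["pypi"], "extra": {"somedep": ["2.0.1"]}}
    print(select("somedep", reused, pin="2.0.1"))
```

A result listing more than one index for a pinned version means the pin alone does not determine which file is installed.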
