On Tue, 29 Jan 2019 at 13:16, Nick Coghlan <ncogh...@gmail.com> wrote:
>
> On Tue, 29 Jan 2019 at 20:09, Paul Moore <p.f.mo...@gmail.com> wrote:
> > OK, I think that it may well be in that case that URL specifiers don't
> > satisfy that specific use case that dependency_links did[1]. But URL
> > specifiers were *intended* to replace dependency_links, so if they
> > don't do so then it's likely because users of dependency_links didn't
> > successfully explain their requirements, and something got missed as a
> > result.
>
> It wasn't an accident - the design of dependency links lets arbitrary
> packages in your dependency tree send your installer off to spider
> random sites on the internet for packages, and then when those sites
> break, your installation breaks.

Thanks for the clarification Nick. I couldn't remember the details
here, so wasn't able to be definite.

> So URL specifiers replaced the part of dependency links that we
> actually wanted to keep:

And in the context of pip's deprecation process, that's quite
important. By deprecating dependency links, we're not saying "... and
here's a complete replacement". Rather it's a genuine deprecation,
we're *removing* functionality. At some point, that message got lost.

There's a lesson here for pip, in that we've not communicated that
intention very well (users clearly expect a replacement for *all* of
the functionality of dependency links, and that URL specifiers are
that replacement). And we've been extremely hesitant (to the detriment
of the message) about clearly stating the "bad news". Hopefully we can
learn from that mistake (but whether our users will be keen on us
learning to "be firmer about sticking to our guns when removing
functionality" is not obvious ;-))

Also, I don't think that users simply waiting for the pip developers
to tell them how to modify their workflows to cater for the removal of
dependency-links functionality is particularly helpful :-( Again, we
could probably have been better at saying "this is your problem to
solve, not ours" but nevertheless, the pip developers are responsible
for providing a secure, stable tool, not for designing project
workflows that use that tool.

Paul
--
Distutils-SIG mailing list -- distutils-sig@python.org
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/NPSH3LDS3NTMTUU6XQUXFS76IX3G2AYW/