Dependency links in pip 1.6 #2023

Closed
corpix opened this Issue Sep 10, 2014 · 10 comments

corpix commented Sep 10, 2014

Received warning:

Dependency Links processing has been deprecated with an accelerated time schedule and will be removed in pip 1.6

What should be used instead of dependency links?

Member

dstufft commented Sep 11, 2014

Generally you should use a requirements.txt file, however we've decided not to remove the --process-dependency-links flag in 1.6 but will remove it in a future version.

dstufft closed this Sep 11, 2014


miraculixx commented Oct 4, 2014

+1 -- private package deployment needs dependency links, requirements.txt are a bad replacement as they remove the self-description of a package. Thanks for keeping it in for the time being.

Author

corpix commented Oct 5, 2014

@miraculixx I like the way NPM manages dependencies and I'll be glad to see something like this in PIP.


rndD commented Nov 15, 2014

+1


hannes-ucsc commented Feb 25, 2015

What I don't understand is how requirements.txt is considered a replacement for dependency_links? Dependency_links allows me to do "pip install git+ssh:..." and it automatically installs all dependencies, from PyPI or my own Git repositories. With requirements this becomes a much more involved process: git clone, cd project, pip install -r requirements.txt, python setup.py install.

Also what is so bad about dependency_links that it needs to go?

Member

dstufft commented Feb 25, 2015

The problem with dependency links is that for public packages, like those hosted on PyPI, you shouldn't have pip install foo randomly reaching out to different locations on the internet to fetch dependencies from. That's something that should require explicit authorization from the person doing the installation. Which is why we originally deprecated them (and even removed temporarily).

However it came to light that there was an important use case we were missing, namely that of the cases where you have private packages that you want to install, maybe from Git or a personal PyPI or whatever. Since we realized that we weren't yet handling that use case well, we delayed the removal of --process-dependency-links and we've added to PEP 440 the concept of a "direct dependency", which would be used similarly to dependency links. None of the tooling supports these yet, so we haven't yet removed --process-dependency-links, however once the tooling does, we will. A key difference between direct dependencies and dependency links is that, because it's part of the new metadata standard, there's no legacy of packages on PyPI that have it, so we can just unconditionally allow it in pip, and rely on PyPI rejecting uploads that contain them to prevent them from being used in "public" projects.


hannes-ucsc commented Feb 26, 2015

So I guess s/direct dependencies/direct references/ in PEP 440, right?

If that mechanism allows me to specify in setup.py of project Foo hosted at git+https://github.com/hannes/Foo the following dependency declaration

    setup(
        install_requires=[
            "Bar@git+https://github.com/hannes/Bar@stable",
            ...
        ],
        ...)

then I am happy.
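
An added example, not part of the thread and not pip's own code: a pre-install audit that picks the PEP 440 direct references (the `Name@url` form in the declaration above) out of an `install_requires` list and checks each URL's host against an operator-supplied allowlist, which is one way to make the "explicit authorization" concern raised earlier in the thread concrete. The function name, the allowlist, the transport policy and the sample requirements are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# PEP 440 direct reference: "<name>[extras] @ <url>", spaces around "@" optional.
DIRECT_REF = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\]\s*)?@\s*(?P<url>\S+)"
)
SAFE_TRANSPORTS = {"https", "ssh"}  # assumption: local policy, not a pip rule


def audit(install_requires, allowed_hosts):
    """Return (name, host, verdict) for each requirement that bypasses the index."""
    results = []
    for req in install_requires:
        m = DIRECT_REF.match(req)
        if m is None:
            continue  # plain "name" or "name>=1.0": resolved by the configured index
        parts = urlsplit(m.group("url"))
        host = (parts.hostname or "").lower()
        transport = parts.scheme.lower().split("+")[-1]  # "git+https" -> "https"
        if host not in allowed_hosts:
            verdict = "host not allowlisted"
        elif transport not in SAFE_TRANSPORTS:
            verdict = "unencrypted transport"
        else:
            verdict = "ok"
        results.append((m.group("name"), host, verdict))
    return results


# Constructed sample input: the first direct reference is the one from the thread,
# the other two use made-up hosts.
SAMPLE_REQUIRES = [
    "requests>=2.0",
    "Bar@git+https://github.com/hannes/Bar@stable",
    "Baz @ git+http://git.example.internal/team/Baz@v1",
    "Qux @ https://files.example.net/Qux-1.0.tar.gz",
]
ALLOWED_HOSTS = {"github.com", "git.example.internal"}  # hypothetical allowlist

if __name__ == "__main__":
    for row in audit(SAMPLE_REQUIRES, ALLOWED_HOSTS):
        print(row)
```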

Member

dstufft commented Feb 26, 2015

Er, yea, got the terminology wrong. Yes, that's the idea. It doesn't do that yet, but that's the goal.


miraculixx commented Feb 27, 2015

> we've added to PEP 440 the concept of a "direct dependencies"

👍


csojinb-picwell commented Mar 12, 2015

Hooray! Thanks for recognizing this need. I've spent my whole morning trying to figure out what I'm supposed to be using other than dependency links, for private packages.
