Ignore external and unsafe urls aka PEP438 #985
Implements Phase 2 of PEP 438.
Adds a number of index options:
All changes are gated on the API version of the page being >= 2. This means that older indexes, Apache indexes, etc. will continue to use the old processing rules.
There is also a speed boost involved here, as pip will ignore the homepage and download URLs if the current options would not allow installing anything from them anyway.
The default action currently is to install but warn. In the future (1.5?) pip will default to
URLs directly passed in via the command line, requirements files, etc. are always considered verifiable and secure.
I'm going to add this to the 1.4 milestone because I'd like to add it to 1.4 because I think it's an important change to both speed up installs and enable a path towards a more secure installation story. That being said, if it's decided not to add this to 1.4 I can live with that (but I'd really love it if I didn't have to!).
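Added example, not part of the pull request or pip's own code: a sketch of the gating described above, classifying the links on an index page only when the page declares API version 2 or higher. The sample page, the category names and the `classify` function are constructed for illustration; the `api-version` meta tag, `rel="internal"` and the hash-fragment rule are assumed from PEP 438.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

HASHES = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}

# Constructed sample index page (not output from a real index).
SAMPLE_PAGE = """<html><head><meta name="api-version" value="2" /></head><body>
<a href="../../packages/demo-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef" rel="internal">1.0</a>
<a href="https://files.example.org/demo-1.1.tar.gz#md5=fedcba9876543210fedcba9876543210">1.1</a>
<a href="https://files.example.org/demo-1.2.tar.gz">1.2</a>
<a href="https://example.org/demo/" rel="homepage">home</a>
<a href="https://example.org/demo/downloads/" rel="download">download</a>
</body></html>"""


class IndexPage(HTMLParser):
    """Collects the declared API version and every link with its rel values."""

    def __init__(self):
        super().__init__()
        self.api_version = None
        self.links = []  # list of (href, set of rel tokens)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == "api-version":
            try:
                self.api_version = int(a.get("value"))
            except (TypeError, ValueError):
                self.api_version = None  # unparsable: treat as legacy
        elif tag == "a" and a.get("href"):
            self.links.append((a["href"], set((a.get("rel") or "").split())))


def classify(page_html):
    """Return (api_version, {href: category}) for one index page."""
    page = IndexPage()
    page.feed(page_html)
    result = {}
    for href, rels in page.links:
        if page.api_version is None or page.api_version < 2:
            result[href] = "legacy"  # old processing rules apply
        elif rels & {"homepage", "download"}:
            result[href] = "external-unsafe"  # target page would be scraped
        elif "internal" in rels:
            result[href] = "internal"  # hosted by the index itself
        elif urlparse(href).fragment.partition("=")[0] in HASHES:
            result[href] = "external-verifiable"  # hash pinned by the index
        else:
            result[href] = "external-unsafe"  # nothing to verify against
    return page.api_version, result
```

Links classified as `external-unsafe` are the ones an installer can skip without fetching when its options would not permit installing from them, which is where the speed-up comes from.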