[openstack-dev] pip requirements externally host (evil evil stab stab stab)

Monty Taylor mordred at inaugust.com
Sat Jul 20 03:04:51 UTC 2013


Hey guys!

PyPI is moving towards the world of getting people to stop hosting stuff
via external links. It's been bad for us in the past and one of the
reasons for the existence of our mirror. pip 1.4 has an option to
disallow following external links, and in 1.5 it's going to be the
default behavior.

Looking forward, we have 5 pip packages that host their stuff
externally. If we have any pull with their authors, we should get them
to actually upload stuff to PyPI. If we don't, we should strongly
consider our use of these packages. As soon as pip 1.4 comes out, I
would like to, moving forward, restrict the addition of NEW requirements
that do not host on PyPI. (All 5 of these host insecurely as well, fwiw.)

The culprits are:

dnspython, lockfile, netifaces, psutil, pysendfile
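
Added example, not part of the original post and not pip's own code: a small audit that sorts the links on a package's index page into files hosted on the index and links that point elsewhere, flagging plain-HTTP links and file links without a hash fragment. The index host, the package name "examplepkg", every URL in the sample page and the "=" hash heuristic are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

INDEX_HOST = "pypi.python.org"  # assumption: host of the index being audited

# Constructed sample of an index page; "examplepkg" and all URLs are made up.
SAMPLE_PAGE = """
<a href="https://pypi.python.org/packages/source/e/examplepkg/examplepkg-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef">1.0</a>
<a href="http://downloads.example.org/examplepkg-1.1.tar.gz">1.1</a>
<a href="https://downloads.example.org/examplepkg-1.2.tar.gz#sha256=aa">1.2</a>
<a href="http://www.example.org/examplepkg/" rel="homepage">home page</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, rel) for every anchor tag on the page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], attrs.get("rel") or ""))

def classify(href, rel="", index_host=INDEX_HOST):
    """Return 'hosted-on-index' or an 'external+...' string listing concerns."""
    parts = urlsplit(href)
    # Relative links resolve against the index page, so they stay on the index.
    if not parts.netloc or parts.hostname == index_host:
        return "hosted-on-index"
    flags = ["external"]
    if parts.scheme != "https":
        flags.append("insecure-transport")   # content can be altered in transit
    if rel in ("homepage", "download"):
        flags.append("page-to-scrape")       # a page to crawl, not a file
    elif "=" not in parts.fragment:          # heuristic: no "#algo=digest" part
        flags.append("no-hash")              # download cannot be checked
    return "+".join(flags)

def audit(page):
    """Classify every link on an index page; returns [(href, verdict), ...]."""
    collector = LinkCollector()
    collector.feed(page)
    return [(href, classify(href, rel)) for href, rel in collector.links]

def has_external(page):
    """True if any link on the page leaves the index host."""
    return any(verdict != "hosted-on-index" for _, verdict in audit(page))

if __name__ == "__main__":
    for href, verdict in audit(SAMPLE_PAGE):
        print(f"{verdict:45} {href}")
```
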
