
Allow direct urls in install_requires


What’s the problem this feature will solve?

I want to put a package on PyPI which uses the new direct url syntax pkg@git-repo-url from PEP 508. Uploading to PyPI yields

HTTPError: 400 Client Error: Invalid value for requires_dist. Error: Can't have direct dependency:

It is stated here that this is for “security reasons”, but as pointed out later in the thread, this seems nonsensical as setup.py could execute arbitrary code anyway. Are there any other security concerns I am missing?

Describe the solution you’d like

Simply allow direct urls.

I have a package which depends on another package which I don’t want to go through the trouble of uploading to PyPI as well. This dependency then breaks installing my package from PyPI.
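The upload error above comes from the index validating the Requires-Dist metadata of the uploaded distribution. As an added example (not code from the issue, pip, setuptools or PyPI), here is a local pre-upload lint that applies the same rule to an install_requires list or a METADATA file, so a direct-URL dependency is caught before the upload fails; the package names and URLs in the sample input are constructed.

```python
# Added example (not from the issue, pip, setuptools or PyPI): a local
# pre-upload lint that mimics the index-side rule behind the error
# "Invalid value for requires_dist ... Can't have direct dependency".
from __future__ import annotations
import re
from typing import Iterable

# PEP 508 shape: name [extras] ( "@" url | version-spec )? ( ";" marker )?
# Only enough is parsed to tell the direct-URL form from the version form.
_NAME = r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"
_REQ = re.compile(
    rf"^\s*(?P<name>{_NAME})\s*(?P<extras>\[[^\]]*\])?\s*"
    r"(?:@\s*(?P<url>[^;\s]+)|(?P<spec>[^;@]*))\s*(?:;\s*(?P<marker>.+))?\s*$"
)


def parse_requirement(req: str) -> dict:
    """Split one requirement string into name, url, version spec and marker."""
    m = _REQ.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    return {
        "name": m.group("name"),
        "url": m.group("url"),  # set only for the `name @ url` form
        "spec": (m.group("spec") or "").strip() or None,
        "marker": m.group("marker"),
    }


def find_direct_dependencies(requirements: Iterable[str]) -> list[str]:
    """Return the names of requirements written in the `pkg @ url` form."""
    return [p["name"] for p in map(parse_requirement, requirements) if p["url"]]


def direct_dependencies_in_metadata(metadata: str) -> list[str]:
    """Scan METADATA text; PyPI validates its Requires-Dist lines on upload."""
    reqs = [line.split(":", 1)[1] for line in metadata.splitlines()
            if line.startswith("Requires-Dist:")]
    return find_direct_dependencies(reqs)


# Constructed sample input: an install_requires list with one direct URL.
SAMPLE_INSTALL_REQUIRES = [
    "requests>=2.0",
    "numpy",
    "tomli; python_version < '3.11'",
    "mypkg[extra] @ git+https://example.invalid/org/mypkg.git@main",
]

if __name__ == "__main__":
    for name in find_direct_dependencies(SAMPLE_INSTALL_REQUIRES):
        print(f"{name}: direct URL dependency, PyPI will reject this upload")
```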

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 5
  • Comments: 12 (6 by maintainers)

Top GitHub Comments

frankcorneliusmartin commented, Mar 19, 2019 (2 reactions)

Yes, I agree that it adds some level of trust, especially for long-lived/known (or previously used) packages. However, if you do not check the contents of setup.py this level of security no longer holds, as we do not trust everything on PyPI. Therefore it is just as secure as allowing external direct urls; this is true when not considering that it requires some effort to publish (a malicious) dependency on PyPI.

uranusjr commented, Mar 19, 2019 (1 reaction)

The problem is that setup.py is not only used to be directly run on your machine to install the package, but also to create a wheel, either by the developer (to upload to PyPI) or pip (to later install it). As Paul mentioned, the problem is that wheel does not (and should not, I want to add) support URL specs, so if setup(install_requires=...) does, setuptools needs to somehow convert it to a non-URL dependency when building the wheel, which is by no means straightforward, if at all possible. And you’d need to convince setuptools maintainers instead of pip on that.

