Why is dependency links in setup.py deprecated?

Submitted by 锁芯ラ on 2019-12-21 04:35:15

Question


There are quite a few people wondering about an alternative to dependency links in the setup.py (activated with the pip flag --process-dependency-links): What is the alternative to using --process-dependency-links with pip, Depend on git repository in setup.py. Basically, I got bitten by the deprecation warning:

"DEPRECATION: Dependency Links processing has been deprecated and will be removed in a future release."

Some people have suggested using requirements.txt, however that is not an alternative as it is meant to provide an entire environment, usually more associated with development. The install_requires is supposed to provide a sort of minimum set of libraries that are necessary to work with the standard functionality, so that when you do something like pip install [LIBRARY], everything needed is installed, without any further pip install -r requirements.txt (I am referring to cases in which the LIBRARY parameter of pip install [LIBRARY] would come in the form of a URL like git+http:\\github.com\username\repo.git).

My issue with the deprecation is that I cannot reference internal/private packages, but I can also see how this could be a problem if it is required to reference a particular commit or branch in git (at least I know I had done this in the past).

All that said, the use of dependency_links is complicated, e.g. the syntax is not always clear, there exist several ways of specifying URLs, and people tend to forget that they have to put the name-version of the library in both the dependency_links and the install_requires lists. I would like to hear that this deprecation is in favor of an improvement, but this doesn't seem to be the case.

So, to summarize, what is the reason for deprecating dependency links? Is the deprecation of dependency links in favour of a better alternative? It doesn't seem that there is an alternative.


Answer 1:


PEP 508 URL dependencies are the alternative for dependency-links. You can find more details about that in my related answer.


What is the reason for deprecating dependency links?

Security. When dependency links are enabled, pip can be made to fetch arbitrary URLs from the internet and run code from them -- something that is obviously not a good idea.

You can read more about it in the original thread proposing this: https://mail.python.org/pipermail/distutils-sig/2013-October/022937.html
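As an added illustration (not part of the answer above, and not pip's own code), the following converts the legacy install_requires + dependency_links pair from the question into PEP 508 direct references ("name @ url") and then flags VCS references that point at a branch or tag rather than an immutable commit hash. The package names, URLs and the #egg= fragment are constructed sample values.

```python
import re

# Constructed sample: legacy setup() metadata of the kind the question describes.
LEGACY = {
    "install_requires": ["mylib==1.2.0", "requests>=2.0"],
    "dependency_links": [
        "git+https://github.com/example/mylib.git@v1.2.0#egg=mylib-1.2.0",
    ],
}

# A full 40-hex-digit git commit hash as the ref at the end of a VCS URL.
COMMIT_SHA = re.compile(r"@([0-9a-f]{40})$")


def parse_egg_fragment(link):
    """Split a dependency link into (url, project name, version or None)."""
    url, _, egg = link.partition("#egg=")
    if not egg:
        raise ValueError("dependency link without #egg= fragment: %s" % link)
    name, sep, version = egg.rpartition("-")
    if not sep or not version[:1].isdigit():
        name, version = egg, None  # fragment carried no version suffix
    return url, name, version


def _norm(name):
    return name.lower().replace("_", "-")


def to_pep508(install_requires, dependency_links):
    """Rewrite requirements that had a dependency link as PEP 508 'name @ url'."""
    urls = {}
    for link in dependency_links:
        url, name, _ = parse_egg_fragment(link)
        urls[_norm(name)] = url
    result = []
    for req in install_requires:
        name = re.match(r"[A-Za-z0-9_.-]+", req).group(0)
        url = urls.get(_norm(name))
        # Direct references replace the version specifier; the URL is the source.
        result.append("%s @ %s" % (name, url) if url else req)
    return result


def mutable_vcs_refs(requirements):
    """Return direct VCS references whose ref is a branch/tag, not a commit hash."""
    flagged = []
    for req in requirements:
        if " @ " not in req:
            continue
        url = req.split(" @ ", 1)[1]
        if url.startswith(("git+", "hg+", "svn+", "bzr+")) and not COMMIT_SHA.search(url):
            flagged.append(req)
    return flagged
```

A tag like v1.2.0 can be moved, so a release pipeline should reject the flagged entries until they are pinned to a commit hash.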



Source: https://stackoverflow.com/questions/46320277/why-is-dependency-links-in-setup-py-deprecated
