Issue #47 new

Remove dependency links from metadata

Jason R. Coombs
created an issue

Setuptools currently defines dependency links to resolve its dependencies. From setup.py:

    dependency_links = [
        'https://pypi.python.org/packages/source/c/certifi/certifi-0.0.8.tar.gz#md5=dc5f5e7f0b5fc08d27654b17daa6ecec',
        'https://pypi.python.org/packages/source/s/ssl/ssl-1.16.tar.gz#md5=fb12d335d56f3c8c7c1fefc1c06c4bfb',
        'https://pypi.python.org/packages/source/w/wincertstore/wincertstore-0.1.zip#md5=2f9accbebe8f7b4c06ac7aa83879b81c',
        'https://bitbucket.org/pypa/setuptools/downloads/ctypes-1.0.2.win32-py2.4.exe#md5=9092a0ad5a3d79fa2d980f1ddc5e9dbc',
        'https://bitbucket.org/pypa/setuptools/downloads/ssl-1.16-py2.4-win32.egg#md5=3cfa2c526dc66e318e8520b6f1aadce5',
        'https://bitbucket.org/pypa/setuptools/downloads/ssl-1.16-py2.5-win32.egg#md5=85ad1cda806d639743121c0bbcb5f39b',
    ],

Those links are there to support fetching of packages over SSL with certificate validation. The binary builds of ctypes and ssl are there for Windows users on Python 2.4 and 2.5 because those builds aren't available on PyPI. Ideally, these should be hosted on PyPI.

I'm less sure why there are links to the source files. Presumably setuptools could discover those download links. I suspect the reason they're there is that before setuptools has SSL support, there's no secure way to bootstrap SSL support, so those links provide at least some assurance that the package downloaded is the package setuptools expects.

Once SSL is bootstrapped, however, the clients can then rely on the public key infrastructure to authenticate the server and secure the connection.

Is there a way to accomplish this without the dependency links?
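The `#md5=...` fragments on those links are the "some assurance" the issue refers to: a client that already trusts the link can check a download against the pinned digest before installing it. The following is an added example of that check (not setuptools' own code); the package bytes and the `example.invalid` URL are constructed for the demonstration, and the parser also accepts `sha1`/`sha256` fragments, which goes slightly beyond the `md5` form shown in setup.py. The check is only as strong as the channel the link itself arrived over, which is exactly the bootstrap gap described above.

```python
import hashlib
import hmac
from urllib.parse import urlparse, parse_qs

# Constructed sample: fake archive bytes plus a dependency link whose fragment
# pins their digest in the "#md5=<hex>" form used in setup.py. The host is a
# placeholder (example.invalid), not a real download location.
SAMPLE_PACKAGE = b"PK\x03\x04 fake archive bytes for the example\n"
SAMPLE_LINK = ("https://example.invalid/packages/certifi-0.0.8.tar.gz#md5="
               + hashlib.md5(SAMPLE_PACKAGE).hexdigest())


def parse_link_digest(link):
    """Return (algorithm, expected_hex) from a dependency link's fragment,
    or None when the link carries no recognised digest fragment."""
    fragment = urlparse(link).fragment
    if not fragment:
        return None
    params = parse_qs(fragment)
    # Prefer the strongest algorithm if several fragments are present.
    for algo in ("sha256", "sha1", "md5"):
        if algo in params:
            return algo, params[algo][0].lower()
    return None


def verify_download(link, data):
    """Check downloaded bytes against the digest pinned in the link fragment.
    Returns True only when a digest is present and matches; an unpinned link
    yields False because there is nothing to verify against."""
    parsed = parse_link_digest(link)
    if parsed is None:
        return False
    algo, expected = parsed
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison avoids leaking how many leading hex digits match.
    return hmac.compare_digest(actual, expected)
```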

Comments (4)

  1. Florian Schulze

    These links also cause buildout to access those URLs every time the buildout is run, even if setuptools isn't updated and "newest = false" is set. Each link causes a 1 second pause during buildout. If I remove them from the dependency_links.txt, everything is fast again.

  2. Florian Schulze

    Any dependency link causes a trip to the internet. Even if I have settings like this in ~/.pydistutils.cfg (using devpi as local mirror):

    [easy_install]
    index_url = http://localhost:8141/fschulze/dev/+simple/
    allow_hosts = localhost:8141
    
  3. pje

    That sounds like buildout is doing something weird; in particular, it sounds like buildout either isn't honoring your allow_hosts setting itself, or it's invoking setuptools with an override for it.