Remove dependency links from metadata
Setuptools currently defines dependency links to resolve its dependencies. From setup.py:
dependency_links = [ 'https://pypi.python.org/packages/source/c/certifi/certifi-0.0.8.tar.gz#md5=dc5f5e7f0b5fc08d27654b17daa6ecec', 'https://pypi.python.org/packages/source/s/ssl/ssl-1.16.tar.gz#md5=fb12d335d56f3c8c7c1fefc1c06c4bfb', 'https://pypi.python.org/packages/source/w/wincertstore/wincertstore-0.1.zip#md5=2f9accbebe8f7b4c06ac7aa83879b81c', 'https://bitbucket.org/pypa/setuptools/downloads/ctypes-1.0.2.win32-py2.4.exe#md5=9092a0ad5a3d79fa2d980f1ddc5e9dbc', 'https://bitbucket.org/pypa/setuptools/downloads/ssl-1.16-py2.4-win32.egg#md5=3cfa2c526dc66e318e8520b6f1aadce5', 'https://bitbucket.org/pypa/setuptools/downloads/ssl-1.16-py2.5-win32.egg#md5=85ad1cda806d639743121c0bbcb5f39b', ],
Those links are there to support fetching of packages over SSL with certificate validation. The binary builds of ctypes and ssl are there for Windows users on Python 2.4 and 2.5 because those builds aren't available on PyPI. Ideally, these should be hosted on PyPI.
I'm less sure why there are links to the source files. Presumably setuptools could discover those download links. I suspect the reason they're there is that before setuptools has SSL support, there's no secure way to bootstrap SSL support, so those links provide at least some assurance that the package downloaded is the package setuptools expects.
Once SSL is bootstrapped, however, the clients can then rely on the public key infrastructure to authenticate the server and secure the connection.
Is there a way to accomplish this without the dependency links?