Pip: Status of process-dependency-links?

The status is we want to get rid of it, it's deprecated, but there is an edge case that still needs it that we're not comfortable breaking yet until there is a replacement.

If it's deprecated, what is the replacement to use when a package depends on another package that's in a private git repo?

@dstufft I have the same question. If this is deprecated, is there a proposed alternative people should be using?

@dstufft I have the same question as @ahnitz, what is the proposed alternative ?

I'd say https://www.python.org/dev/peps/pep-0508/

Is this already implemented for pip/setuptools? if not, any schedule for this?

@linar-jether https://github.com/pypa/pip/issues/3609

use requirements.txt

The alternative options for pulling from private git repos are pretty cumbersome to use. It seems pretty insane to remove the --process-dependency-links feature since it is already opt-in. This (sadly) seems like just another example of why python package/dependency management is such a ghetto compared to other modern languages ...

So, here's the main issue: If I don't want to use a requirements.txt file (because, say, I want declarative dependencies all specified in setup.cfg), how am I supposed to specify a URL as dependency?

This doesn't work:

[options]
install_requires = 
  requests==2.18.4
  https://github.com/example/example_lib/archive/master.zip

I also think dependency links are weird and fine to drop, but canonically how is this use case served if not with those?

Further, suppose your dependency links are from an _internal_ source, like a company enterprise GitHub instance. If I am writing an internal Python package that depends on other internal Python packages, specifying their dependency links directly in either setup.py or requirements.txt is a mandatory feature for me. Without it, pip would be utterly unusable.

Currently in some internal projects, this means I _cannot_ use requirements.txt, because it lacks proper support for dependency links. Thus, I am forced to use install_requires in setup.py.

Basically, a Python package dependency is a thing that can come from anywhere. If a tool doesn't allow me to articulate specific locations for each individual package, then that tool is functionally not a package management tool. In this sense, if pip moves forward with deprecating dependency links, pip would become some sort of tool that is not a package management tool.

Even more, to stay relevant with growing multiplicity of ways to describe and manage packages (different source control sources, conda recipes), pip should be _extending_ features and support for dependency links and _adding_ more features for this type of use case, not taking them away or limiting them.

PEP 508 has an example of how URL based requirements are to be located... https://www.python.org/dev/peps/pep-0508/#examples

pip @ https://github.com/pypa/pip/archive/1.3.1.zip#sha1=da9234ee9982d4bbb3c72346a6de940a148ea686

Support for this will land as a part of pip 10; as #4175 has merged.

so... what do we do now? How do I specify a git repo as a pip dependency (install_requires in setup.py)? For example when a project hasn't updated their pypy package, but code on github works!?

If you have a URL for a specific sdist that you want to install, use a URL link to that sdist (but to be clear, it needs to be a static URL that contains a specific version - pointing at "master" won't work as there's no way pip can know when master gets updated).

If you want to use the dependency_links feature that allows a project to direct pip to essentially search an arbitrary page on the web, scraping it for potential files to install, then that feature is no longer available (as it's a significant security risk in its general form). You should host the files you want to search on a private filesystem or index, and point pip at it via --find-links or --extra-index-url.

For posterity, with github you can ask for a tarball for some ref

    install_requires = [
        'somerepo @ https://api.github.com/repos/User/somerepo/tarball/v0.1.1',
    ],

For posterity, with github you can ask for a tarball for some ref

    install_requires = [
        'somerepo @ https://api.github.com/repos/User/somerepo/tarball/v0.1.1',
    ],

Crazy, but this works like a charm even if the link you are providing is not on Github.

Unfortunately the "install_requires" hack is useless for the main reason people would want to use it- for private repositories.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.