11

Recent versions of the pip installer haven't installed packages that do not upload their package files to PyPI unless the user explicitly provides the --allow-external option (related answer).

I want to distribute my package, which depends on such a library, like dirspec. Currently I have to tell users of my package to install it with the following command:

$ pip install --allow-external dirspec MyPackage

It becomes more problematic when it comes to library packaging. If my package is a library, I also have to tell authors of packages that depend on my package to tell their users to install their package with the following command:

$ pip install --allow-external dirspec TheirPackage

Is there any workaround to avoid this situation?

Community
minhee

2 Answers

6

You are asking for a workaround of a security feature. Installing from an external site without my knowledge could be considered harmful.

There might be an alternative solution: either rely on pip complaining about the required package not being reachable without that switch, or try to give such an instruction from your installation code. However, the second approach would fail if you really declare a dependency on such a package, as pip would first try installing the external one, thus not giving your setup.py a chance to say anything. You would have to make your package independent of it and print out from setup.py an instruction to install some package from the external site. This sounds even more complicated.

I would assume that such a situation (being dependent on an external package) will be popular enough that pip will take care of giving an instructive enough hint on how to resolve such a dependency.

EDIT: Testing installation with the current version of pip (1.5.4) shows that there is such a hint printed, proposing to use the switch --use-external.

$ pip install gittle
Downloading/unpacking gittle
.....
Downloading/unpacking mimer (from gittle)
  Could not find any downloads that satisfy the requirement mimer (from gittle)
  Some externally hosted files were ignored (use --allow-external mimer to allow).
Cleaning up...
Jan Vlcinsky
--allow-external is not a security workaround—`pip` will still check the checksum of the external download against the one securely acquired from PyPI. If, on the other hand, the OP asked for a workaround for --allow-unverified, then it would indeed be a security issue. See this question: http://stackoverflow.com/q/21021326/42610 – liori Sep 01 '14 at 20:44
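As an added illustration of the distinction liori's comment draws (this is not code from the question, the answers, or pip itself): an externally hosted file was only acceptable under --allow-external because the PyPI index link carried a checksum fragment (the PEP 438 `#md5=...` form) that the download was checked against, whereas --allow-unverified covered links with no such checksum. The function below reproduces that check on constructed inputs; the link URLs, payload and function names are my own.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample index links in the PEP 438 style: an external link with
# a checksum fragment, and one without (what pip called "unverified").
EXTERNAL_VERIFIABLE = "http://example.invalid/dirspec-13.10.tar.gz#md5={}"
EXTERNAL_UNVERIFIED = "http://example.invalid/dirspec-13.10.tar.gz"


def expected_digest(link):
    """Parse the '#<algo>=<hex>' fragment of an index link; None if absent."""
    fragment = urlparse(link).fragment
    if "=" not in fragment:
        return None
    algo, _, hexdigest = fragment.partition("=")
    if algo.lower() not in hashlib.algorithms_available:
        return None
    return algo.lower(), hexdigest.lower()


def verify_download(link, data):
    """Classify downloaded bytes as 'verified', 'mismatch' or 'unverified'.

    'verified'   - the index link carried a checksum and the bytes match
                   (the case --allow-external still lets through).
    'mismatch'   - checksum present but the bytes differ: wrong or tampered file.
    'unverified' - no checksum on the index link; only --allow-unverified
                   would install this, i.e. with no integrity check at all.
    """
    expected = expected_digest(link)
    if expected is None:
        return "unverified"
    algo, hexdigest = expected
    actual = hashlib.new(algo, data).hexdigest()
    return "verified" if actual == hexdigest else "mismatch"


def demo():
    """Run the three cases on a constructed (fake) archive payload."""
    payload = b"constructed tarball bytes, not a real sdist"
    good_link = EXTERNAL_VERIFIABLE.format(hashlib.md5(payload).hexdigest())
    return (
        verify_download(good_link, payload),
        verify_download(good_link, payload + b"tampered"),
        verify_download(EXTERNAL_UNVERIFIED, payload),
    )


if __name__ == "__main__":
    print(demo())  # ('verified', 'mismatch', 'unverified')
```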
5

The right thing to do is include the requirements in your tarball or in a mega-tarball containing their projects and yours. Then pip will happily install from the local files.

Sean Perry