Pip: Dependency links in pip 1.6

Created on 10 Sep 2014 · 10 Comments · Source: pypa/pip

Received warning:

Dependency Links processing has been deprecated with an accelerated time schedule and will be removed in pip 1.6

What should be used instead of dependency links?


All 10 comments

Generally you should use a requirements.txt file, however we've decided not to remove the --process-dependency-links flag in 1.6 but will remove it in a future version.

+1 -- private package deployment needs dependency links, requirements.txt are a bad replacement as they remove the self-description of a package. Thanks for keeping it in for the time being.

@miraculixx I like the way NPM manages dependencies and I'll be glad to see something like this in PIP.

+1

What I don't understand is how requirements.txt is considered a replacement for dependency_links? Dependency_links allows me to do "pip install git+ssh:..." and it automatically installs all dependencies, from PyPI or my own Git repositories. With requirements this becomes a much more involved process: git clone, cd project, pip install -r requirements.txt, python setup.py install.

Also what is so bad about dependency_links that it needs to go?

The problem with dependency links is that for public packages, like those hosted on PyPI, you shouldn't have `pip install foo` randomly reaching out to different locations on the internet to fetch dependencies from. That's something that should require explicit authorization from the person doing the installation. Which is why we originally deprecated them (and even removed temporarily).

However it came to light that there was an important use case we were missing, namely that of the cases where you have _private_ packages that you want to install, maybe from Git or a personal PyPI or whatever. Since we realized that we weren't yet handling that use case well, we delayed the removal of --process-dependency-links and we've added to PEP 440 the concept of a "direct dependency", which would be used similarly to dependency links. None of the tooling supports these yet, so we haven't yet removed --process-dependency-links, however once the tooling does, we will. A key difference between direct dependencies and dependency links is that, because it's part of the new metadata standard, there's no legacy of packages on PyPI that have it, so we can just unconditionally allow it in pip, and rely on PyPI rejecting uploads that contain them to prevent them from being used in "public" projects.

So I guess s/direct dependencies/direct references/ in PEP 440, right?

If that mechanism allows me to specify in setup.py of project Foo hosted at git+https://github.com/hannes/Foo the following dependency declaration

```python
setup(
    install_requires=[
        "Bar@git+https://github.com/hannes/Bar@stable",
        ...
    ],
    ...)
```

then I am happy.

Er, yea, got the terminology wrong. Yes, that's the idea. It doesn't do that _yet_, but that's the goal.
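The policy discussed in this thread, shown as an added example that is not part of the original comments or of pip's code: direct references are refused unless the installer has approved the host, and an empty allowlist behaves like a public index that rejects them all. The function names, the `git.internal.example` host and the sample list are constructed for illustration, and the regex is a simplified reading of the `name @ url` form rather than pip's parser.

```python
import re
from urllib.parse import urlsplit

# "name [extras] @ url": the requirement form that carries a direct reference.
_DIRECT = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"\s*(?:\[[^\]]*\])?\s*@\s*(?P<url>\S+)"
)

def direct_reference(requirement):
    """Return (name, url) if the requirement is a direct reference, else None."""
    m = _DIRECT.match(requirement)
    return (m.group("name"), m.group("url")) if m else None

def audit(requirements, allowed_hosts=frozenset()):
    """Classify each requirement as 'index', 'direct-allowed' or 'direct-blocked'.

    With no allowed hosts every direct reference is blocked, which is the
    behaviour a public index would want for uploaded metadata.
    """
    report = []
    for req in requirements:
        ref = direct_reference(req)
        if ref is None:
            report.append((req, "index"))  # resolved through the configured index
            continue
        # hostname is None for forms such as file:///...; treat that as unapproved
        host = (urlsplit(ref[1]).hostname or "").lower()
        verdict = "direct-allowed" if host in allowed_hosts else "direct-blocked"
        report.append((req, verdict))
    return report

# Constructed sample of install_requires entries (second one is the form quoted above).
SAMPLE = [
    "requests>=2.0",
    "Bar@git+https://github.com/hannes/Bar@stable",
    "Baz @ git+ssh://git@git.internal.example/Baz.git ; python_version >= '3'",
]

if __name__ == "__main__":
    for req, verdict in audit(SAMPLE, allowed_hosts={"git.internal.example"}):
        print(f"{verdict:15} {req}")
```

Running the audit in CI against a private project's metadata shows every host an install would contact outside the index before the package is published internally.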

> we've added to PEP 440 the concept of a "direct dependencies"

:+1:

Hooray! Thanks for recognizing this need. I've spent my whole morning trying to figure out what I'm supposed to be using other than dependency links, for private packages.
