Add warning about `python setup.py install`.

This commit is contained in:
Erik Rose 2015-10-08 00:36:14 -04:00
parent 09008bf190
commit d477ae6c5c
1 changed files with 11 additions and 0 deletions

@ -515,6 +515,17 @@ strategies <Repeatability>` is available in the User Guide.
such a package, see :ref:`Controlling
setup_requires<controlling-setup-requires>`.
.. warning::
Be careful not to nullify all your security work when you install your
actual project. If you call ``python setup.py install`` after installing
your requirements, setuptools will happily go out and download, unchecked,
anything you missed in your requirements file—and its easy to miss things
as your project evolves. One way to be safe is to pack up your project and
then install that using pip and :ref:`--no-deps <install_--no-deps>`::
python setup.py sdist
pip install --no-deps dist/yourproject-1.0.tar.gz
Hashes from PyPI
~~~~~~~~~~~~~~~~