From d477ae6c5cfffc44c56717767fb71d48bc8c5746 Mon Sep 17 00:00:00 2001 From: Erik Rose Date: Thu, 8 Oct 2015 00:36:14 -0400 Subject: [PATCH] Add warning about `python setup.py install`. --- docs/reference/pip_install.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/reference/pip_install.rst b/docs/reference/pip_install.rst index 61eda8f65..99f199f69 100644 --- a/docs/reference/pip_install.rst +++ b/docs/reference/pip_install.rst @@ -515,6 +515,17 @@ strategies ` is available in the User Guide. such a package, see :ref:`Controlling setup_requires`. +.. warning:: + Be careful not to nullify all your security work when you install your + actual project. If you call ``python setup.py install`` after installing + your requirements, setuptools will happily go out and download, unchecked, + anything you missed in your requirements file—and it’s easy to miss things + as your project evolves. One way to be safe is to pack up your project and + then install that using pip and :ref:`--no-deps `:: + + python setup.py sdist + pip install --no-deps dist/yourproject-1.0.tar.gz + Hashes from PyPI ~~~~~~~~~~~~~~~~
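Review bot: the recommended workaround in the new warning still runs ``python setup.py sdist``, which invokes setup.py and can trigger an unchecked ``setup_requires`` download in exactly the way the warning cautions against; since the preceding context line already points at :ref:`Controlling setup_requires`, consider adding a sentence noting that the ``sdist`` step has the same caveat and linking to that section. Also, the ``:ref:`` target on the ``--no-deps`` line appears to have an empty or truncated label (``:ref:`--no-deps ```), so please confirm the reference resolves when the docs build, and the sample path ``dist/yourproject-1.0.tar.gz`` would read more clearly as an obvious placeholder (e.g. with a short note that the file name depends on the project's name and version).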