We started trying to locate the system trust stores, because
downstream was patching out our bundled copies anyways and it would
provide a smoother experience when people upgraded their pip inside
of their system.
However, if we just use OpenSSL's CAFile then we're broken on systems
like Debian which currently ship a broken CAFile configuration. If
we just use OpenSSL's CAPath then we're broken on systems like CentOS
and Fedora that currently are shipping a broken OpenSSL CAPath.
So basically, none of the major distributions seem to be capable of
shipping an OpenSSL that isn't broken, so we're going back to relying
on our own CA bundle exclusively.
It's unlikely that we're going to need any changes in pip itself
to support linux enabled wheels except for maybe a more specific
platform tag. If a more specific platform tag is needed then older
pips won't install that anyways. This should allow experimentation
with some possible solutions to linux enabled wheels.
This guards against the possibility of a weaker hash being added to hashlib in the future. Also give _good_hashes() a more descriptive name, and describe what we mean by "strong".
We can get away with returning a static list because those algorithms are guaranteed present in hashlib.
Those commands already checked hashes, since they use RequirementSet, where the hash-checking is done.
Reorder some options so pre, no-clean, and require-hashes are always in the same order.
dstufft is nervous about blowing a single-char option on something that will usually be copied and pasted anyway. We can always put it back later if it proves to be a pain.
We purposely keep it off the CLI for now. optparse isn't really geared to expose interspersed args and options, so a more heavy-handed approach will be necessary to support things like `pip install SomePackage --sha256=abcdef... OtherPackage --sha256=012345...`.
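The static allowlist of strong hashes described in the hash-checking notes above, as an added example that is not pip's own code. The algorithm names in STRONG_HASHES, the check_pinned() helper and the shape of the pins mapping are assumptions; the page does not list them.

```python
import hashlib
import hmac

# Assumption: the page does not name the "strong" algorithms. These three are
# members of hashlib.algorithms_guaranteed on every Python build, so a static
# tuple is safe and never grows when hashlib gains a new (possibly weak) hash.
STRONG_HASHES = ("sha256", "sha384", "sha512")


class HashError(Exception):
    """Raised when no strong pin exists or no strong pin matches."""


def check_pinned(data, pins):
    """Return the name of the strong algorithm whose pinned digest matches.

    `pins` maps algorithm name -> list of hex digests (hypothetical shape).
    Only names on the static allowlist are consulted, so a pin for a weak
    algorithm that hashlib happens to offer can never satisfy the check.
    """
    strong = {a: d for a, d in pins.items() if a in STRONG_HASHES}
    if not strong:
        raise HashError("no pin uses a strong hash: %s" % sorted(pins))
    for algo, digests in strong.items():
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison; pinned digests are normalised to lowercase.
        if any(hmac.compare_digest(actual, d.lower()) for d in digests):
            return algo
    raise HashError("no strong pin matches the downloaded data")


# Constructed sample input: bytes standing in for a downloaded archive.
ARCHIVE = b"constructed sample archive contents"
GOOD_SHA256 = hashlib.sha256(ARCHIVE).hexdigest()
# Constructed placeholder digest; weak pins are filtered out before hashing.
WEAK_ONLY = {"md5": ["0" * 32]}

if __name__ == "__main__":
    print(check_pinned(ARCHIVE, {"sha256": [GOOD_SHA256]}))
    try:
        check_pinned(ARCHIVE, WEAK_ONLY)
    except HashError as exc:
        print("rejected:", exc)
```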
`pip download` has the same functionality as `pip install --download`,
and the behavior of `pip install --download` is preserved with a deprecation
warning. `pip install --download` will be removed in pip version 10.
This adds constraints files. Like requirements files, constraints files
control what version of a package is installed, but unlike
requirements files this doesn't itself choose to install the package.
This allows things that aren't explicitly desired to be constrained if
and only if they are installed.
Using --install-options, --build-options, --global-options changes
the way that setup.py behaves, and isn't honoured by the wheel code.
The new wheel autobuilding code made this very obvious - disable
the use of wheels when these options are supplied.
With wheel autobuilding in place a release blocker is some granular
way to opt-out of wheels for known-bad packages. This patch introduces
two new options: --no-binary and --only-binary to control what
archives we are willing to use on both a global and per-package basis.
This also closes #2084
two major changes:
1) re-use the optparse options in pip.cmdoptions instead of maintaining
a custom parser
2) as a result of #1, simplify the call stack
from: parse_requirements -> parse_content -> parse_line
to: parse_requirements -> process_line
beyond #1/#2, minor cosmetics and adjusting the tests to match
This class just existed to let us call something later, which is
exactly what partial does for trivial cases. Because of mutable
default parameters actual functions are needed sometimes, but
I think on balance it's an improvement.
by creating a PyPI object
Before:
$ ag --ignore=_vendor 'pypi.python.org' pip
pip/cmdoptions.py
195: default='https://pypi.python.org/simple/',
pip/commands/search.py
33: default='https://pypi.python.org/pypi',
pip/index.py
305: if page is None and 'pypi.python.org' not in str(main_index_url):
706: ).netloc.endswith("pypi.python.org")):
pip/utils/outdated.py
107: "https://pypi.python.org/pypi/pip/json",
After:
$ ag --ignore=_vendor 'pypi.python.org' pip
pip/index.py
77:PyPI = Index(url='https://pypi.python.org/', trusted=True)
* Deprecates accessing non secure origins by default, the list of
which is taken from Chrome.
* Adds a --trusted-host flag to enable users to mark a specific
host as a secure origin regardless of what we think.
* Refactors the original warning to better indicate the intent
and the new flag.
* Deprecates the --download-cache option & removes the download
cache code.
* Removes the in memory page cache on the index
* Uses CacheControl to cache all cacheable HTTP requests to the
filesystem.
* Properly handles CacheControl headers for unconditional
caching.
* Will use ETag and Last-Modified headers to attempt to do a
conditional HTTP request to speed up cache misses and turn
them into cache hits.
* Removes some concurrency unsafe code in the download cache
accesses.
* Uses a Cache-Control request header to limit the maximum
length of time a cache is valid for.
* Adds pip.appdirs to handle platform specific application
directories such as cache, config, data, etc.
Add a 'retry' option which allows configuring how many
retries pip should make before giving up on an HTTP request.
When the retries count is specified by the user, its value is
passed to HTTPAdapter from requests which handles all
the underlying operations.