As per [their blog post of the 27th April](https://blog.readthedocs.com/securing-subdomains/) ‘Securing subdomains’:
> Starting today, Read the Docs will start hosting projects from subdomains on the domain readthedocs.io, instead of on readthedocs.org. This change addresses some security concerns around site cookies while hosting user generated data on the same domain as our dashboard.
Test Plan: Manually visited all the links I’ve modified.
The docs currently show passing a package's hash(es) in the form of
``--hash:sha256=...``. When trying to install something using this
format, pip fails with the error ``pip: error: no such option:
--hash:sha256``. This should be changed to match the output of ``pip
hash``.
Removed the mention of "package index options" in the docs, because they don't all fit that category anymore. Not even --no-binary and --only-binary do; they're "install options".
This would occur when, for example, installing from a requirements file that references a certain hashed sdist, a common situation.
As of pip 7, pip always tries to build a wheel for each requirement (if one wasn't provided directly) and installs from that. The way this was implemented, InstallRequirement.link pointed to the cached wheel, which obviously had a different hash than the index-sourced archive, so spurious mismatch errors would result.
Now we no longer read from the wheel cache in hash-checking mode.
Make populate_link(), rather than the `link` setter, responsible for mapping InstallRequirement.link to a cached wheel. populate_link() isn't called until until prepare_files(). At that point, when we've examined all InstallRequirements and their potential --hash options, we know whether we should be requiring hashes and thus whether to use the wheel cache at all.
The only place that sets InstallRequirement.link other than InstallRequirement itself is pip.wheel, which does so long after hashes have been checked, when it's unpacking the wheel it just built, so it won't cause spurious hash mismatches.
setuptools.package_index.local_open is used for file: URLs, and only
handles directories if the URL ends with a slash. Add the trailing
slash to pip's documentation to reduce confusion.
We don't need to talk about the network, since HTTPS should ensure transmission integrity. We do need to watch out for the CA chain. Stop mentioning the CDN because it's a deep hole: we might as well mention Rackspace and Amazon and who knows who else.
`pip download` has the same functionality as `pip install --download`,
and the behavior of `pip install --download` is preserved with a deprecation
warning. `pip install --download` will be removed in pip version 10.
packages". With pip's index caching, and wheel caching, the motivation
to find a way to speed up pip is not as pressing anymore, although it is
still true that people may need a local-only install for certain cases.
- a new subsection for the get-pip options
(which now mentions --no-wheel and --no-setuptools)
- explain that get-pip.py installs setuptools and wheel, and why.
- mention support for Python3.5
This adds constraints files. Like requirements files constraints files
control what version of a package is installed, but unlike
requirements files this doesn't itself choose to install the package.
This allows things that aren't explicitly desired to be constrained if
and only if they are installed.
We're actually pinning down a fairly specific grammar now, so lets
make it official. All options are at the end, and only options get
quoting. I've also tweaked some of the existing examples to make the
existing grammar features (that I know people use) clearer - like
spaces between requirements and version specifiers.
With wheel autobuilding in place a release blocker is some granular
way to opt-out of wheels for known-bad packages. This patch introduces
two new options: --no-binary and --only-binary to control what
archives we are willing to use on both a global and per-package basis.
This also closes#2084
Building wheels before installing elminates a cause of broken environments -
where install fails after we've already installed one or more packages.
If a package fails to wheel, we run setup.py install as normally.
This allows lines such as the following to exist in requirements files:
INITools==0.2 --install-options="--prefix=/opt"
virtualenv>=1 --global-options="--no-user-cfg"
In addition, the requirements file parser was overhauled with simplicity
and clarity in mind.
This is needed for setup-requires, since without it its possible
to cause installation to fail in sort-circuit scenarios such as
the added functional test case demonstrates.
using object that have the same name as submodules as the weird effect
of makeing `import pip.commands.<something> as <anothername>` fail with
a key error. This fixes it by renamin commands as command_dict and fixin
a few imports to accomodate.
Related to #2149
It's now possible to specify requirements markers in requirements.
Examples::
futures; python_version < '2.7'
mock; python_version < '3.3'
nose
ordereddict; python_version < '2.7'
unittest2; python_version < '2.7'
The separator is "; ". For convinience, ";" alone is also supported, but
no in URLs. The ";" character is a legit and common character in an URL.
Example of valid URL without markers::
http://foo.com/?p=bar.git;a=snapshot;h=v0.1;sf=tgz
Example of URL with markers::
http://foo.com/?p=bar.git;a=snapshot;h=v0.1;sf=tgz; python_version < '3.3'
* add site_config_dirs() to appdirs to determine locations across OSes
* add system_config_files to locations.py
* add system_config_files to get_config_files() and re-order files entries to correct precedence
* document changes to configuration files in user guide
Closes#309
If you use single or double quotes in a `requirements.txt` file, pip exits with an error. This change clarifies that single or double quotes should only be used in the shell.
* Deprecates the --download-cache option & removes the download
cache code.
* Removes the in memory page cache on the index
* Uses CacheControl to cache all cacheable HTTP requests to the
filesystem.
* Properly handles CacheControl headers for unconditional
caching.
* Will use ETag and Last-Modified headers to attempt to do a
conditional HTTP request to speed up cache misses and turn
them into cache hits.
* Removes some concurrency unsafe code in the download cache
accesses.
* Uses a Cache-Control request header to limit the maximum
length of time a cache is valid for.
* Adds pip.appdirs to handle platform specific application
directories such as cache, config, data, etc.
Connor Osborn
Patrick Lawson
Xavier Fernandez
Xavier Fernandez
Ian Lee
memoselyk
Paul Moore
Adam Chainz
Pekka Klärck
Douglas Thor
gdanielson
ryneeverett
Cory Wright
Donald Stufft
Tony Zhaocheng Tan
Stéphane Bidoul (ACSONE)
jwg4
Anton Ovchinnikov
Jon Banafato
Cass
Christopher Snyder
Emil Styrke
Matt Iversen
anatoly techtonik
Ville Skyttä
Marcus Smith
Erik Rose
Colin Watson
James Firth
Mathew Jennings
tim smith
Kit Randel
Michael Klich
Joost Molenaar
Robert Collins
Razzi Abuissa
Mark Kohler
Georgi Valkov
Eric Hanchrow
Kyle Persohn
Bence Nagy
Marc Abramowitz
Bussonnier Matthias
Jan Pokorný
jarondl
Victor Stinner
Chris Jerdonek
Richard Jones
patricktokeeffe
Jyrki Pulliainen
David Wales