Why are dependency links in setup.py deprecated?
Question
There are quite a few people wondering about an alternative to dependency links in the setup.py (activated with the pip flag --process-dependency-links): "What is the alternative to using --process-dependency-links with pip", "Depend on git repository in setup.py". Basically, I got bitten by the deprecation warning:
"DEPRECATION: Dependency Links processing has been deprecated and will be removed in a future release."
Some people have suggested using requirements.txt, however that is not an alternative as it is meant to provide an entire environment, usually more associated with development. The install_requires is supposed to provide a sort of minimum set of libraries that are necessary to work with the standard functionality, so that when you do something like pip install [LIBRARY], everything needed is installed, without any further pip install -r requirements.txt (I am referring to cases in which the LIBRARY parameter of pip install [LIBRARY] would come in the form of a URL like git+http:\\github.com\username\repo.git).
My issue with the deprecation is that I cannot reference internal/private packages, but I can also see how this could be a problem if it is required to reference a particular commit or branch in git (at least I know I had done this in the past).
All that said, the use of dependency_links is complicated, e.g. the syntax is not always clear, there exist several ways of specifying URLs, and people tend to forget that they have to put the name-version of the library in both the dependency_links and the install_requires lists. I would like to hear that this deprecation is in favor of an improvement, but that doesn't seem to be the case.
So, to summarize, what is the reason for deprecating dependency links? Is the deprecation of dependency links in favour of a better alternative? It doesn't seem that there is an alternative.
Accepted answer
PEP 508 URL dependencies are the alternative for dependency-links. You can find more details about that in my related answer.
What is the reason for deprecating dependency links?
Security. When dependency links are enabled, pip can be made to fetch arbitrary URLs from the internet and run code from them -- something that is obviously not a good idea.
You can read more about it in the original thread proposing this: https://mail.python.org/pipermail/distutils-sig/2013-October/022937.html
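As an added illustration (not part of the original answer), here is a constructed setup.py fragment in the deprecated dependency_links layout, with a small helper that rewrites each link into the PEP 508 "name @ url" requirement the answer recommends; the package names and repository URLs are made up for the example.

```python
import re

# Constructed sample of the deprecated layout: the name-version must appear in
# install_requires AND in the #egg= fragment of the matching dependency_links
# entry, and pip only honoured it with --process-dependency-links.
OLD_INSTALL_REQUIRES = ["mylib==1.2.0", "requests>=2.20"]
OLD_DEPENDENCY_LINKS = [
    "git+https://github.com/example-org/mylib.git@v1.2.0#egg=mylib-1.2.0",
]

# egg=name-version: the version is the part after the last '-' that starts with a digit
_EGG_RE = re.compile(r"^(?P<name>.+?)(?:-(?P<version>\d.*))?$")
# leading project name of a requirement string such as "requests>=2.20"
_REQ_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def dependency_link_to_pep508(link: str) -> str:
    """Turn one dependency_links entry into a PEP 508 'name @ url' requirement.

    The part before '#' is the URL pip fetches and builds; the egg= fragment
    names the distribution.  The version suffix is dropped because the URL
    itself (here the @v1.2.0 ref) is what pins the code that gets installed.
    """
    url, _, fragment = link.partition("#")
    params = dict(p.split("=", 1) for p in fragment.split("&") if "=" in p)
    egg = params.get("egg")
    if not egg:
        raise ValueError(f"dependency link has no #egg= fragment: {link!r}")
    name = _EGG_RE.match(egg).group("name")
    return f"{name} @ {url}"


def migrate(install_requires, dependency_links):
    """Return install_requires with every name that had a link replaced by its URL form.

    Names are compared in normalized form (PEP 503 style), so 'MyLib' matches 'mylib'.
    """
    def norm(name):
        return re.sub(r"[-_.]+", "-", name).lower()

    by_name = {}
    for link in dependency_links:
        req = dependency_link_to_pep508(link)
        by_name[norm(req.split(" @ ", 1)[0])] = req
    return [by_name.get(norm(_REQ_NAME_RE.match(r).group(1)), r) for r in install_requires]


# The list you would now pass to setup(install_requires=...); dependency_links goes away.
NEW_INSTALL_REQUIRES = migrate(OLD_INSTALL_REQUIRES, OLD_DEPENDENCY_LINKS)
# -> ['mylib @ git+https://github.com/example-org/mylib.git@v1.2.0', 'requests>=2.20']
```

Installing such a requirement needs pip 18.1 or newer, and PyPI rejects uploads whose metadata contains direct URL dependencies, so this form suits private indexes and VCS installs rather than packages published to PyPI.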