d0c-s4vage / pipless

Simplifies the Python dev lifecycle by automagically: creating virtualenvs, installing packages, generating requirements
MIT License

package search with pypi fails when package name doesn't match install name #5

Open d0c-s4vage opened 8 years ago

d0c-s4vage commented 8 years ago

E.g. pip install Flask vs import flask

d0c-s4vage commented 8 years ago

After a lot of research, there just isn't a reliable way to do this besides exact matches (which even then isn't 100% reliable).

PyPI hosts distributions that can be installed through pip. A distribution can provide zero or more packages, not necessarily even with the same package namespace. E.g. pip install Flask.

You could even have an evil python developer who creates two distributions: malicious_a and malicious_b. The malicious_a distribution could provide a python package malicious_b, and the malicious_b distribution could provide a python package malicious_a. Hopefully neither of those packages would ever become popular.

I should do that just for fun though :^)

d0c-s4vage commented 8 years ago

wonder how long it would take to compile a mapping of the top 10000 python packages to their install names

d0c-s4vage commented 8 years ago

I've decided to compile a mapping of the top 10,000 or 100,000 python packages to include with pipless. It's the only way to be sure when auto-installing packages.

zachriggle commented 8 years ago

PyPI exposes a "provides" field which might work in this scenario, but it requires package maintainers to be diligent and upload a PKG-INFO file.

zachriggle commented 8 years ago

You might also run into issues with conflicting names :(

d0c-s4vage commented 8 years ago

yeah, the "provides" field isn't consistent either. The general consensus, even among the guys who do pypi development, is that you'd have to install it to be 100% sure. If a wheel was available you wouldn't have to fully install though.
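As an added example, not code from the thread or from pipless: the comment above notes that a wheel lets you learn what a distribution installs without fully installing it. A wheel is a zip archive whose `.dist-info` directory carries a mandatory RECORD manifest and, when setuptools produced it, an optional top_level.txt, so the import names can be read from metadata alone with nothing from the archive executed. The code below does that, and constructs as fixtures the two cases raised earlier in the thread: the `Flask`/`flask` naming difference, and a hypothetical `malicious_a` distribution whose wheel provides a package named `malicious_b`. The function names `build_wheel`, `inspect_wheel` and `import_names_not_matching`, and the in-memory wheels, are this example's own choices, not pipless APIs or real PyPI artifacts.

```python
"""Read the import names a wheel provides from its metadata, without installing it."""
import io
import re
import zipfile
from pathlib import PurePosixPath


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _top_name(path):
    """Top-level import name for an installed path: 'flask/app.py' -> 'flask', 'six.py' -> 'six'."""
    first = PurePosixPath(path).parts[0]
    return first[:-3] if first.endswith(".py") else first


def build_wheel(dist_name, version, files, with_top_level=True):
    """Construct a minimal wheel in memory. Test fixture only, not a real PyPI artifact."""
    info_dir = f"{dist_name}-{version}.dist-info"
    record = []
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
            record.append(f"{path},,")
        zf.writestr(f"{info_dir}/METADATA",
                    f"Metadata-Version: 2.1\nName: {dist_name}\nVersion: {version}\n")
        record.append(f"{info_dir}/METADATA,,")
        if with_top_level:  # top_level.txt is optional; many wheels lack it
            tops = sorted({_top_name(p) for p in files})
            zf.writestr(f"{info_dir}/top_level.txt", "\n".join(tops) + "\n")
            record.append(f"{info_dir}/top_level.txt,,")
        record.append(f"{info_dir}/RECORD,,")
        zf.writestr(f"{info_dir}/RECORD", "\n".join(record) + "\n")
    return buf.getvalue()


def inspect_wheel(wheel_bytes):
    """Return (distribution_name, set_of_top_level_import_names) from wheel metadata.

    Prefers top_level.txt; otherwise derives the names from the RECORD manifest,
    which every wheel must contain. The archive is never extracted or imported.
    """
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        members = zf.namelist()
        info_dirs = {m.split("/")[0] for m in members if m.split("/")[0].endswith(".dist-info")}
        if len(info_dirs) != 1:
            raise ValueError("not a wheel: expected exactly one .dist-info directory")
        info_dir = info_dirs.pop()
        # '<dist>-<version>.dist-info' -> '<dist>'
        dist_name = info_dir[: -len(".dist-info")].rsplit("-", 1)[0]
        top_level = f"{info_dir}/top_level.txt"
        if top_level in members:
            lines = zf.read(top_level).decode("utf-8").splitlines()
            return dist_name, {l.strip() for l in lines if l.strip()}
        names = set()
        for line in zf.read(f"{info_dir}/RECORD").decode("utf-8").splitlines():
            if not line.strip():
                continue
            path = line.split(",")[0]  # RECORD rows are: path,hash,size
            first = PurePosixPath(path).parts[0]
            if first.endswith((".dist-info", ".data")):
                continue  # metadata and data directories are not importable
            names.add(_top_name(path))
        return dist_name, names


def import_names_not_matching(wheel_bytes):
    """Import names whose normalized form differs from the distribution's normalized name."""
    dist_name, names = inspect_wheel(wheel_bytes)
    return {n for n in names if normalize(n) != normalize(dist_name)}


# Constructed fixtures: the Flask/flask case from the issue, and the hypothetical
# distribution that ships a package under a different name.
FLASK = build_wheel("Flask", "1.0", {"flask/__init__.py": "", "flask/app.py": ""})
MALICIOUS_A = build_wheel("malicious_a", "0.1",
                          {"malicious_b/__init__.py": "print('not executed here')"},
                          with_top_level=False)

if __name__ == "__main__":
    for label, wheel in (("Flask", FLASK), ("malicious_a", MALICIOUS_A)):
        dist, names = inspect_wheel(wheel)
        print(f"{label}: distribution={dist!r} imports={sorted(names)} "
              f"mismatch={sorted(import_names_not_matching(wheel))}")
```

Two caveats worth keeping in mind. A literal lookup of "Flask" against "flask" fails, but after PEP 503 normalization the names agree, so the mapping needs to compare normalized forms; the `malicious_a` wheel, which has no top_level.txt, is resolved from RECORD and is flagged because nothing it provides matches its distribution name. None of this helps for a distribution published only as an sdist, where the install names are decided by running setup.py, which is exactly the "you have to install it to be sure" problem.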

zachriggle commented 8 years ago

I feel like that's a major failure of the entire system. "You have to give me code execution to be sure."

d0c-s4vage commented 7 years ago

Perhaps use pipreqs to resolve version numbers?