Open d0c-s4vage opened 8 years ago
After a lot of research, there just isn't a reliable way to do this besides exact matches (which even then isn't 100% reliable).
PyPi hosts distributions that can be installed through `pip`. A distribution can provide zero or more packages, not necessarily even with the same package namespace. E.g. `pip install Flask`.
You could even have an evil python developer who creates two distributions: `malicious_a` and `malicious_b`. The `malicious_a` distribution could provide a python package `malicious_b`, and the `malicious_b` distribution could provide a python package `malicious_a`. Hopefully neither of those packages would ever become popular.
I should do that just for fun though :^)
wonder how long it would take to compile a mapping of the top 10000 python packages to their install names
I've decided to compile a mapping of the top 10,000 or 100,000 python packages to include with pipless. It's the only way to be sure when auto-installing packages.
PyPi exposes a "provides" field which might work in this scenario, but it requires package maintainers to be diligent and upload a PKG-INFO file.
You might also run into issues with conflicting names :(
yeah, the "provides" field isn't consistent either. The general consensus, even among the guys who do pypi development, is that you'd have to install it to be 100% sure. If a wheel was available you wouldn't have to fully install though.
I feel like that's a major failure of the entire system. "You have to give me code execution to be sure."
On Wed, Oct 12, 2016 at 9:56 PM James Johnson notifications@github.com wrote:
> yeah, the "provides" field isn't consistent either. The general consensus, even among the guys who do pypi development, is that you'd have to install it to be 100% sure. If a wheel was available you wouldn't have to fully install though.
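An added example, not pipless code and not something posted in this thread, of the wheel-only inspection the comments above hint at: a wheel is a zip archive, so the top-level import names a distribution provides can be read from its `top_level.txt` (or, failing that, from the archive layout) without executing anything, whereas an sdist only reveals its packages by running `setup.py`, which is exactly the "you have to give me code execution" problem. The wheels are constructed in memory for the example; `Flask`, `malicious_a`, `malicious_b` and `another_flask` are stand-ins, not real uploads, and distribution names are normalised the way pip does (case-folded, runs of `-`, `_` and `.` collapsed to `-`), so `malicious_a` is keyed as `malicious-a`.

```python
"""Statically map PyPI distribution names to the import packages a wheel ships.

Example written for this thread, not part of pipless. Only wheels are
inspected: they are plain zip files, so no code from the distribution runs.
"""
import io
import re
import zipfile
from collections import defaultdict

# Wheel filenames: {dist}-{version}(-{build})?-{python}-{abi}-{platform}.whl
WHEEL_NAME_RE = re.compile(
    r"^(?P<dist>[^-]+)-(?P<ver>[^-]+)(-[^-]+)?-[^-]+-[^-]+-[^-]+\.whl$")


def normalize(name):
    """PEP 503 name normalisation: case-insensitive, [-_.]+ collapses to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def wheel_top_level(filename, data):
    """Return (distribution name, set of top-level import names) for a wheel.

    Prefers {dist}-{ver}.dist-info/top_level.txt; falls back to the first path
    component of every non-metadata member, which is what the import system sees.
    """
    m = WHEEL_NAME_RE.match(filename)
    if not m:
        raise ValueError("not a wheel filename: %r" % filename)
    dist = m.group("dist")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
        for name in members:
            parts = name.split("/")
            if (len(parts) == 2 and parts[0].endswith(".dist-info")
                    and parts[1] == "top_level.txt"):
                return dist, set(zf.read(name).decode("utf-8").split())
        names = set()
        for name in members:
            top = name.split("/")[0]
            if top.endswith((".dist-info", ".data")):
                continue  # metadata and data-scheme dirs are not importable
            if "/" in name:
                names.add(top)  # package directory, e.g. flask/__init__.py
            else:
                names.add(top.split(".")[0])  # module file: foo.py or foo.<abi>.so
        return dist, names


def safe_top_level(filename, data):
    """Inspect only formats that need no code execution; refuse sdists."""
    if filename.endswith(".whl"):
        return wheel_top_level(filename, data)
    if filename.endswith((".tar.gz", ".zip")):
        raise RuntimeError("%s is an sdist; its packages are only known "
                           "after executing setup.py" % filename)
    raise ValueError("unknown distribution format: %s" % filename)


def build_mapping(wheels):
    """wheels: iterable of (filename, bytes). Returns (dist->imports, import->dists)."""
    dist_to_imports = {}
    import_to_dists = defaultdict(list)
    for filename, data in wheels:
        dist, names = wheel_top_level(filename, data)
        key = normalize(dist)
        dist_to_imports[key] = sorted(names)
        for n in names:
            import_to_dists[n].append(key)
    return dist_to_imports, dict(import_to_dists)


def conflicts(import_to_dists):
    """Import names claimed by more than one distribution: an import statement
    alone cannot tell you which one to install."""
    return {n: sorted(d) for n, d in import_to_dists.items() if len(d) > 1}


def make_wheel(dist, version, files, top_level=None):
    """Build a minimal wheel in memory (constructed test data, not a real upload)."""
    buf = io.BytesIO()
    info = "%s-%s.dist-info" % (dist, version)
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
        zf.writestr(info + "/METADATA",
                    "Metadata-Version: 2.1\nName: %s\nVersion: %s\n" % (dist, version))
        zf.writestr(info + "/WHEEL", "Wheel-Version: 1.0\n")
        if top_level is not None:
            zf.writestr(info + "/top_level.txt", "\n".join(top_level) + "\n")
    return "%s-%s-py3-none-any.whl" % (dist, version), buf.getvalue()


# Constructed sample wheels for this example; none of these are real uploads.
SAMPLE_WHEELS = [
    make_wheel("Flask", "1.0", {"flask/__init__.py": "# stand-in"}, top_level=["flask"]),
    # distribution malicious_a ships import package malicious_b ...
    make_wheel("malicious_a", "1.0", {"malicious_b/__init__.py": ""}, top_level=["malicious_b"]),
    # ... and malicious_b ships malicious_a, with no top_level.txt (layout fallback)
    make_wheel("malicious_b", "1.0", {"malicious_a/__init__.py": ""}),
    # a second distribution also claiming the "flask" import name: a conflict
    make_wheel("another_flask", "1.0", {"flask/__init__.py": "", "flask_compat.py": ""}),
]

if __name__ == "__main__":
    d2i, i2d = build_mapping(SAMPLE_WHEELS)
    for dist, names in sorted(d2i.items()):
        print("pip install %-14s -> import %s" % (dist, ", ".join(names)))
    print("conflicting import names:", conflicts(i2d))
```

Running it prints the distribution-to-import mapping, shows the two swapped `malicious_*` names resolved correctly, and flags `flask` as claimed by two distributions, the conflicting-names case raised earlier in the thread. For an environment where the packages are already installed, the equivalent mapping is available from the standard library as `importlib.metadata.packages_distributions()` (Python 3.10+), which is what "install it to be 100% sure" amounts to in practice; the wheel inspector above is the static approximation for the cases where a wheel exists.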
Perhaps use pipreqs to resolve version numbers?
E.g. `pip install Flask` vs `import flask`