Closed by edmorley 8 years ago
--allow-unverified was removed in:
https://github.com/pypa/pip/commit/0f5d4286a5c6fc55832ef4c8c036fdce068cdf3b
Given that the behaviour it added ("Allow the installation of a package even if it is hosted in an insecure and unverifiable way") seems undesirable for peep, I would suggest we drop support for it entirely, and not just for pip v8.
https://github.com/erikrose/peep/blob/4215691b9fdcdad7297141976c5dccca26427aa8/peep.py#L365
The security lost by files "hosted in an insecure and unverifiable way" is almost entirely restored by our hash-checking. (The only exception is that your requests aren't encrypted on the wire.) So it's not a total no-brainer. Still, it sure makes pip 8 support easy, and I doubt people are using it much.
Updating to pip v8.0.0 gives me this TypeError with peep v2.5.0.
I know hashing support has been added to pip v8; however, if peep supported pip v8, it would make the transition easier, since we could update the pip used first, and only then update our requirements files/{pip,peep} invocations :-)
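The hash check discussed in this thread, and the requirements-file transition to pip 8, sketched as an added example (not code from peep, pip, or any participant here). It assumes peep's `# sha256:` comment format (URL-safe base64 of the digest with `=` padding stripped, placed above the requirement) and pip 8's `--hash=sha256:<hex>` option; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed stand-in for a downloaded archive's bytes.
SAMPLE_ARCHIVE = b"constructed sample sdist bytes"

# peep-style annotation line: "# sha256: <43 URL-safe base64 characters>"
PEEP_HASH_RE = re.compile(r"^\s*#\s*sha256:\s*([A-Za-z0-9_-]{43})\s*$")


def peep_hash(data):
    """SHA-256 of the archive bytes in peep's encoding (base64url, no padding)."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def peep_to_hex(encoded):
    """Re-encode a peep-style hash as the hex digest pip 8 expects."""
    raw = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    if len(raw) != 32:
        raise ValueError("not a SHA-256 digest")
    return raw.hex()


def verify(data, allowed):
    """Accept the archive only if its hash is one of the pinned values.

    The transport does not matter here: bytes altered on an unverified
    host or in transit produce a different digest and are rejected.
    """
    return peep_hash(data) in allowed


def convert_requirements(text):
    """Rewrite peep-style hash comments as pip 8 --hash options."""
    out, pending = [], []
    for line in text.splitlines():
        match = PEEP_HASH_RE.match(line)
        if match:
            pending.append(peep_to_hex(match.group(1)))
        elif line.strip() and not line.lstrip().startswith("#"):
            # Requirement line: attach every hash collected above it.
            out.append(line.strip() + "".join(" --hash=sha256:" + h for h in pending))
            pending = []
        else:
            out.append(line)  # blank lines and ordinary comments pass through
    return "\n".join(out)
```

A requirement with no hash comment above it is passed through unchanged, so it will still need a hash before pip 8's hash-checking mode accepts the file.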