graingert / pip-compile


could pip-compile package require pip-tools #1

Open graingert opened 4 years ago

graingert commented 4 years ago

moved from https://github.com/jazzband/pip-tools/issues/1000

atugushev commented 4 years ago

@graingert

I can't find a way to depend on a package (pip-tools) so that package is installed and error the installation such that the current package (pip-compile) does not stay installed. E.g. I want to prevent pip-compile ever being added to an install_requires or pinned into a requirements.txt

That's a trade-off, there is no way to prevent pip-compile from installing. But it's fine by me as long as pip-tools would be installed as well.

What do you think?
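The check graingert describes wanting above (keeping pip-compile out of an install_requires list or a pinned requirements.txt) can be done on the consumer side with a small lint. The following is an added example, not code from the pip-compile placeholder project or from pip-tools; the alias map of placeholder names to the real project is taken from this thread, and the sample requirements file is constructed for illustration.

```python
import re
import sys

# Placeholder names discussed in this thread, mapped to the project people
# actually want. The map itself is an assumption for illustration.
PLACEHOLDER_NAMES = {
    "pip-compile": "pip-tools",
    "pip-sync": "pip-tools",
}

# Constructed sample requirements.txt; the pins are made up.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
-r base.txt
pip-tools==6.8.0
pip_compile>=1.0  ; python_version >= "3.7"
Pip-Sync
requests[security]==2.31.0
"""

# First token of a requirement line: the project name (PEP 508 name charset).
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def canonicalize(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str):
    """Return the canonical project name from one requirement line.

    Returns None for blank lines, comments, and option lines such as
    '-r other.txt', '-e .', or '--index-url ...'.
    """
    line = line.split("#", 1)[0].strip()  # drop trailing comments
    if not line or line.startswith("-"):
        return None
    match = _REQ_NAME.match(line)
    return canonicalize(match.group(1)) if match else None


def find_placeholders(requirements):
    """Scan an iterable of requirement strings (file lines or an
    install_requires list) and return (line_number, found, intended) tuples
    for every reference to a known placeholder name."""
    findings = []
    for lineno, line in enumerate(requirements, 1):
        name = requirement_name(line)
        if name in PLACEHOLDER_NAMES:
            findings.append((lineno, name, PLACEHOLDER_NAMES[name]))
    return findings


def check_install_requires(install_requires):
    """Raise if a setup.py/pyproject dependency list names a placeholder,
    so the mistake is caught when the package is built rather than later."""
    findings = find_placeholders(install_requires)
    if findings:
        details = ", ".join(f"{found} -> use {intended}" for _, found, intended in findings)
        raise ValueError(f"placeholder dependencies found: {details}")
    return True


def main(paths):
    """CLI: lint each requirements file given on the command line."""
    status = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for lineno, found, intended in find_placeholders(fh):
                print(f"{path}:{lineno}: '{found}' is a placeholder, depend on '{intended}' instead")
                status = 1
    return status


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for lineno, found, intended in find_placeholders(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"line {lineno}: '{found}' is a placeholder, depend on '{intended}' instead")
```

Run it with one or more requirements files as arguments in CI, or call check_install_requires() from a build script; name normalisation follows PEP 503, so pip_compile, Pip-Compile and pip.compile are all caught.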

atugushev commented 4 years ago

Probably worth throwing a warning about pip install pip-tools also.

graingert commented 4 years ago

@atugushev pip hides the console output of successfully installed packages

atugushev commented 4 years ago

pip hides the console output of successfully installed packages

yeah, right...

jezdez commented 4 years ago

Hey folks, I just noticed that this project exists and that this is probably there to prevent someone releasing a pip-compile package with a malicious payload, right @graingert?

I'd like to add @vphilippon and @davidovich as project leads in addition to @atugushev to the discussion since I believe a better fix would be to block the project on PyPI directly using its block list feature.

@ewdurbin Could you advise how to add pip-compile and pip-sync as blocked names to PyPI please?

ewdurbin commented 4 years ago

For the time being, pip-sync has been added to the prohibited names, as there was no project registered with that name. This can be changed if another decision is reached by the maintainers of pip-tools.

If @graingert is OK with the removal of the pip-compile project and confirms that here, pip-compile can be similarly removed and prohibited from registration. If @graingert does not consent, you'd need to file a PEP 541 request here.

graingert commented 4 years ago

@ewdurbin can you make it so the project page HTTP redirects to pip-compile?

graingert commented 4 years ago

Hey folks, I just noticed that this project exists and that this is probably there to prevent someone releasing a pip-compile package with a malicious payload, right @graingert?

Yes, and also because people were finding that "pip-tools" doesn't exist and giving up

ewdurbin commented 4 years ago

@ewdurbin can you make it so the project page HTTP redirects to pip-compile?

Unfortunately no, PyPI does not support these kinds of redirects at this time.

graingert commented 4 years ago

@ewdurbin https://github.com/pypa/warehouse/issues/7840

jezdez commented 4 years ago

@ewdurbin Thanks for the help, I've opened https://github.com/pypa/pypi-support/issues/336 to have a paper trail for this transfer.

ewdurbin commented 4 years ago

okay, pip-compile has similarly been removed and prohibited from re-registration per https://github.com/pypa/pypi-support/issues/336#issuecomment-618411159.