Open matthewdeanmartin opened 2 years ago
Hi @matthewdeanmartin, thanks for the issue! I think this is probably a duplicate of https://github.com/trailofbits/pip-audit/issues/46, but I'll let you decide.
> I considered personally convincing every active package on pypi to publish a wheel and then filing a PEP 541 action on the rest, but I'm limited by my finite lifespan.
You and me both, buddy 🙃
I was also going to xref #46, but I think we can leave this open as a subissue, since it specifically concerns one possible way we can support additional indices (respecting the user's `pip.conf`, rather than requiring the user to duplicate all of their index information for both `pip` and `pip-audit`).
@woodruffw you read my mind. Getting my devs to config pip.conf correctly is challenge enough without teaching them two ways to list the pypi servers and their precedence.
I see the challenge of deciding if a package from private server X is problematic but the same package on public pypi is not & vice versa (i.e. guess the names of packages that corps use on their private pypi repos, e.g. `apple_corp_python_code` on a private server is good, but on a pypi server it is probably an attempt to hack apple corp).
CC @jleightcap: this is another good one to look at!
**Is your feature request related to a problem? Please describe.**

I'm trying to use `pip-audit` without ever running setup.py of a package being audited. I have discovered `export PIP_ONLY_BINARY=:all:`, which forces pip to only install if there is a wheel, and `pip-audit` will respect that. So far so good, but now it will blow up on all packages without wheels.

I considered personally convincing every active package on pypi to publish a wheel and then filing a PEP 541 action on the rest, but I'm limited by my finite lifespan.
Fortunately, piwheels has republished everything on pypi in wheel format and accidentally solved this * for me. So I edit ~/pip/pip.conf and add

```ini
extra-index-url=https://www.piwheels.org/simple
```

requirements.txt has only

```
termcolor==*
```

That demonstrates that pip-audit respects the 'install only wheels' flag, but doesn't respect the 'download wheels from the only place that has them all' flag, but pip does.
**Describe the solution you'd like**

Do what pip does.

**Describe alternatives you've considered**

PEP 541 against all packages without wheels.

**Additional context**

N/A
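The two mechanics this thread turns on are (a) how pip assembles its index list from `pip.conf` and `PIP_*` environment variables, which is what "do what pip does" asks pip-audit to mirror, and (b) the dependency-confusion risk raised in the comments once a private index sits beside public ones. The script below is an added example, not pip's or pip-audit's own code: it resolves the ordered index list with pip's documented precedence (environment variables override config files, a command section such as `[install]` overrides `[global]`, later config files override earlier ones) and then flags package names that more than one resolved index serves. The `https://pypi.example-corp.internal/simple` URL, the sample `pip.conf`, and the per-index package listings are all constructed for the demo; a real tool would query each index instead.

```python
"""Added example (not pip's or pip-audit's code): resolve pip's index list from
pip.conf plus PIP_* environment variables, then flag names served by more than
one of those indexes.

Assumptions: precedence follows pip's documented order (env vars override
config files; [install] overrides [global]; later config files override
earlier ones). The private index URL and the index listings are constructed."""
import configparser
from typing import Dict, Iterable, List, Mapping, Set

PYPI = "https://pypi.org/simple"

# Constructed sample pip.conf: a public mirror plus a hypothetical private index.
SAMPLE_PIP_CONF = """
[global]
timeout = 60
index-url = https://pypi.org/simple

[install]
extra-index-url =
    https://www.piwheels.org/simple
    https://pypi.example-corp.internal/simple
"""

# Constructed per-index listings standing in for what a real query would return.
SAMPLE_LISTINGS: Dict[str, Set[str]] = {
    PYPI: {"termcolor", "requests", "apple_corp_python_code"},
    "https://www.piwheels.org/simple": {"termcolor", "requests"},
    "https://pypi.example-corp.internal/simple": {"apple_corp_python_code", "corp_internal_tool"},
}


def _split_urls(value: str) -> List[str]:
    """pip lets extra-index-url carry several URLs separated by whitespace or newlines."""
    return [u for u in value.split() if u]


def _from_config(text: str, command: str = "install") -> Dict[str, str]:
    """Pull index-url / extra-index-url out of one pip.conf body.
    The command section ([install]) is read after [global] so it overrides it."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    found: Dict[str, str] = {}
    for section in ("global", command):
        if not cp.has_section(section):
            continue
        for key in ("index-url", "extra-index-url"):
            if cp.has_option(section, key):
                found[key] = cp.get(section, key)
    return found


def resolve_indexes(config_texts: Iterable[str], env: Mapping[str, str]) -> List[str]:
    """Ordered list of indexes pip would consult: index-url first, then each
    extra-index-url, duplicates dropped while preserving order."""
    settings: Dict[str, str] = {}
    for text in config_texts:  # e.g. global, user, site config: later overrides earlier
        settings.update(_from_config(text))
    # PIP_<OPTION> environment variables override every config file.
    for key, var in (("index-url", "PIP_INDEX_URL"),
                     ("extra-index-url", "PIP_EXTRA_INDEX_URL")):
        if var in env:
            settings[key] = env[var]
    urls = [settings.get("index-url", PYPI).strip()]
    urls += _split_urls(settings.get("extra-index-url", ""))
    ordered: List[str] = []
    for u in urls:
        if u not in ordered:
            ordered.append(u)
    return ordered


def ambiguous_packages(listings: Mapping[str, Set[str]],
                       indexes: List[str]) -> Dict[str, List[str]]:
    """Names served by more than one resolved index. pip gives index-url no
    priority over extra-index-url (it picks the best version across all of
    them), so any of these indexes can win the install."""
    hits: Dict[str, List[str]] = {}
    for url in indexes:
        for name in listings.get(url, set()):
            hits.setdefault(name, []).append(url)
    return {n: urls for n, urls in hits.items() if len(urls) > 1}


def confusion_candidates(listings: Mapping[str, Set[str]], indexes: List[str],
                         public: Set[str]) -> Set[str]:
    """Ambiguous names that exist on both a non-public and a public index: the
    pattern from the thread (a corp-only name that also shows up on PyPI)."""
    out: Set[str] = set()
    for name, urls in ambiguous_packages(listings, indexes).items():
        if any(u in public for u in urls) and any(u not in public for u in urls):
            out.add(name)
    return out


if __name__ == "__main__":
    idx = resolve_indexes([SAMPLE_PIP_CONF], {})
    print("indexes:", idx)
    for name, urls in ambiguous_packages(SAMPLE_LISTINGS, idx).items():
        print(f"{name}: served by {urls}")
    public = {PYPI, "https://www.piwheels.org/simple"}
    print("confusion candidates:", confusion_candidates(SAMPLE_LISTINGS, idx, public))
```

Note that `termcolor` appearing on both pypi.org and piwheels is expected (piwheels mirrors PyPI), so the check treats both as public and only reports `apple_corp_python_code`, which the private index and PyPI both claim; a real audit would additionally compare versions, since pip takes the highest matching release wherever it lives.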