CanardMoussant

Reputation: 923

How to protect yourself from package disappearance on pip?

We heavily use virtualenv and pip in our build system to isolate our Python deliveries. Everything is fully automated and was working fine until now.

A couple of days ago, an issue appeared: an indirect dependency was moved to a private Bitbucket repository, and pip started to prompt for a login/password, which was dramatic for continuous integration tools... And at some point, the very same dependency was removed from PyPI, so we could no longer install our environment.

In a couple of words, pip started to prompt for a user/password, which quickly became a pain (all automated tools were hanging forever...). And since today, it simply fails.

I was wondering how to have something more reliable. As I guess anyone can remove a package from PyPI, it is not safe to fully rely on it, right? I was using a cache and thought that would be enough, but apparently it always tries to connect to the internet to check the package existence.

What is recommended here? Should I download everything manually, and only refer to local paths via the variable "dependency_links" in my setup.py? Or is there something smarter?

Thanks! Emmanuel

Upvotes: 3

Views: 104

Answers (1)

newtover

Reputation: 32094

In reality, there is a more severe danger: pip downloads packages via plain HTTP, and even if you force it to use HTTPS, it cannot check if the certificate is valid (since the Python stdlib does not have the functionality either). That is, someone in the middle can mask the expected package with something that you will readily install (sometimes with sudo). That's why in a production environment it is anyway a good idea to install only separately downloaded and already checked packages.

Upvotes: 1
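The approach the answer recommends (install only packages you have already downloaded and checked) also answers the original question, because a local copy cannot disappear from under you and a recorded hash catches a substituted file. pip itself supports this workflow: `pip download -d ./vendor -r requirements.txt` fetches the artifacts once, and `pip install --no-index --find-links=./vendor --require-hashes -r requirements.txt` installs from that directory without touching the network, refusing any file whose digest does not match a `--hash=sha256:...` pin in the requirements file. (Note, as a caveat to the answer above: current pip releases do validate HTTPS certificates against a bundled CA set, but hash pinning protects you regardless of how the file was fetched.) The script below is an added example, not code from the question, the answer, or the pip project. It is a stand-alone pre-flight check a CI job can run before pip: it parses the same hash-pinned requirements syntax, locates each pinned `name==version` in the vendor directory by its wheel or sdist filename, and compares SHA-256 digests. Every package name, version and digest in `SAMPLE_REQUIREMENTS` is constructed for the example (the digests are of the literal bytes `build_sample_dir()` writes, not of any real release), and `verify_downloads` is a hypothetical helper, not a pip API.

```python
"""Pre-flight check of a vendored package directory against hash-pinned requirements.

Added example, not pip's own code. Intended to run before:
    pip install --no-index --find-links=./vendor --require-hashes -r requirements.txt
"""
import hashlib
import os
import re
import tempfile

SDIST_EXTS = (".tar.gz", ".tar.bz2", ".zip")


def normalize(name: str) -> str:
    """PEP 503 project-name normalization: 'Foo_Bar.baz' -> 'foo-bar-baz'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str):
    """Yield (name, version, {algo: {hexdigest, ...}}) per exactly pinned line.

    Handles the subset --require-hashes mode relies on: 'name==version'
    followed by one or more '--hash=<algo>:<hex>' options, with optional
    backslash line continuations and '#' comments.
    """
    logical = text.replace("\\\n", " ")          # join continued lines
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)", tokens[0])
        if not m:
            raise ValueError(f"not an exactly pinned requirement: {tokens[0]!r}")
        hashes = {}
        for tok in tokens[1:]:
            if tok.startswith("--hash="):
                algo, _, hexdigest = tok[len("--hash="):].partition(":")
                hashes.setdefault(algo.lower(), set()).add(hexdigest.lower())
        if not hashes:  # an unpinned line would make --require-hashes fail anyway
            raise ValueError(f"no --hash for {tokens[0]!r}; refusing to trust it")
        yield m.group(1), m.group(2), hashes


def dist_files(directory: str, name: str, version: str):
    """Artifacts in `directory` whose filename encodes exactly name==version.

    Wheels are 'dist-version-...whl'; sdists are 'dist-version.tar.gz' (or
    .zip/.tar.bz2). Versions are compared as strings, so pin them verbatim.
    """
    want = normalize(name)
    for fn in sorted(os.listdir(directory)):
        if fn.endswith(".whl"):
            parts = fn[:-len(".whl")].split("-")
            if len(parts) >= 2 and normalize(parts[0]) == want and parts[1] == version:
                yield os.path.join(directory, fn)
        else:
            for ext in SDIST_EXTS:
                if fn.endswith(ext):
                    dist, sep, ver = fn[:-len(ext)].rpartition("-")
                    if sep and normalize(dist) == want and ver == version:
                        yield os.path.join(directory, fn)
                    break


def file_digest(path: str, algo: str) -> str:
    """Streamed hex digest of a file with the named hashlib algorithm."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(requirements: str, directory: str) -> dict:
    """Return {name: 'ok' | 'missing' | 'hash-mismatch'} for every pinned line.

    'ok' requires that *every* artifact found for name==version matches one
    of its pinned digests; a single stray or tampered file fails the package.
    """
    results = {}
    for name, version, hashes in parse_requirements(requirements):
        files = list(dist_files(directory, name, version))
        if not files:
            results[name] = "missing"
        elif all(any(file_digest(p, algo) in ok for algo, ok in hashes.items())
                 for p in files):
            results[name] = "ok"
        else:
            results[name] = "hash-mismatch"
    return results


# Constructed sample input: digests are SHA-256 of the bytes written below
# (sha256(b"abc") and sha256(b"")), not of any real package release.
SAMPLE_REQUIREMENTS = """\
# vendored, hash-pinned requirements (constructed for this example)
foo==1.0 --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
Bar_Lib==2.0 \\
    --hash=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
baz==3.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
qux==4.0 --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""


def build_sample_dir() -> str:
    """Write constructed artifacts into a fresh temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="vendor-")
    files = {
        "foo-1.0.tar.gz": b"abc",                 # sdist, digest matches its pin
        "bar_lib-2.0-py3-none-any.whl": b"",      # wheel, name normalized to match
        "foo-1.0.1.tar.gz": b"abc",               # other version: ignored for foo==1.0
        "qux-4.0-py3-none-any.whl": b"xyz",       # tampered: digest != pin
    }
    for fn, data in files.items():
        with open(os.path.join(d, fn), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    import sys
    report = verify_downloads(SAMPLE_REQUIREMENTS, build_sample_dir())
    for pkg, status in report.items():
        print(f"{pkg:10s} {status}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

Running it reports `foo` and `Bar_Lib` as `ok`, `baz` as `missing` (the "package disappeared" case: the fix is to restore it to the vendor directory from backup, not to go back to the index) and `qux` as `hash-mismatch` (the substituted-file case the answer warns about), exiting non-zero so the build stops before any `pip install` runs. Generate the `--hash` lines once from artifacts you have inspected, for example with `pip hash` or `sha256sum`, and commit both the requirements file and the vendor directory (or a mirror of it) alongside the build.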
