Merge pull request #985 from pypa/ignore-external-and-unsafe-urls

Ignore external and unsafe urls aka PEP438

Author: dstufft

docs/logic.rst

@@ -81,6 +81,33 @@ installing pre-releases and development releases.
 
 .. _PEP426: http://www.python.org/dev/peps/pep-0426
 
+.. _`Externally Hosted Files`:
+
+Externally Hosted Files
+=======================
+
+Starting with v1.4, pip will warn about installing any file that does not come
+from the primary index. In future versions pip will default to ignoring these
+files unless asked to consider them.
+
+The ``pip install`` command supports a
+:ref:`--allow-external PROJECT <--allow-external>` option that will enable
+installing links that are linked directly from the simple index but to an
+external host that also have a supported hash fragment. Externally hosted
+files for all projects may be enabled using the
+:ref:`--allow-all-external <--allow-all-external>` flag to the ``pip install``
+command.
+
+The ``pip install`` command also supports a
+:ref:`--allow-insecure PROJECT <--allow-insecure>` option that will enable
+installing insecurely linked files. These are either directly linked (as above)
+files without a hash, or files that are linked from either the home page or the
+download url of a package.
+
+In order to get the future behavior in v1.4 the ``pip install`` command
+supports a :ref:`--no-allow-external <--no-allow-external>` and
+:ref:`--no-allow-insecure <--no-allow-external>` flags.
+
 .. _`VCS Support`:
 
 VCS Support

pip/cmdoptions.py

@@ -63,6 +63,48 @@ def make_option_group(group, parser):
     default=[],
     help='Specific mirror URLs to query when --use-mirrors is used.')
 
+allow_external = make_option(
+    "--allow-external",
+    dest="allow_external",
+    action="append",
+    default=[],
+    metavar="PACKAGE",
+    help="Allow the installation of externally hosted files",
+)
+
+allow_all_external = make_option(
+    "--allow-all-external",
+    dest="allow_all_external",
+    action="store_true",
+    default=True,  # TODO: Change to False after 1.4 has been released
+    help="Allow the installation of all externally hosted files",
+)
+
+# TODO: NOOP after 1.4 has been released
+no_allow_external = make_option(
+    "--no-allow-external",
+    dest="allow_all_external",
+    action="store_false",
+    help="Disallow the installation of all externally hosted files",
+)
+
+allow_unsafe = make_option(
+    "--allow-insecure",
+    dest="allow_insecure",
+    action="append",
+    default=[],
+    metavar="PACKAGE",
+    help="Allow the installation of insecure and unverifiable files",
+)
+
+no_allow_unsafe = make_option(
+    "--no-allow-insecure",
+    dest="allow_all_insecure",
+    action="store_false",
+    default=True,
+    help="Disallow the installation of insecure and unverifiable files"
+)
+
 requirements = make_option(
     '-r', '--requirement',
     dest='requirements',
@@ -138,6 +180,11 @@ def make_option_group(group, parser):
         no_index,
         find_links,
         use_mirrors,
-        mirrors
+        mirrors,
+        allow_external,
+        allow_all_external,
+        no_allow_external,
+        allow_unsafe,
+        no_allow_unsafe,
         ]
     }

pip/commands/install.py

@@ -162,7 +162,12 @@ def _build_package_finder(self, options, index_urls):
                              index_urls=index_urls,
                              use_mirrors=options.use_mirrors,
                              mirrors=options.mirrors,
-                             use_wheel=options.use_wheel)
+                             use_wheel=options.use_wheel,
+                             allow_external=options.allow_external,
+                             allow_insecure=options.allow_insecure,
+                             allow_all_external=options.allow_all_external,
+                             allow_all_insecure=options.allow_all_insecure,
+                            )
 
     def run(self, options, args):
         if options.download_dir: