This forces pip (when run with the --process-dependency-links flag) to
install sslyze from the master branch on GitHub.  No version of sslyze
in PyPI currently has the cryptography version fix from
@egyptiankarim, so we are forced to do this in order to get pshtt and
domain-scan to play nicely together.  (domain-scan needs the newer
version of cryptography.)
jsf9k committed Dec 7, 2017
1 parent 4e9505d commit 0a1c2c0
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion setup.py
Expand Up @@ -59,7 +59,7 @@

install_requires=[
'requests>=2.18.4',
'sslyze>=1.1.0',
'sslyze>=1.2.1',
'wget>=3.2',
'docopt',
'pytablereader',
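Review bot: the new floor 'sslyze>=1.2.1' in install_requires names a version that, per the commit message, no PyPI release provides, so a plain pip install without --process-dependency-links cannot satisfy it. Add a comment beside this line, and a note in the install instructions, stating that the requirement only resolves through the dependency link and should be replaced by a released PyPI version once one carries the cryptography fix.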
Expand All @@ -76,6 +76,10 @@
],
},

dependency_links=[
'git+https://github.com/nabla-c0d3/sslyze.git#egg=sslyze-1.2.1'
],

# Conveniently allows one to run the CLI tool as `pshtt`
entry_points={
'console_scripts': [
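Review bot: the dependency_links URL carries no ref, so it installs whatever the upstream default branch holds at install time, while the #egg=sslyze-1.2.1 fragment labels that moving target as a fixed version. Pin the URL to a reviewed commit (...sslyze.git@<commit-sha>#egg=sslyze-1.2.1) so that two builds of the same setup.py install the same code, and add a comment above the list saying why the link is needed and when it can be dropped.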
7 comments on commit 0a1c2c0

@egyptiankarim
Contributor

I like the idea of linking to source for our develop branch for sure! Feels very cutting edge :)

For the master branch, though, I'm thinking we take a more conservative "operational" approach and just version pin to the latest known working version from PyPI. What does the team think? I'm going to make a quick pull with how I hacked setup.py for my personal use.

@jsf9k
Member Author

jsf9k commented on 0a1c2c0 Dec 8, 2017

In my case I have no choice but to link to the source, since I need to install domain-scan and pshtt in the same Docker container.

Note that I give the git version of the code a slightly higher version than what is in PyPI. I don't like this, but when I tried with 1.2.0beta and the like, pip still installed 1.2.0 from PyPI. Is there a better version string I could use? Maybe @konklone or @IanLee1521 have some insight into this question too.

@egyptiankarim
Contributor

@jsf9k yeah, I don't know how that tagging works exactly, but I guess it always looks for PyPI first regardless of pointers to source. Thanks for putting this together, actually, it gave me some needed insight into how this whole dependency pipeline works in Python. Very useful!

@IanLee1521
Collaborator

Hmm, when I look at sslyze, I don't see a version 1.2.1 available in either PyPI (https://pypi.python.org/pypi/SSLyze) or GitHub (https://github.com/nabla-c0d3/sslyze/releases).

@jsf9k -- Are you trying to pull in the latest upstream from GitHub? Not sure I understand what you're trying to do.

In general, in order to install a dev/alpha/beta version of a code with pip, you need to use the --pre flag (https://pip.pypa.io/en/stable/reference/pip_install/#pre-release-versions)

@jsf9k
Member Author

jsf9k commented on 0a1c2c0 Dec 8, 2017

@IanLee1521 I was forcing pip to pull sslyze from GitHub instead of PyPI, since there is a change in the repo that hasn't yet propagated to PyPI.

@IanLee1521
Collaborator

Based on: pypa/pip#3610 (comment) I think you want:

'git+https://github.com/nabla-c0d3/sslyze.git@master#egg=sslyze-1.2.1-dev'

E.g. adding the ...@master... in the middle.

@jsf9k
Member Author

jsf9k commented on 0a1c2c0 Dec 10, 2017

@IanLee1521, the @master isn't required if you're using the default branch. In any case, I ended up installing sslyze using pip install git+https://github.com/nabla-c0d3/sslyze.git and then installing domain-scan and pshtt. That way pip doesn't pull sslyze from PyPI.
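
Added example, not part of the thread or of pshtt's code: a small audit that classifies the two link forms quoted above (with and without `@master`) by what their ref resolves to, so links that can change underneath an unchanged setup.py are flagged. The function names are hypothetical, and the third sample link uses a constructed placeholder commit id.

```python
import re
from urllib.parse import urlsplit

# A full 40-hex SHA-1 is the only ref treated as immutable here;
# branch names and tags can be re-pointed upstream.
_COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")

# The first two links are quoted on this page; the third is constructed,
# with a placeholder commit id.
SAMPLE_LINKS = [
    "git+https://github.com/nabla-c0d3/sslyze.git#egg=sslyze-1.2.1",
    "git+https://github.com/nabla-c0d3/sslyze.git@master#egg=sslyze-1.2.1-dev",
    "git+https://github.com/nabla-c0d3/sslyze.git"
    "@0123456789abcdef0123456789abcdef01234567#egg=sslyze-1.2.1",
]


def classify_vcs_link(link):
    """Split 'git+<url>[@ref]#egg=<name>' and say how firmly it is pinned."""
    if not link.startswith("git+"):
        raise ValueError("not a git+ VCS link: %r" % link)
    parts = urlsplit(link[len("git+"):])
    # The ref follows the last '@' in the path; an '@' in the netloc
    # (e.g. git+ssh://git@host/...) is userinfo and is left alone.
    path, sep, ref = parts.path.rpartition("@")
    if not sep:
        path, ref = parts.path, None
    egg = None
    for item in parts.fragment.split("&"):
        if item.startswith("egg="):
            egg = item[len("egg="):]
    if ref is None:
        pin = "default-branch"      # whatever the default branch holds at install time
    elif _COMMIT_RE.match(ref.lower()):
        pin = "commit"              # fixed content
    else:
        pin = "movable-ref"         # branch or tag name
    repo = "%s://%s%s" % (parts.scheme, parts.netloc, path)
    return {"repo": repo, "ref": ref, "egg": egg, "pin": pin}


def unpinned_links(links):
    """Return the links whose installed code can change without the link changing."""
    return [l for l in links if classify_vcs_link(l)["pin"] != "commit"]


if __name__ == "__main__":
    for link in unpinned_links(SAMPLE_LINKS):
        print("not pinned to a commit:", link)
```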