Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This forces pip (when run with the --process-dependency-links flag) to
install sslyze from the master branch on GitHub. No version of sslyze in PyPI currently has the cryptography version fix from @egyptiankarim, so we are forced to do this in order to get pshtt and domain-scan to play nicely together. (domain-scan needs the newer version of cryptography.)
0a1c2c0
I like the idea of linking to source for our develop branch for sure! Feels very cutting edge :)
For the master branch, though, I'm thinking we take a more conservative "operational" approach and just version pin to the latest known working version from PyPI. What does the team think? I'm going to make a quick pull with how I hacked setup.py for my personal use.
In my case I have no choice but to link to the source, since I need to install domain-scan and pshtt in the same Docker container.
Note that I give the git version of the code a slightly higher version than what is in PyPI. I don't like this, but when I tried with 1.2.0beta and the like pip still installed 1.2.0 from PyPI. Is there a better version string I could use? Maybe @konklone or @IanLee1521 have some insight into this question too.
@jsf9k yeah, I don't know how that tagging works exactly, but I guess it always looks for PyPI first regardless of pointers to source. Thanks for putting this together, actually, it gave me some needed insight into how this whole dependency pipeline works in Python. Very useful!
Hmm, when I look at sslyze, I don't see a version 1.2.1 available in either PyPI (https://pypi.python.org/pypi/SSLyze) or GitHub (https://github.com/nabla-c0d3/sslyze/releases).
@jsf9k -- Are you trying to pull in the latest upstream from GitHub? Not sure I understand what you're trying to do.
In general, in order to install a dev/alpha/beta version of a code with pip, you need to use the --pre flag (https://pip.pypa.io/en/stable/reference/pip_install/#pre-release-versions)
@IanLee1521 I was forcing pip to pull sslyze from GitHub instead of PyPI, since there is a change in the repo that hasn't yet propagated to PyPI.
Based on: pypa/pip#3610 (comment) I think you want:
E.g. adding the ...@master... in the middle.
@IanLee1521, the @master isn't required if you're using the default branch. In any case, I ended up installing sslyze using pip install git+https://github.com/nabla-c0d3/sslyze.git and then installing domain-scan and pshtt. That way pip doesn't pull sslyze from PyPI.