Show deprecation warning against --trusted-host with port part. #6710

Closed
wants to merge 3 commits into from

frostming
Contributor

Following #6705 #6709

@frostming frostming changed the title Show deprecation warning against --trusted-host with port part. Show deprecation warning against --trusted-host with port part. Jul 14, 2019
@cjerdonek
Member

@frostming Does pip’s code support trusting an individual host-port combination without also trusting the host as a whole?

@frostming
Contributor Author

@cjerdonek For HTTPS, yes, but HTTP will abort with a warning.

So we should deprecate the usage of a host with a port part.

@cjerdonek
Member

> So we should deprecate the usage of a host with a port part.

I'm not sure yet. If it's useful, maybe we should be officially supporting that use case, and then update the documentation of --trusted-host to reflect that. Do you have an opinion? Also, maybe one of us can open a new issue, and then I can mark it "discussion needed."

@cjerdonek
Member

> HTTP will abort with a warning.

Can you show what that abort and warning looks like, btw?

@frostming
Contributor Author

frostming commented Aug 16, 2019

@cjerdonek Here it is

```
$ pip install -i http://localtest.me:5000 urllib3 --trusted-host localtest.me:5000
Looking in indexes: http://localtest.me:5000
Collecting urllib3
  The repository located at localtest.me is not a trusted or secure host and is being ignored. If this repository is available via HTTPS we recommend you use HTTPS instead, otherwise you may silence this warning and allow it anyway with '--trusted-host localtest.me'.
  Could not find a version that satisfies the requirement urllib3 (from versions: )
No matching distribution found for urllib3
```

> I'm not sure yet. If it's useful, maybe we should be officially supporting that use case, and then update the documentation of --trusted-host to reflect that. Do you have an opinion?

I prefer pip to accept both and do corresponding handling.
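
One way the "accept both" handling proposed above could look, as an added example that is not pip's code and not part of this thread: a bare host entry covers every port on that host, while a `host:port` entry covers only that port. The function names and the default-port table are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumption for this example: only these two schemes get an implied port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_trusted_host(entry):
    """Split a trusted-host value into (hostname, port or None).

    Accepts "host", "host:port" and bracketed IPv6 such as "[::1]:8080".
    Rejects anything carrying a scheme, path, query or userinfo, so a
    mistyped URL is never silently treated as a host name.
    """
    entry = entry.strip()
    parts = urlsplit("//" + entry)
    if not parts.hostname or parts.netloc != entry or parts.username is not None:
        raise ValueError(f"not a host or host:port value: {entry!r}")
    # parts.port raises ValueError for a non-numeric or out-of-range port.
    return parts.hostname.lower(), parts.port


def is_trusted_origin(url, trusted_entries):
    """Return True if the origin of `url` is covered by a trusted entry."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    for entry in trusted_entries:
        trusted_host, trusted_port = parse_trusted_host(entry)
        if trusted_host != host:
            continue
        # Bare host: every port is trusted.
        # host:port: only that port is trusted, so trust is not widened
        # to other services listening on the same machine.
        if trusted_port is None or trusted_port == port:
            return True
    return False
```

With this policy, `localtest.me:5000` covers the index at `http://localtest.me:5000` from the session above but not a different port on the same host.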

@frostming
Contributor Author

> Also, maybe one of us can open a new issue, and then I can mark it "discussion needed."

Sure, I created #6886 to track the discussion.

@cjerdonek
Member

Thanks! I noticed, and added some additional info to the ticket.

@frostming
Contributor Author

Close this PR in favor of #6909

@frostming frostming closed this Aug 23, 2019
@lock lock bot added the auto-locked Outdated issues that have been locked by automation label Sep 22, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Sep 22, 2019