find-links should override allow-hosts - avoid allowing all of "github.com"

[ghost]

Originally reported by: lrowe (Bitbucket: lrowe, GitHub: lrowe)

---

I like to restrict installation to pypi, but sometimes I need to use a particular tag tarball from a personal fork of a package. Currently that requires adding "github.com" to allow-hosts, which is far too broad.

It looks like this could be achieved by populating a set of always allowed urls in add_find_links which would be okayed by url_ok regardless of the configured allowed hosts (as 'file' scheme urls are.)

(I'm using buildout, but digging into the code it looks like the underlying issue is from setuptools.)

---

• Bitbucket: https://bitbucket.org/pypa/setuptools/issue/133

[ghost]

Original comment by mgedmin (Bitbucket: mgedmin, GitHub: mgedmin):

---

Can you clarify if you're talking about --find-links on the easy_install command line/find-links= in buildout.cfg, or about setup(find_links=...), or both?

I use allow-hosts specifically to disable random setup.py files arbitrarily specifying other package sources with find_links. (I don't see any other reason for even having allow-hosts.)

Now --find-links on the command line or in buildout.cfg, I don't think I would mind those overriding allow-hosts.

[ghost]

Original comment by lrowe (Bitbucket: lrowe, GitHub: lrowe):

---

Only easy-install's --find-links and buildout's find-links, not the project level find_links.

[abravalheri]

Hello, I suppose we can close this issue now that easy_install and the direct usage of python setup.py install have been deprecated and widely replace by other installation means, such as pypa/pip.

If anyone would like to reopen this issue, please feel free to write a new comment with more information or other use cases that we might be missing 😄.