API to customise file downloading

[ghost]

Originally reported by: wichert (Bitbucket: wichert, GitHub: wichert)

---

There are valid reasons for customising how URLs are loaded. For example lovely.buildouthttp does this to support authentication for private servers. zc.buildoutsftp has a similar need.

Since setuptools does not expose an API for this those tools try to do this by replacing the URL opener setuptools uses, but this is fragile and causes breakage when setuptools internals change. Ticket #61 is an example of this. It would be useful if setuptools had an API that makes it possible to hook into the URL downloading process to make this more flexible.

---

• Bitbucket: https://bitbucket.org/pypa/setuptools/issue/149

[silkentrance]

This might be a major security issue as files might be downloaded from untrusted sources, without the user's consent, especially in automated build environments.

I strongly object to such a feature unless it can be made secure, especially in a headless, automated build environment.

[pganssle]

I don't think allowing people to do insecure things is the same as a security issue, but regardless of that, I believe that easy_install is the only part of setuptools that hits the internet, and it's deprecated in favor of pip, so I don't think there's any reason to do this.

[abravalheri]

Hello, I think we can safely close this issue, right?

easy_install has been deprecated for a while now and vastly replaced by pip (and the internal mechanisms pypa/build uses to bootstrap the isolated build environment).

If anyone would like to revisit this topic with more information or a specific use case, please feel free to post a comment bellow so we can re-open the issue if necessary.