pypa/pip

pip freeze > requirements.txt no longer creates working requirements file

bladeoflight16 opened this issue · 2 comments

With the new security measures that require the use of --allow-external and --allow-unverified, the command

pip freeze > requirements.txt

no longer necessarily generates a working requirements file. Additional arguments outside of the file, or hand-crafted modifications to the file, will be required to install external or unverified packages. This makes generating a usable requirements file much more difficult.

It would be preferable to have some single command that generates an immediately usable requirements file. This would ease upgrades from older versions of pip, especially when a large number of packages are in use. I do not know what the best way to do this would be, but thoughts that come to mind are a new command for generating a requirements file or adding an argument to freeze that optionally includes the required external/unverified arguments.

I do realize such a feature might in some cases allow users to ignore the security implications, but I don't think that is a reason to avoid this feature. Those users are likely to just blindly add the required arguments anyway, and this feature would provide real value to users who do care by giving them an easy way to see a list of all the packages for which this is an issue. Additionally, users unfamiliar with the security changes will still run into them if this feature is not the default behavior.
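As an added illustration of the "easy way to see a list of all the packages for which this is an issue" the issue asks for (example code written here, not part of pip or of this issue), the script below reads a requirements file that was produced by pip freeze and then edited by hand, and reports which pins carry an --allow-external or --allow-unverified line next to them. It assumes the in-file option form "--allow-external NAME" / "--allow-unverified NAME" on its own line, and the sample requirements text is constructed for the example.

```python
import re

# Constructed sample input: a pip freeze listing that someone has edited
# by hand to add the per-package option lines (assumed in-file syntax).
SAMPLE_REQUIREMENTS = """\
# generated by pip freeze, then edited by hand
Django==1.6.2
PIL==1.1.7
--allow-external PIL
--allow-unverified PIL
requests==2.2.1
--allow-external pyodbc
"""

FLAG_RE = re.compile(r"^--allow-(external|unverified)\s+(\S+)$")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)$")


def normalize(name):
    """Compare project names case-insensitively, treating '_' and '-' alike."""
    return name.lower().replace("_", "-")


def parse_requirements(text):
    """Split a requirements file into pins and per-package allow flags.

    Returns (pins, flags): pins maps package -> pinned version, flags maps
    package -> set of flag kinds ("external", "unverified"). Comments and
    blank lines are ignored; unrecognised lines are skipped.
    """
    pins = {}
    flags = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = FLAG_RE.match(line)
        if m:
            flags.setdefault(normalize(m.group(2)), set()).add(m.group(1))
            continue
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins, flags


def audit(text):
    """Report which pinned packages bypass the external/unverified checks.

    "bypass" lists pins that have an allow flag (these are the packages a
    reviewer should look at, since they are fetched from outside the index
    or without a verifiable checksum); "dangling" lists flags that name a
    package which is not pinned at all, i.e. leftovers from hand editing.
    """
    pins, flags = parse_requirements(text)
    report = {"bypass": {}, "dangling": []}
    for pkg, kinds in flags.items():
        if pkg in pins:
            report["bypass"][pkg] = sorted(kinds)
        else:
            report["dangling"].append(pkg)
    report["dangling"].sort()
    return report


def render_with_flags(pins, external=(), unverified=()):
    """Write pins back out with the allow lines placed next to each pin.

    This is the shape of the "single command" output the issue asks for:
    the flags travel with the package they apply to, so the resulting file
    installs without extra command-line arguments.
    """
    ext = {normalize(n) for n in external}
    unv = {normalize(n) for n in unverified}
    lines = []
    for pkg in sorted(pins):
        lines.append("%s==%s" % (pkg, pins[pkg]))
        if pkg in ext:
            lines.append("--allow-external %s" % pkg)
        if pkg in unv:
            lines.append("--allow-unverified %s" % pkg)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = audit(SAMPLE_REQUIREMENTS)
    for pkg, kinds in sorted(result["bypass"].items()):
        print("%s bypasses: %s" % (pkg, ", ".join(kinds)))
    for pkg in result["dangling"]:
        print("flag without matching pin: %s" % pkg)
```

Running it over the sample prints that PIL is installed with both checks bypassed and that the pyodbc flag has no matching pin, which is exactly the sort of list that lets someone decide whether each bypass is justified before committing the file.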

👍 Yes, I do agree, this is a maintenance nightmare.

Looks like it could be closed by #3070