“allow-hosts” in buildout considered harmful

Today we had the following error message when re-installing a project from scratch:

 While:
   Installing.
   Getting section application.
   Initializing section application.
   Installing recipe zc.zope3recipes.
   Getting distribution for 'zc.zope3recipes==0.13.0'.
 Error: Couldn't find a distribution for 'zc.zope3recipes==0.13.0'.

Yes, this is a really old recipe, but it still exists on PyPI. We are using zc.buildout in version 2.10 and do not use a custom index, so being forced to use HTTPS to access PyPI does not seem to be the problem.

After searching way too long we found that .buildout/default.cfg contains the following statement:

allow-hosts =
   *.python.org
   *.gocept.com
   *.gocept.net
   effbot.org
   dist.plone.org

It restricts the allowed hosts for download, but it seems to restrict the index, too. https://pypi.python.org/simple nowadays redirects to https://pypi.org/simple, which is not on the list.

Suggestion: Remove allow-hosts if possible. It does more harm than good, especially because packages are nowadays downloaded from https://files.pythonhosted.org.
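If allow-hosts has to stay as a download restriction, the list can be audited before a build fails silently. The following check is an added example, not code from this post or from zc.buildout; it assumes each pattern is a shell-style glob matched against the URL's host, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# allow-hosts value from the .buildout/default.cfg shown above
ALLOW_HOSTS = """
    *.python.org
    *.gocept.com
    *.gocept.net
    effbot.org
    dist.plone.org
"""

# URLs named in the post: the old index URL, its redirect target,
# and the host that serves the package files today.
URLS = [
    "https://pypi.python.org/simple",
    "https://pypi.org/simple",
    "https://files.pythonhosted.org",
]


def parse_patterns(value):
    """Split a multi-line allow-hosts value into lower-cased glob patterns."""
    return [line.strip().lower() for line in value.splitlines() if line.strip()]


def host_allowed(url, patterns):
    """True if the URL's host matches at least one pattern (assumed glob match)."""
    host = (urlsplit(url).hostname or "").lower()
    return any(fnmatchcase(host, pattern) for pattern in patterns)


def blocked(urls, patterns):
    """Return the URLs whose host is covered by no pattern."""
    return [url for url in urls if not host_allowed(url, patterns)]


if __name__ == "__main__":
    patterns = parse_patterns(ALLOW_HOSTS)
    for url in URLS:
        status = "allowed" if host_allowed(url, patterns) else "BLOCKED"
        print(f"{status:8} {url}")
```

Run against the list above, it reports the redirect target and the file host as blocked, which matches the failure described here.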

UPDATE:

I filed an issue for zc.buildout at GitHub: buildout/buildout#447

Author: Michael Howitz

I am a software developer at gocept in Halle (Saale). To develop software, I mainly use Python, Zope, ZTK and Django.

3 thoughts on ““allow-hosts” in buildout considered harmful”

  1. The worst part is no matter how many -v options you pass to buildout, it will not tell you it’s discarding the pypi.org link because of your allow-hosts setting.

    1. Right, this was the tricky part, which I forgot to mention. Thank you for adding it.
