Open
Description
At the moment of releasing, we realized that PyPI doesn't allow having external dependencies (i.e. they need to be from inside PyPI); see the error trace below.
Some users experienced this as well and have even proposed that PyPI allow external dependencies but, for security reasons, they have declined the proposal. Apparently, someone could inject malicious code into the users of flexmeasures-client by pushing code to the dependency.
I thought that using a requirements.txt would bypass this, but it wouldn't because in the end PyPI checks install_requires.
Given that python-s2-protocol is not the definitive library, I would prioritize integrating the library that we are developing with TNO.
Notice: Attempting to perform trusted publishing exchange to retrieve a temporary short-lived API token for authentication against https://upload.pypi.org/legacy/ due to __token__ username with no supplied password field
Checking dist/flexmeasures_client-0.1.2-py3-none-any.whl: PASSED
Checking dist/flexmeasures-client-0.1.2.tar.gz: PASSED
Uploading distributions to https://upload.pypi.org/legacy/
Uploading flexmeasures_client-0.1.2-py3-none-any.whl
0% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.0/37.4 kB • --:-- • ?
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 37.4/37.4 kB • 00:00 • 56.5 MB/s
WARNING Error during upload. Retry with the --verbose option for more details.
ERROR HTTPError: 400 Bad Request from https://upload.pypi.org/legacy/
Invalid value for requires_dist. Error: Can't have direct dependency: 'python-s2-protocol @ git+https://git@github.com/SeitaBV/python-s2-protocol.git'
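A pre-upload check for the situation in this issue, as an added example that is not part of flexmeasures-client or its release workflow: it reads the Requires-Dist entries from a built wheel's METADATA and flags any PEP 508 direct reference (`name @ url`), which is exactly what PyPI's requires_dist validation rejects. The sample wheel is constructed in memory for the demonstration; apart from the python-s2-protocol entry quoted in the trace, its dependency names are made up. Running a check like this before twine upload surfaces the rejection locally, and the resulting list also shows which dependencies would be resolved from outside the index, where no published release artifact pins what users actually install.

```python
"""Flag PEP 508 direct-URL dependencies in a wheel's METADATA before upload.

Added example; not code from flexmeasures-client. PyPI refuses
Requires-Dist entries of the form 'name @ url', so catching them in CI
avoids a failed release and documents which dependencies bypass the index.
"""
import io
import re
import zipfile
from email.parser import Parser
from typing import List, Union

# PEP 508 direct reference: '<name>[extras] @ <url>', optionally followed by
# ';' and an environment marker. Version specifiers like 'pkg>=1.0' never
# contain the ' @ ' separator, so they do not match.
_DIRECT_REF = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*@\s*(?P<url>\S+)"
)


def direct_url_requirements(requires_dist: List[str]) -> List[str]:
    """Return the Requires-Dist entries that use a direct URL reference."""
    found = []
    for req in requires_dist:
        spec = req.split(";", 1)[0]  # drop the environment marker, if any
        if _DIRECT_REF.match(spec):
            found.append(req.strip())
    return found


def requires_dist_from_wheel(wheel: Union[str, bytes]) -> List[str]:
    """Read all Requires-Dist headers from the wheel's .dist-info/METADATA.

    Accepts a path or the raw bytes of a wheel (a wheel is a zip archive;
    METADATA uses RFC 822 style headers, so the email parser reads it).
    """
    source = io.BytesIO(wheel) if isinstance(wheel, bytes) else wheel
    with zipfile.ZipFile(source) as zf:
        meta_name = next(
            n for n in zf.namelist() if n.endswith(".dist-info/METADATA")
        )
        text = zf.read(meta_name).decode("utf-8")
    msg = Parser().parsestr(text)
    return msg.get_all("Requires-Dist") or []


def direct_url_requirements_in_wheel(wheel: Union[str, bytes]) -> List[str]:
    """Convenience wrapper: direct-URL entries found in the given wheel."""
    return direct_url_requirements(requires_dist_from_wheel(wheel))


# Constructed sample wheel (not the real flexmeasures-client artifact):
# only the python-s2-protocol entry is taken from the error trace above.
_SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: flexmeasures-client
Version: 0.1.2
Requires-Dist: example-index-dep>=1.0
Requires-Dist: python-s2-protocol @ git+https://git@github.com/SeitaBV/python-s2-protocol.git
Requires-Dist: example-optional-dep>=2.0; python_version >= "3.8"

Sample description body.
"""


def build_sample_wheel() -> bytes:
    """Build a minimal in-memory wheel carrying the constructed METADATA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flexmeasures_client-0.1.2.dist-info/METADATA", _SAMPLE_METADATA)
        zf.writestr("flexmeasures_client/__init__.py", "")
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    # Usage: python check_direct_deps.py dist/*.whl  (no args: run the sample)
    targets = sys.argv[1:] or [build_sample_wheel()]
    exit_code = 0
    for target in targets:
        label = target if isinstance(target, str) else "<constructed sample wheel>"
        for entry in direct_url_requirements_in_wheel(target):
            print(f"{label}: direct dependency rejected by PyPI: {entry}")
            exit_code = 1
    sys.exit(exit_code)
```

The check deliberately looks at the built wheel rather than at setup.py or pyproject.toml, because METADATA is what twine sends and PyPI validates; whatever install_requires or a requirements file says, this is the final form of the dependency list.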