The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Feature #8933

Package Provider: pip - allow installation from URL

Added by Jeremy Orem over 4 years ago. Updated over 4 years ago.

Status: In Topic Branch Pending Review
Start date: 08/11/2011
Priority: Normal
Due date:
Assignee: Jeremy Orem
% Done:
Target version: -
Affected Puppet version: 2.7.1
Branch:


Right now there isn’t a good way to install a pip package from source. I want to be able to do something like this:

    package {
        ensure => 'present',
        source => '',
        provider => 'pip';
    }

I’ve attached a patch which allows specifying a package URL in source.

pip.patch - PATCH: Adds requested feature. (962 Bytes) Jeremy Orem, 08/11/2011 11:53 am

Related issues

Related to Puppet - Feature #18029: Install Options for PIP package provider (incl. patch) Code Insufficient


#1 Updated by James Turnbull over 4 years ago

  • Status changed from Unreviewed to Requires CLA to be signed
  • Assignee set to Jeremy Orem
  • Affected Puppet version changed from development to 2.7.1

Hi Jeremy! Thanks for your patch. Could I please get you to sign a CLA (see the Contributor License Agreement link in the top menu) and have a quick look at our link?

Thanks again!

#2 Updated by Jeremy Orem over 4 years ago

Thanks for the quick response.

I have:

  • Agreed to the CLA
  • Written an rspec test
  • Run rake mail_patches
  • Pushed patch to my fork:

#3 Updated by James Turnbull over 4 years ago

  • Status changed from Requires CLA to be signed to In Topic Branch Pending Review

#4 Updated by Joe Stevensen over 4 years ago

Question, how do you plan to validate the file you’re hoping to get in the url? MD5/SHA1? GPG signature? Seems dangerous to allow puppet to grab a tar.gz file off the internet.

#5 Updated by Jeremy Orem over 4 years ago

Right now it is possible to install an rpm from a url without any validation e.g.,

    source => '',
    provider => 'rpm',
    ensure => present;

If it isn’t a concern for the rpm provider do we need to be concerned about it for the pip provider?

#6 Updated by Joe Stevensen over 4 years ago

So you can put an rpm in a url and puppet will just grab it and install it too? Why would you want this? I don’t understand why you want the ability to deploy arbitrary software without verifying it first. You can really shoot yourself in the foot here.
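The validation asked about in comments #4 and #6, sketched as an added example that is not part of the thread, the attached patch, or Puppet's pip provider: the archive is only handed to pip if its digest matches one pinned alongside the URL. The helper names, the use of SHA-256 rather than the MD5/SHA1 mentioned above, and the sample bytes are all assumptions made for illustration.

```ruby
require 'digest'
require 'tempfile'
require 'uri'

# Hypothetical helpers; not part of Puppet's pip provider or the attached patch.
class ArtifactMismatch < StandardError; end

# Accept only https sources, so the archive is not fetched over cleartext HTTP.
def https_source?(source)
  uri = URI.parse(source)
  uri.is_a?(URI::HTTPS) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Build the pip argv for an already-downloaded archive, but only if its
# SHA-256 equals the digest pinned in the manifest; otherwise raise.
def verified_pip_command(path, pinned_sha256)
  unless pinned_sha256.match?(/\A\h{64}\z/)
    raise ArgumentError, 'pinned digest must be 64 hex characters'
  end
  actual = Digest::SHA256.file(path).hexdigest
  unless actual == pinned_sha256.downcase
    raise ArtifactMismatch, "sha256 mismatch for #{path}: got #{actual}"
  end
  ['pip', 'install', path]
end

# Constructed sample: a stand-in "archive" that is modified after pinning.
def demo
  Tempfile.create(['example-pkg', '.tar.gz']) do |f|
    f.binmode
    f.write('constructed archive bytes')
    f.flush
    pinned = Digest::SHA256.hexdigest('constructed archive bytes')
    accepted = verified_pip_command(f.path, pinned)
    f.write('tampered')
    f.flush
    rejected = begin
      verified_pip_command(f.path, pinned)
      false
    rescue ArtifactMismatch
      true
    end
    [accepted.first(2), rejected]
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

A digest pinned in the manifest only detects changes made after the pin was recorded; it says nothing about whether the original archive was trustworthy, which is what the GPG signature question in comment #4 addresses.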
