Older versions of behave-django were somewhat independent of the version of Behave you were installing and running yourself. Specifically, it was possible to either install Behave off PyPI (latest release, February 2018) or pull a more recent state from GitHub. At the user's discretion.
behave-django can't depend on stable behave anymore
Unfortunately, this is no longer the case with the current state of behave-django (on GitHub). Behave now has desirable features (e.g. TOML support) only on GitHub, and behave-django now attaches to Behave in a way that requires at least v1.2.7.dev4. See also #147 for a related example.
Luckily, Python packaging allows dependencies to be specified in a way that users don't need to worry about those facts, and installation off GitHub is handled transparently. A newer or older version of Behave, installed beforehand, will be uninstalled, though.
Some organisations block installing software off GitHub
Note that this would in future only work if your environment or your network doesn't restrict pulling Python packages in from GitHub. Probably all larger institutions run a dependency proxy (e.g. Nexus or Artifactory), which both caches resources pulled off the Internet and allows scanning for vulnerabilities, e.g. to detect and contain supply chain attacks.
It comes naturally to understand that sensitive industries (e.g. finance, insurance) are reluctant to allow developers to freely install resources that don't come from "official resources".
Releasing to PyPI now would make things worse
The current version 1.4.0 of behave-django depends on the latest stable Behave from PyPI. This means it can easily be installed in a situation described above. Needless to say that it doesn't have TOML support (hence won't read configuration from pyproject.toml) and other goodies.
If we released a new version on PyPI in the current state, depending on Behave off GitHub (!), this version would only be able to be installed in free, unrestricted networks. Banks, insurance companies, and other large corporate bodies would stop using Behave. Yes, this doesn't affect everyone, especially not "modern" environments. But it would make for bad marketing.
EDIT: As of pypa/pip#6301 (comment) direct URLs are not meant to be used to define dependencies by software released on PyPI (as of PEP 440 and PEP 508) and are hence blocked by PyPI, as reported by one of our users. It will hence be impossible to install behave-django if it were released on PyPI, as of today.
behave-django must depend on a stable version again
To cut the story short, a (stable) release of Behave on PyPI is desperately needed.
We need a release of Behave on PyPI. Please! 🙏
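The direct-URL dependencies discussed in this issue can be detected in a built package's metadata before it is uploaded or admitted through a dependency proxy. The following is an added example, not code from the issue, behave-django or Behave; the metadata sample is constructed, and `blocked_by_policy` with its host allow-list is a hypothetical policy check.

```python
import re
from email.parser import Parser
from urllib.parse import urlparse

# Constructed sample of a wheel METADATA file (not behave-django's real metadata).
SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: example-plugin
Version: 0.0.0
Requires-Dist: django>=4.2
Requires-Dist: behave @ git+https://github.com/behave/behave.git
Requires-Dist: beautifulsoup4; extra == "test"
"""

# PEP 508 direct reference: "name[extras] @ url", optionally followed by a marker.
DIRECT_REF = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*@\s*(\S+)"
)


def find_direct_references(metadata_text):
    """Return (name, url, host) for each Requires-Dist that is a direct URL."""
    # Core metadata uses RFC 822 style headers, so the email parser reads it.
    msg = Parser().parsestr(metadata_text)
    hits = []
    for requirement in msg.get_all("Requires-Dist") or []:
        match = DIRECT_REF.match(requirement)
        if not match:
            continue  # ordinary name/version requirement, resolved via the index
        name, url = match.groups()
        # Drop a VCS prefix such as "git+" so the host can be parsed.
        host = urlparse(re.sub(r"^[A-Za-z]+\+", "", url)).hostname
        hits.append((name, url, host))
    return hits


def blocked_by_policy(metadata_text, allowed_hosts=frozenset()):
    """Direct references whose host is not on the (hypothetical) allow-list."""
    return [hit for hit in find_direct_references(metadata_text)
            if hit[2] not in allowed_hosts]


if __name__ == "__main__":
    for name, url, host in find_direct_references(SAMPLE_METADATA):
        print(f"direct reference: {name} -> {url} (host {host})")
```

An empty allow-list models the restricted networks the issue describes, where every direct reference is a finding.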