Improve feedback when there are missing dependencies

[erikrose]

Chris Calloway says...

Here's what I got on Win7/64 with Python 2.7.5 via Anaconda: I did a dummy requirements file with with my favorite dummy packages: pep8, pyflakes, and pylint, to peep into a virtualenv (or rather, a conda env). Without the sha256 lines, it worked as expected ("Not proceeding to installation"). With the proper sha256 lines, it appeared to install everything. But because of the implicit --no-deps, pylint's dependencies were not installed silently and i'm left with a broken pylint. Yeah, that doesn't let unverified dependencies through. But it's probably not a great default behavior, either. One of pip's great advances over easy_install was that it not only figured out all of the nested dependencies like easy_install, but it also made sure to download them all first before attempting to install anything. A more consistent behavoir might be to raise the "Not proceeding to installation" exception for unverified deps.

Maybe we could run pip --download without --no-deps and then freak out if there are things in the download folder we didn't explicitly ask for. (Or maybe there's a way to do it without network IO (but that's less important, because it's valuable to verify the hashes anyway).) When we run pip install, we can include --no-deps but install only the requirements that appear by name in the reqs file.