
Warn users that pip download can run arbitrary code #12465

@decorator-factory

Description


What's the problem this feature will solve?

I've been using pip for many years now, but I didn't realize that `pip download` runs `setup.py` containing arbitrary code (until someone explicitly told me).

I think the name `download` implies that you're just moving bits from one computer to another (like downloading a file using the browser). If you know how Python packaging works in detail, it's clear that this has to run `setup.py`, but it's not obvious to everyone.

Describe the solution you'd like

1. Add a note to `pip download --help`, https://pip.pypa.io/en/stable/cli/pip_download/ and other "official" documentation for `pip download`. This will raise awareness of this command being potentially dangerous.

2. On the online documentation page, provide a recipe for just downloading the source. I was only able to find an old thread that is now outdated and doesn't provide a solution. Maybe downloading the wheel from the PyPI website might be a good direction?

Additional context

Example on StackOverflow (2018): https://stackoverflow.com/questions/52486985/pip-download-without-executing-setup-py

https://discuss.python.org/t/pip-download-just-the-source-packages-no-building-no-metadata-etc/465
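The recipe the issue asks for, as an added example (not code from pip or from the issue author): fetch a release's files straight from the PyPI JSON API (`https://pypi.org/pypi/<project>/<version>/json`, whose `urls` entries carry `packagetype`, `filename`, `url` and `digests`) and check each download against the published sha256 before keeping it. Nothing here invokes `setup.py` or a build backend; the bytes are only read and hashed. The `SAMPLE_*` values and the `files.example.invalid` host are constructed so the flow runs offline; the `fetch` parameter is an assumption of this example, added so the verification logic can be exercised without a network.

```python
"""Fetch a project's release files from PyPI without running any build code.

Added example; it relies only on the documented PyPI JSON API response
shape. The sample metadata below is constructed, not a real release.
"""
import hashlib
import json
import sys
import urllib.request


def select_files(metadata, want_sdist=True, want_wheels=True):
    """Return (filename, url, sha256) for the release files we want."""
    wanted = set()
    if want_sdist:
        wanted.add("sdist")
    if want_wheels:
        wanted.add("bdist_wheel")
    return [
        (entry["filename"], entry["url"], entry["digests"]["sha256"])
        for entry in metadata["urls"]
        if entry["packagetype"] in wanted
    ]


def digest_matches(data: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded bytes against the digest PyPI published."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def fetch_verified(filename, url, expected_sha256, fetch=None):
    """Download one file and refuse it if the digest does not match.

    `fetch` is injectable (assumption of this example) so the logic can be
    exercised offline; the default reads the URL with urllib.
    """
    if fetch is None:
        def fetch(u):
            with urllib.request.urlopen(u) as resp:
                return resp.read()
    data = fetch(url)
    if not digest_matches(data, expected_sha256):
        raise ValueError(f"sha256 mismatch for {filename}")
    return data


def release_metadata(project, version):
    """Query the PyPI JSON API for one release (network access required)."""
    url = f"https://pypi.org/pypi/{project}/{version}/json"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


# Constructed sample: same shape as the real API response, made-up values.
SAMPLE_SDIST = b"constructed sdist bytes, not a real tarball"
SAMPLE_WHEEL = b"constructed wheel bytes, not a real zip"
SAMPLE_METADATA = {
    "urls": [
        {
            "packagetype": "sdist",
            "filename": "example-1.0.tar.gz",
            "url": "https://files.example.invalid/example-1.0.tar.gz",
            "digests": {"sha256": hashlib.sha256(SAMPLE_SDIST).hexdigest()},
        },
        {
            "packagetype": "bdist_wheel",
            "filename": "example-1.0-py3-none-any.whl",
            "url": "https://files.example.invalid/example-1.0-py3-none-any.whl",
            "digests": {"sha256": hashlib.sha256(SAMPLE_WHEEL).hexdigest()},
        },
    ]
}
# Maps each constructed URL to the bytes an offline "fetch" should return.
SAMPLE_FILES = {
    e["url"]: d for e, d in zip(SAMPLE_METADATA["urls"], (SAMPLE_SDIST, SAMPLE_WHEEL))
}


def demo_offline():
    """Run the whole flow against the constructed sample; returns filenames kept."""
    kept = []
    for filename, url, sha in select_files(SAMPLE_METADATA):
        fetch_verified(filename, url, sha, fetch=SAMPLE_FILES.__getitem__)
        kept.append(filename)
    return kept


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real use: python fetch_release.py <project> <version>
        meta = release_metadata(sys.argv[1], sys.argv[2])
        for filename, url, sha in select_files(meta):
            with open(filename, "wb") as fh:
                fh.write(fetch_verified(filename, url, sha))
            print("saved", filename)
    else:
        print("offline demo kept:", demo_offline())
```

If you would rather stay inside pip, `pip download --only-binary=:all: <project>` restricts the resolver to wheels, so no sdist is fetched and no `setup.py` is executed; wheels are plain zip files and pip reads their metadata without running anything. Adding `--no-deps` keeps the download to the one project you named.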

Labels: C: download (About fetching data from PyPI and other sources), type: docs (Documentation related), type: feature request (Request for a new feature), type: security (Has potential security implications)