From 4b638f9ddd87787fdafff7653c21915836db2089 Mon Sep 17 00:00:00 2001 From: Richard Jones Date: Tue, 9 Jul 2013 11:20:06 +1000 Subject: [PATCH] remove setuptools note; setuptools will now be installed mention bootstrapping target and command-line options mention python 2.6+ bootstrap possibility --- pep-0439.txt | 102 +++++++++++++++++++++++++-------------------------- 1 file changed, 49 insertions(+), 53 deletions(-) diff --git a/pep-0439.txt b/pep-0439.txt index 44ab3e213..ceef7b24c 100644 --- a/pep-0439.txt +++ b/pep-0439.txt @@ -54,9 +54,12 @@ beyond requiring Python installation upgrades. Proposal ======== -This proposal affects three components of packaging: `the pip bootstrap`_, -`setuptools`_ and, thanks to easier package installation, `modifications to -publishing packages`_. +This proposal affects two components of packaging: `the pip bootstrap`_ and, +thanks to easier package installation, `modifications to publishing +packages`_. + +The core of this proposal is that the user experience of using pip should not +require the user to install pip. The pip bootstrap @@ -65,9 +68,11 @@ The pip bootstrap The Python installation includes an executable called "pip3" (see PEP 394 for naming rationale etc.) that attempts to import pip machinery. If it can then the pip command proceeds as normal. If it cannot it will bootstrap pip by -downloading the pip implementation wheel file. Once installed, the pip -command proceeds as normal. Once the bootstrap process is complete the "pip3" -command is no longer the bootstrap but rather the full pip command. +downloading the pip implementation and setuptools wheel files. Hereafter the +installation of the "pip implementation" will imply installation of +setuptools. Once installed, the pip command proceeds as normal. Once the +bootstrap process is complete the "pip3" command is no longer the bootstrap +but rather the full pip command. A boostrap is used in the place of a the full pip code so that we don't have to bundle pip and also pip is upgradeable outside of the regular Python @@ -89,15 +94,16 @@ The bootstrap process will proceed as follows: 2. The user will invoke a pip command, typically "pip3 install ", for example "pip3 install Django". 3. The boostrap script will attempt to import the pip implementation. - If this succeeds, the pip command is processed normally. + If this succeeds, the pip command is processed normally. Stop. 4. On failing to import the pip implementation the bootstrap notifies - the user that it is "upgrading pip" and contacts PyPI to obtain the - latest download wheel file (see PEP 427.) -5. Upon downloading the file it is installed using the distlib - installation machinery for wheel packages. Upon completing the - installation the user is notified that "pip3 has been upgraded." - TODO how is it verified? -6. The pip tool may now import the pip implementation and continues to + the user that it needs to "install pip". It will ask the user whether it + should install pip as a system-wide site-packages or as a user-only + package. This choice will also be present as a command-line option to pip + so non-interactive use is possible. +5. The bootstrap will and contact PyPI to obtain the latest download wheel + file (see PEP 427.) +6. Upon downloading the file it is installed using "python setup.py install". +7. The pip tool may now import the pip implementation and continues to process the requested user command normally. Users may be running in an environment which cannot access the public @@ -109,7 +115,7 @@ would use the "-i" (Base URL of Python Package Index) argument to the additional locations to discover packages and attempting to download the package from those locations. 2. If the package is not found there then we attempt to donwload it - using the standard "https://pypi.python.org/pypi/simple/pip" index. + using the standard "https://pypi.python.org/simple/pip/" index. 3. If that also fails, for any reason, we indicate to the user the operation we were attempting, the reason for failure (if we know it) and display further instructions for downloading and installing @@ -118,52 +124,33 @@ would use the "-i" (Base URL of Python Package Index) argument to the Some users may have no Internet access suitable for fetching the pip implementation file. Manual installation of the pip implementation will be supported through the manual download of the wheel file and "pip3 install -". This installation - since it uses only the bootstrap -code - will not perform standard pip installation steps of saving the file to -a cache directory or updating any local database of installed files. +". -The download of the pip implementation install file should be performed -securely. The transport from pypi.python.org will be done over HTTPS but the CA -certificate check will most likely not be performed, and therefore the download -would still be vulnerable to active MITM attacks. To mitigate this -risk we will use the embedded signature support in the wheel format to validate -the downloaded file. +The download of the pip implementation install file will be performed +securely. The transport from pypi.python.org will be done over HTTPS with the +CA certificate check performed (see PEP XXXX). Beyond those arguments controlling index location and download options, the "pip3" boostrap command may support further standard pip options for verbosity, quietness and logging. +The "pip3" command will support two new command-line options that are used +in the boostrapping, and otherwise ignored. They control where the pip +implementation is installed: + +--bootstrap + Install to the user's packages directory. The name of this option is chosen + to promote it as the preferred installation option. + +--bootstrap-to-system + Install to the system site-packages directory. + +These command-line options will also need to be implemented, but otherwise +ignored, in the pip implementation. + The "--no-install" option to the "pip3" command will not affect the bootstrapping process. -setuptools ----------- - -The deprecation of requiring setuptools for installation is an existing goal of -the packaging comminity (TODO ref needed). Currently pip depends upon setuptools -functionality, and it is installed by the current pip boostrap. This PEP does -not propose installing setuptools during the new bootstrap. - -It is intended that before Python 3.4 is shipped the functionlity required by -pip will be present in Python's standard library as the distlib module, and that -pip would be modified to use that functionality when present. TODO PEP reference -for distlib - -Many existing "setup.py" files require setuptools to be installed (because one -of the first things they do is import setuptools). It is intended that pip's -behaviour will be either: - -1. If setuptools is not present it can only install from wheel files and - sdists with 2.0+ metadata, or -2. If setuptools is present it can also install from sdists with legacy - metadata and eggs - -By default, installing setuptools when necessary should be automatic so that -users are not inconvenienced, but advanced users should be able to ask that it -instead be treated as an error if no wheel is available to satisfy an -installation request or dependency (so they don't inadvertently install -setuptools on their production systems if they don't want to). - Modifications to publishing packages ------------------------------------ @@ -189,7 +176,16 @@ Implementation ============== The changes to pip required by this PEP are being tracked in that project's -issue tracker [2]_ +issue tracker [2]_. Most notably, the addition of --bootstrap and --bootstrap- +to-system to the pip command-line. + +The required code for this implementation is the "pip3" command described +above. The additional pypublish can be developed outside of the scope of this +PEP's work. + +Finally, it would be desirable that "pip3" be ported to Python 2.6+ to allow +the single command to replace all existing pip/setuptools/distribute and +possibly virtualenv bootstrap scripts. Risks