From 92d4dbf0ec27efa86143fbaf8a3edb0f6af72891 Mon Sep 17 00:00:00 2001 From: Nick Coghlan Date: Tue, 15 Oct 2013 22:33:12 +1000 Subject: [PATCH] Add pip integration timeline to PEP 453 - timeline based on discussion with the 3.4 release team and the pip devs - also clarified the two trust models on offer (i.e. that the PEP ensures trusting PyPI remains explicitly opt-in, just as it has always been in the past) --- pep-0453.txt | 44 ++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 40 insertions(+), 4 deletions(-) diff --git a/pep-0453.txt b/pep-0453.txt index 3d41f44ec..28476b653 100644 --- a/pep-0453.txt +++ b/pep-0453.txt @@ -331,8 +331,8 @@ Security considerations ----------------------- The design in this PEP has been deliberately chosen to avoid making any -significant changes to the trust model of the CPython installers for end -users that do not subsequently make use of ``pip``. +significant changes to the trust model of CPython for end users that do +not subsequently run the command ``pip install --upgrade pip``. The installers will contain all the components of a fully functioning version of Python, including the ``pip`` installer. The installation @@ -340,8 +340,9 @@ process will *not* require network access, and will *not* rely on trusting the security of the network connection established between ``pip`` and the Python package index. -Only users that choose to use ``pip`` directly will need to pay -attention to any PyPI related security considerations. +Only users that choose to use ``pip`` to communicate with PyPI will +need to pay attention to the additional security considerations that come +with doing so. Reliability considerations 
@@ -401,6 +402,41 @@ can be carried out in any order): updated for Python 3.4+ +Integration timeline +-------------------- + +Allowing ``pip`` to be bundled with CPython as a wheel file requires some +adjustments to ``pip`` itself, so the proposed time frame for integration +into CPython if this PEP is accepted is as follows: + +* by November 17th (1 week prior to the scheduled date of 3.4.0 beta 1) + + Documentation updated and ``ensurepip`` implemented based on a beta release + of ``pip`` 1.5. + +* by November 24th (scheduled date of 3.4.0 beta 1) + + All other proposed functional changes for Python 3.4 implemented, + including the installer updates to invoke ensurepip. + +* by December 29th (1 week prior to the scheduled date of 3.4.0 beta 2) + + ``ensurepip`` updated to the final release of pip 1.5 + + PEP 101 updated to cover ensuring the bundled version of ``pip`` is up + to date. + +(See PEP 429 for the current official scheduled dates of each release. Dates +listed above are accurate as of October 15th.) + +If there is no final release of ``pip`` 1.5 available the week before the +scheduled Python 3.4 beta 2 release, then implementation of this PEP will +be deferred to Python 3.5. Note that this scenario is unlikely - the final +``pip`` 1.5 release could likely be ready for beta 1. However, it makes +sense to defer the final release until after the ``ensurepip`` bootstrapping +has seen some testing in a CPython beta release. + + Proposed CLI ------------
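Review bot: In the Security considerations hunk (@@ -331,8 +331,8), the two reworded paragraphs scope the trust boundary differently. The first limits the unchanged trust model to users who do not run ``pip install --upgrade pip``, while the last applies the extra security considerations to anyone who uses ``pip`` to communicate with PyPI, which covers more than that one command. The conditions should match: either word the first paragraph as "end users that do not subsequently use ``pip`` to communicate with PyPI", or state why upgrading ``pip`` itself is the only operation that changes the trust model. The hunk also does not say what the "additional security considerations" are, so a pointer to the section that describes them would help.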
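Review bot: In the Integration timeline hunk (@@ -401,6 +402,41), the milestone dates ("by November 17th", "by November 24th", "by December 29th") and the "accurate as of October 15th" sentence carry no year, so they become ambiguous once the PEP is read outside this release cycle. Add the year to each date, or at least to the "accurate as of" sentence. Separately, "invoke ensurepip" in the second bullet and "final release of pip 1.5" in the third bullet lack the double-backtick markup the rest of the section uses for ``ensurepip`` and ``pip``.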