PEP: 650 Title: Specifying Installer Requirements for Python Projects Author: Vikram Jayanthi , Dustin Ingram , Brett Cannon Discussions-To: https://discuss.python.org/t/pep-650-specifying-installer-requirements-for-python-projects/6657 Status: Draft Type: Process Content-Type: text/x-rst Created: 16-Jul-2020 Post-History: 2021-01-14 Abstract ======== Python package installers are not completely interoperable with each other. While pip is the most widely used installer and a de facto standard, other installers such as Poetry_ or Pipenv_ are popular as well due to offering unique features which are optimal for certain workflows and not directly in line with how pip operates. While the abundance of installer options is good for end-users with specific needs, the lack of interoperability between them makes it hard to support all potential installers. Specifically, the lack of a standard requirements file for declaring dependencies means that each tool must be explicitly used in order to install dependencies specified with their respective format. Otherwise tools must emit a requirements file which leads to potential information loss for the installer as well as an added export step as part of a developer's workflow. By providing a standardized API that can be used to invoke a compatible installer, we can solve this problem without needing to resolve individual concerns, unique requirements, and incompatibilities between different installers and their lock files. Installers that implement the specification can be invoked in a uniform way, allowing users to use their installer of choice as if they were invoking it directly. Terminology =========== Installer interface The interface by which an *installer backend* and a *universal installer* interact. Universal installer An installer that can invoke an *installer backend* by calling the optional invocation methods of the *installer interface*. This can also be thought of as the installer frontend, à la the build_ project for :pep:`517`. Installer backend An installer that implements the *installer interface*, allowing it to be invoked by a *universal installer*. An *installer backend* may also be a *universal installer* as well, but it is not required. In comparison to :pep:`517`, this would be Flit_. *Installer backends* may be wrapper packages around a backing installer, e.g. Poetry could choose to not support this API, but a package could act as a wrapper to invoke Poetry as appropriate to use Poetry to perform an installation. Dependency group A set of dependencies that are related and required to be installed simultaneously for some purpose. For example, a "test" dependency group could include the dependencies required to run the test suite. How dependency groups are specified is up to the *installer backend*. Motivation ========== This specification allows anyone to invoke and interact with *installer backends* that implement the specified interface, allowing for a universally supported layer on top of existing tool-specific installation processes. This in turn would enable the use of all installers that implement the specified interface to be used in environments that support a single *universal installer*, as long as that installer implements this specification as well. Below, we identify various use-cases applicable to stakeholders in the Python community and anyone who interacts with Python package installers. For developers or companies, this PEP would allow for increased functionality and flexibility with Python package installers. Providers --------- Providers are the parties (organization, person, community, etc.) that supply a service or software tool which interacts with Python packaging and consequently Python package installers. Two different types of providers are considered: Platform/Infrastructure Providers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Platform providers (cloud environments, application hosting, etc.) and infrastructure service providers need to support package installers for their users to install Python dependencies. Most only support pip, however there is user demand for other Python installers. Most providers do not want to maintain support for more than one installer because of the complexity it adds to their software or service and the resources it takes to do so. Via this specification, we can enable a provider-supported *universal installer* to invoke the user-desired *installer backend* without the provider’s platform needing to have specific knowledge of said backend. What this means is if Poetry implemented the installer backend API proposed by this PEP (or some other package wrapped Poetry to provide the API), then platform providers would support Poetry implicitly. IDE Providers ^^^^^^^^^^^^^ Integrated development environments may interact with Python package installation and management. Most only support pip as a Python package installer, and users are required to find work arounds to install their dependencies using other package installers. Similar to the situation with PaaS & IaaS providers, IDE providers do not want to maintain support for N different Python installers. Instead, implementers of the installer interface (*installer backends*) could be invoked by the IDE by it acting as a *universal installer*. Developers ---------- Developers are teams, people, or communities that code and use Python package installers and Python packages. Three different types of developers are considered: Developers using PaaS & IaaS providers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Most PaaS and IaaS providers only support one Python package installer: pip_. (Some exceptions include Heroku's Python buildpack_, which supports pip and Pipenv_). This dictates the installers that developers can use while working with these providers, which might not be optimal for their application or workflow. Installers adopting this PEP to become *installer backends* would allow users to use third party platforms/infrastructure without having to worry about which Python package installer they are required to use as long as the provider uses a *universal installer*. Developers using IDEs ^^^^^^^^^^^^^^^^^^^^^ Most IDEs only support pip or a few Python package installers. Consequently, developers must use workarounds or hacky methods to install their dependencies if they use an unsupported package installer. If the IDE uses/provides a *universal installer* it would allow for any *installer backend* that the developer wanted to be used to install dependencies, freeing them of any extra work to install their dependencies in order to integrate into the IDE's workflow more closely. Developers working with other developers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Developers want to be able to use the installer of their choice while working with other developers, but currently have to synchronize their installer choice for compatibility of dependency installation. If all preferred installers instead implemented the specified interface, it would allow for cross use of installers, allowing developers to choose an installer regardless of their collaborator’s preference. Upgraders & Package Infrastructure Providers -------------------------------------------- Package upgraders and package infrastructure in CI/CD such as Dependabot_, PyUP_, etc. currently support a few installers. They work by parsing and editing the installer-specific dependency files directly (such as ``requirements.txt`` or ``poetry.lock``) with relevant package information such as upgrades, downgrades, or new hashes. Similar to Platform and IDE providers, most of these providers do not want to support N different Python package installers as that would require supporting N different file types. Currently, these services/bots have to implement support for each package installer individually. Inevitably, the most popular installers are supported first, and less popular tools are often never supported. By implementing this specification, these services/bots can support any (compliant) installer, allowing users to select the tool of their choice. This will allow for more innovation in the space, as platforms and IDEs are no longer forced to prematurely select a "winner". Open Source Community --------------------- Specifying installer requirements and adopting this PEP will reduce the friction between Python package installers and people's workflows. Consequently, it will reduce the friction between Python package installers and 3rd party infrastructure/technologies such as PaaS or IDEs. Overall, it will allow for easier development, deployment and maintenance of Python projects as Python package installation becomes simpler and more interoperable. Specifying requirements and creating an interface for installers can also increase the pace of innovation around installers. This would allow for installers to experiment and add unique functionality without requiring the rest of the ecosystem to do the same. Support becomes easier and more likely for a new installer regardless of the functionality it adds and the format in which it writes dependencies, while reducing the developer time and resources needed to do so. Specification ============= Similar to how :pep:`517` specifies build systems, the install system information will live in the ``pyproject.toml`` file under the ``install-system`` table. [install-system] ---------------- The install-system table is used to store install-system relevant data and information. There are multiple required keys for this table: ``requires`` and ``install-backend``. The ``requires`` key holds the minimum requirements for the *installer backend* to execute and which will be installed by the *universal installer*. The ``install-backend`` key holds the name of the install backend’s entry point. This will allow the *universal installer* to install the requirements for the *installer backend* itself to execute (not the requirements that the *installer backend* itself will install) as well as invoke the *installer backend*. If either of the required keys are missing or empty then the *universal installer* SHOULD raise an error. All package names interacting with this interface are assumed to follow :pep:`508`'s "Dependency specification for Python Software Packages" format. An example ``install-system`` table:: #pyproject.toml [install-system] #Eg : pipenv requires = ["pipenv"] install-backend = "pipenv.api:main" Installer Requirements: ^^^^^^^^^^^^^^^^^^^^^^^ The requirements specified by the ``requires`` key must be within the constraints specified by :pep:`517`. Specifically, that dependency cycles are not permitted and the *universal installer* SHOULD refuse to install the dependencies if a cycle is detected. Additional parameters or tool specific data ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Additional parameters or tool (*installer backend*) data may also be stored in the ``pyproject.toml`` file. This would be in the “tool.*” table as specified by :pep:`518`. For example, if the *installer backend* is Poetry and you wanted to specify multiple dependency groups, the tool.poetry tables could look like this: :: [tool.poetry.dev-dependencies] dependencies = "dev" [tool.poetry.deploy] dependencies = "deploy" Data may also be stored in other ways as the installer backend sees fit (e.g. separate configuration file). Installer interface: -------------------- The *installer interface* contains mandatory and optional hooks. Compliant *installer backends* MUST implement the mandatory hooks and MAY implement the optional hooks. A *universal installer* MAY implement any of the *installer backend* hooks itself, to act as both a *universal installer* and *installer backend*, but this is not required. All hooks take ``**kwargs`` arbitrary parameters that a *installer backend* may require that are not already specified, allowing for backwards compatibility. If unexpected parameters are passed to the *installer backend*, it should ignore them. The following information is akin to the corresponding section in :pep:`517`. The hooks may be called with keyword arguments, so *installer backends* implementing them should be careful to make sure that their signatures match both the order and the names of the arguments above. All hooks MAY print arbitrary informational text to ``stdout`` and ``stderr``. They MUST NOT read from ``stdin``, and the *universal installer* MAY close ``stdin`` before invoking the hooks. The *universal installer* may capture ``stdout`` and/or ``stderr`` from the backend. If the backend detects that an output stream is not a terminal/console (e.g. not ``sys.stdout.isatty()``), it SHOULD ensure that any output it writes to that stream is ``UTF-8`` encoded. The *universal installer* MUST NOT fail if captured output is not valid UTF-8, but it MAY not preserve all the information in that case (e.g. it may decode using the replace error handler in Python). If the output stream is a terminal, the *installer backend* is responsible for presenting its output accurately, as for any program running in a terminal. If a hook raises an exception, or causes the process to terminate, then this indicates an error. Mandatory hooks: ---------------- invoke_install ^^^^^^^^^^^^^^ Installs the dependencies:: def invoke_install( path: Union[str, bytes, PathLike[str]], *, dependency_group: str = None, **kwargs ) -> int: ... * ``path`` : An absolute path where the *installer backend* should be invoked from (e.g. the directory where ``pyproject.toml`` is located). * ``dependency_group`` : An optional flag specifying a dependency group that the *installer backend* should install. The install will error if the dependency group doesn't exist. A user can find all dependency groups by calling ``get_dependency_groups()`` if dependency groups are supported by the *installer backend*. * ``**kwargs`` : Arbitrary parameters that a *installer backend* may require that are not already specified, allows for backwards compatibility. * Returns : An exit code (int). 0 if successful, any positive integer if unsuccessful. The *universal installer* will use the exit code to determine if the installation is successful and SHOULD return the exit code itself. Optional hooks: --------------- invoke_uninstall ^^^^^^^^^^^^^^^^ Uninstall the specified dependencies:: def invoke_uninstall( path: Union[str, bytes, PathLike[str]], *, dependency_group: str = None, **kwargs ) -> int: ... * ``path`` : An absolute path where the *installer backend* should be invoked from (e.g. the directory where ``pyproject.toml`` is located). * ``dependency_group`` : An optional flag specifying a dependency group that the *installer backend* should uninstall. * ``**kwargs`` : Arbitrary parameters that a *installer backend* may require that are not already specified, allows for backwards compatibility. * Returns : An exit code (int). 0 if successful, any positive integer if unsuccessful. The *universal installer* MUST invoke the *installer backend* at the same path that the *universal installer* itself was invoked. The *universal installer* will use the exit code to determine if the uninstall is successful and SHOULD return the exit code itself. get_dependencies_to_install ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Returns the dependencies that would be installed by ``invoke_install(...)``. This allows package upgraders (e.g., Dependabot) to retrieve the dependencies attempting to be installed without parsing the dependency file:: def get_dependencies_to_install( path: Union[str, bytes, PathLike[str]], *, dependency_group: str = None, **kwargs ) -> Sequence[str]: ... * ``path`` : An absolute path where the *installer backend* should be invoked from (e.g. the directory where ``pyproject.toml`` is located). * ``dependency_group`` : Specify a dependency group to get the dependencies ``invoke_install(...)`` would install for that dependency group. * ``**kwargs`` : Arbitrary parameters that a *installer backend* may require that are not already specified, allows for backwards compatibility. * Returns: A list of dependencies (:pep:`508` strings) to install. If the group is specified, the *installer backend* MUST return the dependencies corresponding to the provided dependency group. If the specified group doesn't exist, or dependency groups are not supported by the *installer backend*, the *installer backend* MUST raise an error. If the group is not specified, and the *installer backend* provides the concept of a default/unspecified group, the *installer backend* MAY return the dependencies for the default/unspecified group, but otherwise MUST raise an error. get_dependency_groups ^^^^^^^^^^^^^^^^^^^^^ Returns the dependency groups available to be installed. This allows *universal installers* to enumerate all dependency groups the *installer backend* is aware of:: def get_dependency_groups( path: Union[str, bytes, PathLike[str]], **kwargs ) -> AbstractSet[str]: ... * ``path`` : An absolute path where the *installer backend* should be invoked from (e.g. the directory where ``pyproject.toml`` is located). * ``**kwargs`` : Arbitrary parameters that a *installer backend* may require that are not already specified, allows for backwards compatibility. * Returns: A set of known dependency groups, as strings The empty set represents no dependency groups. update_dependencies ^^^^^^^^^^^^^^^^^^^ Outputs a dependency file based on inputted package list:: def update_dependencies( path: Union[str, bytes, PathLike[str]], dependency_specifiers: Iterable[str], *, dependency_group=None, **kwargs ) -> int: ... * ``path`` : An absolute path where the *installer backend* should be invoked from (e.g. the directory where ``pyproject.toml`` is located). * ``dependency_specifiers`` : An iterable of dependencies as :pep:`508` strings that are being updated, for example : ``["requests==2.8.1", ...]``. Optionally for a specific dependency group. * ``dependency_group`` : The dependency group that the list of packages is for. * ``**kwargs`` : Arbitrary parameters that a *installer backend* may require that are not already specified, allows for backwards compatibility. * Returns : An exit code (int). 0 if successful, any positive integer if unsuccessful. Example ======= Let's consider implementing an *installer backend* that uses pip and its requirements files for *dependency groups*. An implementation may (very roughly) look like the following:: import subprocess import sys def invoke_install(path, *, dependency_group=None, **kwargs): try: return subprocess.run( [ sys.executable, "-m", "pip", "install", "-r", dependency_group or "requirements.txt", ], cwd=path, ).returncode except subprocess.CalledProcessError as e: return e.returncode If we named this package ``pep650pip``, then we could specify in ``pyproject.toml``:: [install-system] #Eg : pipenv requires = ["pep650pip", "pip"] install-backend = "pep650pip:main" Rationale ========= All hooks take ``**kwargs`` to allow for backwards compatibility and allow for tool specific *installer backend* functionality which requires a user to provide additional information not required by the hook. While *installer backends* must be Python packages, what they do when invoked is an implementation detail of that tool. For example, an *installer backend* could act as a wrapper for a platform package manager (e.g., ``apt``). The interface does not in any way try to specify *how* *installer backends* should function. This is on purpose so that *installer backends* can be allowed to innovate and solve problem in their own way. This also means this PEP takes no stance on OS packaging as that would be an *installer backend*'s domain. Defining the API in Python does mean that *some* Python code will eventually need to be executed. That does not preclude non-Python *installer backends* from being used, though (e.g. mamba_), as they could be executed as a subprocess from Python code. Backwards Compatibility ======================= This PEP would have no impact on pre-existing code and functionality as it only adds new functionality to a *universal installer*. Any existing installer should maintain its existing functionality and use cases, therefore having no backwards compatibility issues. Only code aiming to take advantage of this new functionality will have motivation to make changes to their pre existing code. Security Implications ===================== A malicious user has no increased ability or easier access to anything with the addition of standardized installer specifications. The installer that could be invoked by a *universal installer* via the interface specified in this PEP would be explicitly declared by the user. If the user has chosen a malicious installer, then invoking it with a *universal installer* is no different than the user invoking the installer directly. A malicious installer being an *installer backend* doesn't give it additional permissions or abilities. Rejected Ideas ============== A standardized lock file ------------------------ A standardized lock file would solve a lot of the same problems that specifying installer requirements would. For example, it would allow for PaaS/IaaS to just support one installer that could read the standardized lock file regardless of the installer that created it. The problem with a standardized lock file is the difference in needs between Python package installers as well as a fundamental issue with creating reproducible environments via the lockfile (one of the main benefits). Needs and information stored in dependency files between installers differ significantly and are dependent on installer functionality. For example, a Python package installer such as Poetry requires information for all Python versions and platforms and calculates appropriate hashes while pip doesn't. Additionally, pip would not be able to guarantee recreating the same environment (install the exact same dependencies) as it is outside the scope of its functionality. This makes a standardized lock file harder to implement and makes it seem more appropriate to make lock files tool specific. Have installer backends support creating virtual environments ------------------------------------------------------------- Because *installer backends* will very likely have a concept of virtual environments and how to install into them, it was briefly considered to have them also support creating virtual environments. In the end, though, it was considered an orthogonal idea. Open Issues =========== Should the ``dependency_group`` argument take an iterable? ---------------------------------------------------------- This would allow for specifying non-overlapping dependency groups in a single call, e.g. "docs" and "test" groups which have independent dependencies but which a developer may want to install simultaneously while doing development. Is the installer backend executed in-process? --------------------------------------------- If the *installer backend* is executed in-process then it greatly simplifies knowing what environment to install for/into, as the live Python environment can be queried for appropriate information. Executing out-of-process allows for minimizing potential issues of clashes between the environment being installed into and the *installer backend* (and potentially *universal installer*). Enforce that results from the proposed interface feed into other parts? ----------------------------------------------------------------------- E.g. the results from ``get_dependencies_to_install()`` and ``get_dependency_groups()`` can be passed into ``invoke_install()``. This would prevent drift between the results of various parts of the proposed interface, but it makes more of the interface required instead of optional. Raising exceptions instead of exit codes for failure conditions --------------------------------------------------------------- It has been suggested that instead of returning an exit code the API should raise exceptions. If you view this PEP as helping to translate current installers into *installer backends*, then relying on exit codes makes sense. There's is also the point that the APIs have no specific return value, so passing along an exit code does not interfere with what the functions return. Compare that to raising exceptions in case of an error. That could potentially provide a more structured approach to error raising, although to be able to capture errors it would require specifying exception types as part of the interface. References ========== .. _build: https://github.com/pypa/build .. _Buildpack: https://elements.heroku.com/buildpacks/heroku/heroku-buildpack-python .. _Dependabot: https://dependabot.com/ .. _Flit: https://flit.readthedocs.io .. _mamba: https://github.com/mamba-org/mamba .. _pip: https://pip.pypa.io .. _Pipenv: https://pipenv-fork.readthedocs.io/en/latest/ .. _Poetry: https://python-poetry.org/ .. _PyUP: https://pyup.io/ Copyright ========= This document is placed in the public domain or under the CC0-1.0-Universal license, whichever is more permissive. .. Local Variables: mode: indented-text indent-tabs-mode: nil sentence-end-double-space: t fill-column: 70 coding: utf-8 End: