1073 lines
49 KiB
Plaintext
1073 lines
49 KiB
Plaintext
PEP: 453
|
||
Title: Explicit bootstrapping of pip in Python installations
|
||
Version: $Revision$
|
||
Last-Modified: $Date$
|
||
Author: Donald Stufft <donald@stufft.io>,
|
||
Nick Coghlan <ncoghlan@gmail.com>
|
||
BDFL-Delegate: Martin von Löwis
|
||
Status: Accepted
|
||
Type: Process
|
||
Content-Type: text/x-rst
|
||
Created: 10-Aug-2013
|
||
Post-History: 30-Aug-2013, 15-Sep-2013, 18-Sep-2013, 19-Sep-2013,
|
||
23-Sep-2013, 29-Sep-2013, 13-Oct-2013, 20-Oct-2013
|
||
Resolution: https://mail.python.org/pipermail/python-dev/2013-October/129810.html
|
||
|
||
|
||
Abstract
|
||
========
|
||
|
||
This PEP proposes that the
|
||
`Installing Python Modules <http://docs.python.org/3/install>`__ guide in
|
||
Python 2.7, 3.3 and 3.4 be updated to officially recommend the use of ``pip``
|
||
as the default installer for Python packages, and that appropriate technical
|
||
changes be made in Python 3.4 to provide ``pip`` by default in support of
|
||
that recommendation.
|
||
|
||
|
||
PEP Acceptance
|
||
==============
|
||
|
||
This PEP was accepted for inclusion in Python 3.4 by Martin von Löwis on
|
||
Tuesday 22nd October, 2013.
|
||
|
||
`Issue 19347 <http://bugs.python.org/issue19347>`__ has been created to
|
||
track the implementation of this PEP.
|
||
|
||
|
||
Rationale
|
||
=========
|
||
|
||
There are two related, but distinct rationales for the proposal in this
|
||
PEP. The first relates to the experience of new users, while the second
|
||
relates to better enabling the evolution of the broader Python packaging
|
||
ecosystem.
|
||
|
||
|
||
Improving the new user experience
|
||
---------------------------------
|
||
|
||
Currently, on systems without a platform package manager and repository,
|
||
installing a third-party Python package into a freshly installed Python
|
||
requires first identifying an appropriate package manager and then
|
||
installing it.
|
||
|
||
Even on systems that *do* have a platform package manager, it is unlikely to
|
||
include every package that is available on the Python Package Index, and
|
||
even when a desired third-party package is available, the correct name in
|
||
the platform package manager may not be clear.
|
||
|
||
This means that, to work effectively with the Python Package Index
|
||
ecosystem, users must know which package manager to install, where to get
|
||
it, and how to install it. The effect of this is that third-party Python
|
||
projects are currently required to choose from a variety of undesirable
|
||
alternatives:
|
||
|
||
* Assume the user already has a suitable cross-platform package manager
|
||
installed.
|
||
* Duplicate the instructions and tell their users how to install the
|
||
package manager.
|
||
* Completely forgo the use of dependencies to ease installation concerns
|
||
for their users.
|
||
|
||
All of these available options have significant drawbacks.
|
||
|
||
If a project simply assumes a user already has the tooling then beginning
|
||
users may get a confusing error message when the installation command
|
||
doesn't work. Some operating systems may ease this pain by providing a
|
||
global hook that looks for commands that don't exist and suggest an OS
|
||
package they can install to make the command work, but that only works
|
||
on systems with platform package managers that include a package that
|
||
provides the relevant cross-platform installer command (such as many major
|
||
Linux distributions). No such assistance is available for Windows and
|
||
Mac OS X users, or more conservative Linux distributions. The challenges
|
||
of dealing with this problem for beginners (who are often also completely
|
||
new to programming, the use of command line tools and editing system
|
||
environment variables) are a regular feature of feedback the core Python
|
||
developers receive from professional educators and others introducing new
|
||
users to Python.
|
||
|
||
If a project chooses to duplicate the installation instructions and tell
|
||
their users how to install the package manager before telling them how to
|
||
install their own project then whenever these instructions need updates
|
||
they need updating by every project that has duplicated them. This is
|
||
particular problematic when there are multiple competing installation
|
||
tools available, and different projects recommend different tools.
|
||
|
||
This specific problem can be partially alleviated by strongly promoting
|
||
``pip`` as the default installer and recommending that other projects
|
||
reference `pip's own bootstrapping instructions
|
||
<http://www.pip-installer.org/en/latest/installing.html>`__ rather than
|
||
duplicating them. However the user experience created by this approach
|
||
still isn't particularly good (although there is an effort under way to
|
||
create a combined Windows installer for ``pip`` and its dependencies that
|
||
should improve matters on that platform, and Mac OS X and \*nix platforms
|
||
generally have ``wget`` and hence the ability to easily download and run the
|
||
bootstrap scripts from the command line).
|
||
|
||
The projects that have decided to forgo dependencies altogether are forced
|
||
to either duplicate the efforts of other projects by inventing their own
|
||
solutions to problems or are required to simply include the other projects
|
||
in their own source trees. Both of these options present their own problems
|
||
either in duplicating maintenance work across the ecosystem or potentially
|
||
leaving users vulnerable to security issues because the included code or
|
||
duplicated efforts are not automatically updated when upstream releases a new
|
||
version.
|
||
|
||
By officially recommending and providing by default a specific cross-platform
|
||
package manager it will be easier for users trying to install these
|
||
third-party packages as well as easier for the people distributing them as
|
||
they should now be able to safely assume that most users will have the
|
||
appropriate installation tools available (or access to clear instructions on
|
||
how to obtain them). This is expected to become more important in the future
|
||
as the Wheel_ package format (deliberately) does not have a built in
|
||
"installer" in the form of ``setup.py`` so users wishing to install
|
||
from a wheel file will want an installer even in the simplest cases.
|
||
|
||
Reducing the burden of actually installing a third-party package should
|
||
also decrease the pressure to add every useful module to the standard
|
||
library. This will allow additions to the standard library to focus more
|
||
on why Python should have a particular tool out of the box, and why it
|
||
is reasonable for that package to adopt the standard library's 18-24 month
|
||
feature release cycle, instead of using the general difficulty of installing
|
||
third-party packages as justification for inclusion.
|
||
|
||
Providing a standard installation system also helps with bootstrapping
|
||
alternate build and installer systems, such as ``setuptools``,
|
||
``zc.buildout`` and the ``hashdist``/``conda`` combination that is aimed
|
||
specifically at the scientific community. So long as
|
||
``pip install <tool>`` works, then a standard Python-specific installer
|
||
provides a reasonably secure, cross platform mechanism to get access to
|
||
these utilities.
|
||
|
||
|
||
Enabling the evolution of the broader Python packaging ecosystem
|
||
----------------------------------------------------------------
|
||
|
||
As no new packaging standard can achieve widespread adoption without a
|
||
transition strategy that covers the versions of Python that are in
|
||
widespread *current* use (rather than merely future versions, like most
|
||
language features), the change proposed in this PEP is considered a
|
||
necessary step in the evolution of the Python packaging ecosystem
|
||
|
||
The broader community has embraced the Python Package Index as a mechanism
|
||
for distributing and installing Python software, but the different concerns
|
||
of language evolution and secure software distribution mean that a faster
|
||
feature release cycle that encompasses older versions is needed to properly
|
||
support the latter.
|
||
|
||
In addition, the core CPython development team have the luxury of
|
||
dropping support for earlier Python versions well before the rest of the
|
||
community, as downstream commercial redistributors pick up the task of
|
||
providing support for those versions to users that still need it, while
|
||
many third party libraries maintain compatibility with those versions as
|
||
long as they remain in widespread use.
|
||
|
||
This means that the current ``setup.py install`` based model for package
|
||
installation poses serious difficulties for the development and adoption
|
||
of new packaging standards, as, depending on how a project writes their
|
||
``setup.py`` file, the installation command (along with other operations)
|
||
may end up invoking the standard library's ``distutils`` package.
|
||
|
||
As an indicator of how this may cause problems for the broader ecosystem,
|
||
consider that the feature set of ``distutils`` in Python 2.6 was frozen
|
||
in June 2008 (with the release of Python 2.6b1), while the feature set of
|
||
``distutils`` in Python 2.7 was frozen in April 2010 (with the release of
|
||
Python 2.7b1).
|
||
|
||
By contrast, using a separate installer application like ``pip`` (which
|
||
ensures that even ``setup.py`` files that invoke ``distutils`` directly
|
||
still support the new packaging standards) makes it possible to support
|
||
new packaging standards in older versions of Python, just by upgrading
|
||
``pip`` (which receives new feature releases roughly every 6 months). The
|
||
situation on older versions of Python is further improved by making it
|
||
easier for end users to install and upgrade newer build systems like
|
||
``setuptools`` or improved PyPI upload utilities like ``twine``.
|
||
|
||
It is not coincidental that this proposed model of using a separate installer
|
||
program with more metadata heavy and less active distribution formats matches
|
||
that used by most operating systems (including Windows since the introduction
|
||
of the installer service and the MSI file format), as well as many other
|
||
language specific installers.
|
||
|
||
For Python 2.6, this compatibility issue is largely limited to various
|
||
enterprise Linux distributions (and their downstream derivatives). These
|
||
distributions often have even slower update cycles than CPython, so they
|
||
offer full support for versions of Python that are considered "security
|
||
fix only" versions upstream (and sometimes may even be to the point where
|
||
the core development team no longer support them at all - you can still get
|
||
commercial support for Python 2.3 if you really need it!).
|
||
|
||
In practice, the fact that tools like ``wget`` and ``curl`` are readily
|
||
available on Linux systems, that most users of Python on Linux are
|
||
already familiar with the command line, and that most Linux distributions
|
||
ship with a default configuration that makes running Python scripts easy,
|
||
means that the existing ``pip`` bootstrapping instructions for any \*nix
|
||
system are already quite straightforward. Even if ``pip`` isn't provided by
|
||
the system package manager, then using ``wget`` or ``curl`` to retrieve the
|
||
bootstrap script from www.pip-installer.org and then running it is just a
|
||
couple of shell commands that can easily be copied and pasted as necessary.
|
||
|
||
Accordingly, for any version of Python on any \*nix system, the need to
|
||
bootstrap ``pip`` in older versions isn't considered a major barrier to
|
||
adoption of new packaging standards, since it's just one more small
|
||
speedbump encountered by users of these long term stable releases. For
|
||
\*nix systems, this PEP's formal endorsement of ``pip`` as the preferred
|
||
default packaging tool is seen as more important than the underlying
|
||
technical details involved in making ``pip`` available by default, since
|
||
it shifts the nature of the conversation between the developers of ``pip``
|
||
and downstream repackagers of both ``pip`` and CPython.
|
||
|
||
For Python 2.7, on the other hand, the compatibility issue for adopting new
|
||
metadata standards is far more widespread, as it affects the python.org
|
||
binary installers for Windows and Mac OS X, as well as even relatively
|
||
fast moving \*nix platforms.
|
||
|
||
Firstly, and unlike Python 2.6, Python 2.7 is still a fully supported
|
||
upstream version, and will remain so until the release of Python 2.7.9
|
||
(currently scheduled for May 2015), at which time it is expected to enter
|
||
the usual "security fix only" mode. That means there are at least another
|
||
19 months where Python 2.7 is a deployment target for Python applications
|
||
that enjoys full upstream support. Even after the core development team
|
||
switches 2.7 to security release only mode in 2015, Python 2.7 will likely
|
||
remain a commercially supported legacy target out beyond 2020.
|
||
|
||
While Python 3 already presents a compelling alternative over Python 2 for
|
||
*new* Python applications and deployments without an existing investment
|
||
in Python 2 and without a dependency on specific Python 2 only third party
|
||
modules (a set which is getting ever smaller over time), it is going to take
|
||
longer to create compelling business cases to update existing Python 2.7
|
||
based infrastructure to Python 3, especially in situations where the culture
|
||
of automated testing is weak (or nonexistent), making it difficult to
|
||
effectively use the available migration utilities.
|
||
|
||
While this PEP only proposes documentation changes for Python 2.7, once
|
||
``pip`` has a Windows installer available, a separate PEP will be created
|
||
and submitted proposing the creation and distribution of aggregate installers
|
||
for future CPython 2.7 maintenance releases that combine the CPython,
|
||
``pip`` and Python Launcher for Windows installers into a single download
|
||
(the separate downloads would still remain available - the aggregate
|
||
installers would be provided as a convenience, and as a clear indication
|
||
of the recommended operating environment for Python in Windows systems).
|
||
|
||
|
||
Why pip?
|
||
--------
|
||
|
||
``pip`` has been chosen as the preferred default installer, as it is an
|
||
already popular tool that addresses several design and user experience
|
||
issues with its predecessor ``easy_install`` (these issues can't readily
|
||
be fixed in ``easy_install`` itself due to backwards compatibility
|
||
concerns). ``pip`` is also well suited to working within the bounds of
|
||
a single Python runtime installation (including associated virtual
|
||
environments), which is a desirable feature for a tool bundled with CPython.
|
||
|
||
Other tools like ``zc.buildout`` and ``conda`` are more ambitious in their
|
||
aims (and hence substantially better than ``pip`` at handling external
|
||
binary dependencies), so it makes sense for the Python ecosystem to treat
|
||
them more like platform package managers to interoperate with rather than
|
||
as the default cross-platform installation tool. This relationship is
|
||
similar to that between ``pip`` and platform package management systems
|
||
like ``apt`` and ``yum`` (which are also designed to handle arbitrary
|
||
binary dependencies).
|
||
|
||
|
||
Proposal Overview
|
||
=================
|
||
|
||
This PEP proposes that the
|
||
`Installing Python Modules <http://docs.python.org/3/install>`__ guide be
|
||
updated to officially recommend the use of ``pip`` as the default
|
||
installer for Python packages, rather than the current approach of
|
||
recommending the direct invocation of the ``setup.py install`` command.
|
||
|
||
However, to avoid recommending a tool that CPython does not provide, it is
|
||
further proposed that the `pip`_ package manager be made available by
|
||
default when installing CPython 3.4 or later and when creating virtual
|
||
environments using the standard library's ``venv`` module via the
|
||
``pyvenv`` command line utility.
|
||
|
||
To support that end, this PEP proposes the inclusion of an ``ensurepip``
|
||
bootstrapping module in Python 3.4, as well as automatic invocation of that
|
||
module from ``pyvenv`` and changes to the way Python installed scripts are
|
||
handled on Windows. Using a bootstrap module rather than providing ``pip``
|
||
directly helps to clearly demarcate development responsibilities, and to
|
||
avoid inadvertently downgrading ``pip`` when updating CPython.
|
||
|
||
To provide clear guidance for new users of Python that may not be
|
||
starting with the latest release, this PEP also proposes that the
|
||
"Installing Python Modules" guides in Python 2.7 and 3.3 be updated to
|
||
recommend installing and using ``pip``, rather than invoking ``distutils``
|
||
directly. It does *not* propose backporting any of the code changes that
|
||
are being proposed for Python 3.4.
|
||
|
||
Finally, the PEP also strongly recommends that CPython redistributors and
|
||
other Python implementations ensure that ``pip`` is available by default, or
|
||
at the very least, explicitly document the fact that it is not included.
|
||
|
||
This PEP does *not* propose making pip (or any dependencies) directly
|
||
available as part of the standard library. Instead, pip will be a
|
||
bundled application provided along with CPython for the convenience
|
||
of Python users, but subject to its own development life cycle and able
|
||
to be upgraded independently of the core interpreter and standard library.
|
||
|
||
|
||
Explicit bootstrapping mechanism
|
||
================================
|
||
|
||
An additional module called ``ensurepip`` will be added to the standard
|
||
library whose purpose is to install pip and any of its dependencies into the
|
||
appropriate location (most commonly site-packages). It will expose a
|
||
callable named ``bootstrap()`` as well as offer direct execution via
|
||
``python -m ensurepip``.
|
||
|
||
The bootstrap will *not* contact PyPI, but instead rely on a private copy
|
||
of pip stored inside the standard library. Accordingly, only options
|
||
related to the installation location will be supported (``--user``,
|
||
``--root``, etc).
|
||
|
||
It is considered desirable that users be strongly encouraged to use the
|
||
latest available version of ``pip``, in order to take advantage of the
|
||
ongoing efforts to improve the security of the PyPI based ecosystem, as
|
||
well as benefiting from the efforts to improve the speed, reliability and
|
||
flexibility of that ecosystem.
|
||
|
||
In order to satisfy this goal of providing the most recent version of
|
||
``pip`` by default, the private copy of ``pip`` will be updated in CPython
|
||
maintenance releases, which should align well with the 6-month cycle used
|
||
for new ``pip`` releases.
|
||
|
||
|
||
Security considerations
|
||
-----------------------
|
||
|
||
The design in this PEP has been deliberately chosen to avoid making any
|
||
significant changes to the trust model of CPython for end users that do
|
||
not subsequently run the command ``pip install --upgrade pip``.
|
||
|
||
The installers will contain all the components of a fully functioning
|
||
version of Python, including the ``pip`` installer. The installation
|
||
process will *not* require network access, and will *not* rely on
|
||
trusting the security of the network connection established between
|
||
``pip`` and the Python package index.
|
||
|
||
Only users that choose to use ``pip`` to communicate with PyPI will
|
||
need to pay attention to the additional security considerations that come
|
||
with doing so.
|
||
|
||
However, the core CPython team will still assist with reviewing and
|
||
resolving at least the `certificate update management issue
|
||
<https://github.com/kennethreitz/requests/issues/1659>`__ currently
|
||
affecting the ``requests`` project (and hence ``pip``), and may also be
|
||
able to offer assistance in resolving other identified security concerns
|
||
[#cert-verification]_.
|
||
|
||
|
||
Reliability considerations
|
||
--------------------------
|
||
|
||
By including the bootstrap as part of the standard library (rather than
|
||
solely as a feature of the binary installers), the correct operation of
|
||
the bootstrap command can be easily tested using the existing CPython
|
||
buildbot infrastructure rather than adding significantly to the testing
|
||
burden for the installers themselves.
|
||
|
||
|
||
Implementation strategy
|
||
-----------------------
|
||
|
||
To ensure there is no need for network access when installing Python or
|
||
creating virtual environments, the ``ensurepip`` module will, as an
|
||
implementation detail, include a complete private copy of pip and its
|
||
dependencies which will be used to extract pip and install it into the target
|
||
environment. It is important to stress that this private copy of pip is
|
||
*only* an implementation detail and it should *not* be relied on or
|
||
assumed to exist beyond the public capabilities exposed through the
|
||
``ensurepip`` module (and indirectly through ``venv``).
|
||
|
||
There is not yet a reference ``ensurepip`` implementation. The existing
|
||
``get-pip.py`` bootstrap script demonstrates an earlier variation of the
|
||
general concept, but the standard library version would take advantage of
|
||
the improved distribution capabilities offered by the CPython installers
|
||
to include private copies of ``pip`` and ``setuptools`` as wheel files
|
||
(rather than as embedded base64 encoded data), and would not try to
|
||
contact PyPI (instead installing directly from the private wheel files.
|
||
|
||
Rather than including separate code to handle the bootstrapping, the
|
||
``ensurepip`` module will manipulate ``sys.path`` appropriately to allow
|
||
the wheel files to be used to install themselves, either into the current
|
||
Python installation or into a virtual environment (as determined by the
|
||
options passed to the bootstrap command).
|
||
|
||
It is proposed that the implementation be carried out in five separate
|
||
steps (all steps after the first two are independent of each other and
|
||
can be carried out in any order):
|
||
|
||
* the first step would update the "Installing Python Modules" documentation
|
||
to recommend the use of ``pip`` and reference the ``pip`` team's
|
||
instructions for downloading and installing it. This change would be
|
||
applied to Python 2.7, 3.3, and 3.4.
|
||
* the ``ensurepip`` module and the private copies of the most recently
|
||
released versions of pip and setuptools would be added to Python 3.4
|
||
and the 3.4 "Installing Python Modules" documentation updated accordingly.
|
||
* the CPython Windows installer would be updated to offer the new ``pip``
|
||
installation option for Python 3.4.
|
||
* the CPython Mac OS X installer would be updated to offer the new ``pip``
|
||
installation option for Python 3.4.
|
||
* the ``venv`` module and ``pyvenv`` command would be updated to make use
|
||
of ``ensurepip`` in Python 3.4
|
||
* the PATH handling on Windows would be updated for Python 3.4+
|
||
|
||
|
||
Integration timeline
|
||
--------------------
|
||
|
||
If this PEP is accepted, the proposed time frame for integration of ``pip``
|
||
into the CPython release is as follows:
|
||
|
||
* as soon as possible after the release of 3.4.0 alpha 4
|
||
|
||
* Documentation updated and ``ensurepip`` implemented based on a
|
||
pre-release version of ``pip`` 1.5.
|
||
|
||
* All other proposed functional changes for Python 3.4 implemented,
|
||
including the installer updates to invoke ``ensurepip``.
|
||
|
||
* by November 20th (3 days prior to the scheduled date of 3.4.0 beta 1)
|
||
|
||
* ``ensurepip`` updated to use a ``pip`` 1.5 release candidate.
|
||
|
||
* PEP 101 updated to cover ensuring the bundled version of ``pip`` is up
|
||
to date.
|
||
|
||
* by November 24th (scheduled date of 3.4.0 beta 1)
|
||
|
||
* As with any other new feature, all proposed functional changes for
|
||
Python 3.4 must be implemented prior to the beta feature freeze.
|
||
|
||
* by December 29th (1 week prior to the scheduled date of 3.4.0 beta 2)
|
||
|
||
* ``requests`` certificate management issue resolved
|
||
* ``ensurepip`` updated to the final release of ``pip`` 1.5, or a
|
||
subsequent maintenance release (including a suitably updated vendored
|
||
copy of ``requests``)
|
||
|
||
(See PEP 429 for the current official scheduled dates of each release. Dates
|
||
listed above are accurate as of October 20th, 2013.)
|
||
|
||
If there is no final or maintenance release of ``pip`` 1.5 with a suitable
|
||
updated version of ``requests`` available by one week before the scheduled
|
||
Python 3.4 beta 2 release, then implementation of this PEP will
|
||
be deferred to Python 3.5. Note that this scenario is considered unlikely -
|
||
the tentative date for the ``pip`` 1.5 release is currently December 1st.
|
||
|
||
In future CPython releases, this kind of coordinated scheduling shouldn't be
|
||
needed: the CPython release manager will be able to just update to the latest
|
||
released version of ``pip``. However, in this case, some fixes are needed in
|
||
``pip`` in order to allow the bundling to work correctly, and the
|
||
certificate update mechanism for ``requests`` needs to be improved, so the
|
||
``pip`` 1.5 release cycle needs to be properly aligned with the CPython 3.4
|
||
beta releases.
|
||
|
||
|
||
Proposed CLI
|
||
------------
|
||
|
||
The proposed CLI is based on a subset of the existing ``pip install``
|
||
options::
|
||
|
||
Usage:
|
||
python -m ensurepip [options]
|
||
|
||
General Options:
|
||
-h, --help Show help.
|
||
-v, --verbose Give more output. Option is additive, and can be used up to 3 times.
|
||
-V, --version Show the pip version that would be extracted and exit.
|
||
-q, --quiet Give less output.
|
||
|
||
Installation Options:
|
||
-U, --upgrade Upgrade pip and dependencies, even if already installed
|
||
--user Install using the user scheme.
|
||
--root <dir> Install everything relative to this alternate root directory.
|
||
|
||
In most cases, end users won't need to use this CLI directly, as ``pip``
|
||
should have been installed automatically when installing Python or when
|
||
creating a virtual environment. However, it is formally documented as a
|
||
public interface to support at least these known use cases:
|
||
|
||
* Windows and Mac OS X installations where the "Install pip" option was
|
||
*not* chosen during installation
|
||
* any installation where the user previously ran "pip uninstall pip"
|
||
|
||
Users that want to retrieve the latest version from PyPI, or otherwise
|
||
need more flexibility, can then invoke the extracted ``pip`` appropriately.
|
||
|
||
|
||
Proposed module API
|
||
-------------------
|
||
|
||
The proposed ``ensurepip`` module API consists of the following two
|
||
functions::
|
||
|
||
def version():
|
||
"""
|
||
Returns a string specifying the bundled version of pip.
|
||
"""
|
||
|
||
def bootstrap(root=None, upgrade=False, user=False, verbosity=0):
|
||
"""
|
||
Bootstrap pip into the current Python installation (or the given root
|
||
directory).
|
||
"""
|
||
|
||
|
||
Invocation from the CPython installers
|
||
--------------------------------------
|
||
|
||
The CPython Windows and Mac OS X installers will each gain a new option:
|
||
|
||
* Install pip (the default Python package management utility)?
|
||
|
||
This option will be checked by default.
|
||
|
||
If the option is checked, then the installer will invoke the following
|
||
command with the just installed Python::
|
||
|
||
python -m ensurepip --upgrade
|
||
|
||
This ensures that, by default, installing or updating CPython will ensure
|
||
that the installed version of pip is at least as recent as the one included
|
||
with that version of CPython. If a newer version of pip has already been
|
||
installed then ``python -m ensurepip --upgrade`` will simply return without
|
||
doing anything.
|
||
|
||
|
||
Installing from source
|
||
----------------------
|
||
|
||
Just as the prebuilt binary installers will be updated to run
|
||
``python -m ensurepip`` by default, a similar change will be made to the
|
||
``make install`` and ``make altinstall`` commands of the source
|
||
distribution. The directory settings in the ``sysconfig`` module should
|
||
ensure the ``pip`` components are automatically installed to the expected
|
||
locations.
|
||
|
||
``ensurepip`` itself (including the private copy of ``pip`` and its
|
||
dependencies) will always be installed normally (as it is a regular
|
||
part of the standard library), but an option will be provided to skip
|
||
the invocation of ``ensurepip``.
|
||
|
||
This means that even installing from source will provide ``pip`` by default,
|
||
but redistributors provide ``pip`` by other means (or not providing it at
|
||
all) will still be able to opt out of installing it using ``ensurepip``.
|
||
|
||
|
||
Changes to virtual environments
|
||
-------------------------------
|
||
|
||
Python 3.3 included a standard library approach to virtual Python environments
|
||
through the ``venv`` module. Since its release it has become clear that very
|
||
few users have been willing to use this feature directly, in part due to the
|
||
lack of an installer present by default inside of the virtual environment.
|
||
They have instead opted to continue using the ``virtualenv`` package which
|
||
*does* include pip installed by default.
|
||
|
||
To make the ``venv`` more useful to users it will be modified to issue the
|
||
pip bootstrap by default inside of the new environment while creating it. This
|
||
will allow people the same convenience inside of the virtual environment as
|
||
this PEP provides outside of it as well as bringing the ``venv`` module closer
|
||
to feature parity with the external ``virtualenv`` package, making it a more
|
||
suitable replacement.
|
||
|
||
To handle cases where a user does not wish to have pip bootstrapped into
|
||
their virtual environment a ``--without-pip`` option will be
|
||
added.
|
||
|
||
The ``venv.EnvBuilder`` and ``venv.create`` APIs will be updated to accept
|
||
one new parameter: ``with_pip`` (defaulting to ``False``).
|
||
|
||
The new default for the module API is chosen for backwards compatibility
|
||
with the current behaviour (as it is assumed that most invocation of the
|
||
``venv`` module happens through third part tools that likely will not
|
||
want ``pip`` installed without explicitly requesting it), while the
|
||
default for the command line interface is chosen to try to ensure ``pip``
|
||
is available in most virtual environments without additional action on the
|
||
part of the end user.
|
||
|
||
As this change will only benefit Python 3.4 and later versions, the
|
||
third-party ``virtualenv`` project will still be needed to obtain a
|
||
consistent cross-version experience in Python 3.3 and 2.7.
|
||
|
||
|
||
Documentation
|
||
-------------
|
||
|
||
The "Installing Python Modules" section of the standard library
|
||
documentation in Python 2.7, 3.3 and 3.4 will be updated to recommend
|
||
the use of the ``pip`` installer, either provided by default in Python 3.4
|
||
or retrieved and installed by the user in Python 2.7 or 3.3. It will give
|
||
a brief description of the most common commands and options, but delegate
|
||
to the externally maintained ``pip`` documentation for the full details.
|
||
|
||
In Python 3.4, the ``pyvenv`` and ``venv`` documentation will also be
|
||
updated to reference the revised module installation guide.
|
||
|
||
The existing content of the module installation guide will be retained in
|
||
all versions, but under a new "Invoking distutils directly" subsection.
|
||
|
||
|
||
Bundling CA certificates with CPython
|
||
-------------------------------------
|
||
|
||
The ``ensurepip`` implementation will include the ``pip`` CA bundle along
|
||
with the rest of ``pip``. This means CPython effectively includes
|
||
a CA bundle that is used solely by ``pip`` after it has been extracted.
|
||
|
||
This is considered preferable to relying solely on the system
|
||
certificate stores, as it ensures that ``pip`` will behave the same
|
||
across all supported versions of Python, even those prior to Python 3.4
|
||
that cannot access the system certificate store on Windows.
|
||
|
||
|
||
Automatic installation of setuptools
|
||
------------------------------------
|
||
|
||
``pip`` currently depends on ``setuptools`` to handle metadata generation
|
||
during the build process, along with some other features. While work is
|
||
ongoing to reduce or eliminate this dependency, it is not clear if that
|
||
work will be complete for pip 1.5 (which is the version likely to be current
|
||
when Python 3.4.0 is released).
|
||
|
||
This PEP proposes that, if pip still requires it as a dependency,
|
||
``ensurepip`` will include a private copy of ``setuptools`` (in addition
|
||
to the private copy of ``ensurepip``). ``python -m ensurepip`` will then
|
||
install the private copy in addition to installing ``pip`` itself.
|
||
|
||
However, this behavior is officially considered an implementation
|
||
detail. Other projects which explicitly require ``setuptools`` must still
|
||
provide an appropriate dependency declaration, rather than assuming
|
||
``setuptools`` will always be installed alongside ``pip``.
|
||
|
||
Once pip is able to run ``pip install --upgrade pip`` without needing
|
||
``setuptools`` installed first, then the private copy of ``setuptools``
|
||
will be removed from ``ensurepip`` in subsequent CPython releases.
|
||
|
||
As long as setuptools is needed, it will be a completely unmodified copy of
|
||
the latest upstream setuptools release, including the ``easy_install``
|
||
script if the upstream setuptools continues to include it. The installation
|
||
of ``easy_install`` along with ``pip`` isn't considered desirable, but
|
||
installing a broken setuptools would be worse. This problem will
|
||
naturally resolve itself once the ``pip`` developers have managed to
|
||
eliminate their dependency on ``setuptools`` and the private copy of
|
||
``setuptools`` can be removed entirely from CPython.
|
||
|
||
|
||
Updating the private copy of pip
|
||
--------------------------------
|
||
|
||
In order to keep up with evolutions in packaging as well as providing users
|
||
with as recent version a possible the ``ensurepip`` module will be
|
||
regularly updated to the latest versions of everything it bootstraps.
|
||
|
||
After each new ``pip`` release, and again during the preparation for any
|
||
release of Python (including feature releases), a script, provided as part
|
||
of the implementation for this PEP, will be run to ensure the private
|
||
copies stored in the CPython source repository have been updated to the
|
||
latest versions.
|
||
|
||
|
||
Updating the ensurepip module API and CLI
|
||
-----------------------------------------
|
||
|
||
Like ``venv`` and ``pyvenv``, the ``ensurepip`` module API and CLI
|
||
will be governed by the normal rules for the standard library: no
|
||
new features are permitted in maintenance releases.
|
||
|
||
However, the embedded components may be updated as noted above, so
|
||
the extracted ``pip`` may offer additional functionality in maintenance
|
||
releases.
|
||
|
||
|
||
Uninstallation
|
||
==============
|
||
|
||
No changes are proposed to the CPython uninstallation process by this PEP.
|
||
The bootstrapped pip will be installed the same way as any other pip
|
||
installed packages, and will be handled in the same way as any other
|
||
post-install additions to the Python environment.
|
||
|
||
At least on Windows, that means the bootstrapped files will be
|
||
left behind after uninstallation, since those files won't be associated
|
||
with the Python MSI installer.
|
||
|
||
While the case can be made for the CPython installers clearing out these
|
||
directories automatically, changing that behaviour is considered outside
|
||
the scope of this PEP.
|
||
|
||
|
||
Script Execution on Windows
|
||
===========================
|
||
|
||
While the Windows installer was updated in Python 3.3 to optionally
|
||
make ``python`` available on the PATH, no such change was made to
|
||
include the script installation directory returned by
|
||
``sysconfig.get_path("scripts")``.
|
||
|
||
Accordingly, in addition to adding the option to extract and install ``pip``
|
||
during installation, this PEP proposes that the Windows installer in
|
||
Python 3.4 and later be updated to also add the path returned by
|
||
``sysconfig.get_path("scripts")`` to the Windows PATH when the PATH
|
||
modification option is enabled during installation
|
||
|
||
Note that this change will only be available in Python 3.4 and later.
|
||
|
||
This means that, for Python 3.3, the most reliable way to invoke pip globally
|
||
on Windows (without tinkering manually with PATH) will still remain
|
||
``py -m pip`` (or ``py -3 -m pip`` to select the Python 3 version if both
|
||
Python 2 and 3 are installed) rather than simply calling ``pip``. This
|
||
works because Python 3.3 provides the Python Launcher for
|
||
Windows (and the associated ``py`` command) by default.
|
||
|
||
For Python 2.7 and 3.2, the most reliable mechanism will be to install the
|
||
Python Launcher for Windows using the standalone installer and then use
|
||
``py -m pip`` as noted above.
|
||
|
||
Adding the scripts directory to the system PATH will mean that ``pip``
|
||
works reliably in the "only one Python installation on the system PATH"
|
||
case, with ``py -m pip``, ``pipX``, or ``pipX.Y`` needed only to select a
|
||
non-default version in the parallel installation case (and outside a virtual
|
||
environment). This change should also make the ``pyvenv`` command substantially
|
||
easier to invoke on Windows, along with all scripts installed by ``pip``,
|
||
``easy_install`` and similar tools.
|
||
|
||
While the script invocations on recent versions of Python will run through
|
||
the Python launcher for Windows, this shouldn't cause any issues, as long
|
||
as the Python files in the Scripts directory correctly specify a Python version
|
||
in their shebang line or have an adjacent Windows executable (as
|
||
``easy_install`` and ``pip`` do).
|
||
|
||
|
||
Recommendations for Downstream Distributors
|
||
===========================================
|
||
|
||
A common source of Python installations are through downstream distributors
|
||
such as the various Linux Distributions [#ubuntu]_ [#debian]_ [#fedora]_, OSX
|
||
package managers [#homebrew]_ [#macports]_ [#fink]_, and commercial Python
|
||
redistributors [#ContinuumIO]_ [#ActiveState]_ [#Enthought]_. In order to
|
||
provide a consistent, user-friendly experience to all users of Python
|
||
regardless of how they obtained Python this PEP recommends and asks that
|
||
downstream distributors:
|
||
|
||
* Ensure that whenever Python is installed ``pip`` is either installed or is
|
||
otherwise made readily available to end users.
|
||
|
||
* For redistributors using binary installers, this may take the form of
|
||
optionally executing the ``ensurepip`` bootstrap during installation,
|
||
similar to the CPython installers.
|
||
* For redistributors using package management systems, it may take the
|
||
form of separate packages with dependencies on each other so that
|
||
installing the Python package installs the pip package and installing
|
||
the pip package installs the Python package.
|
||
* Another reasonable way to implement this is to package pip separately but
|
||
ensure that there is some sort of global hook that will recommend
|
||
installing the separate pip package when a user executes ``pip`` without
|
||
it being installed. Systems that choose this option should ensure that
|
||
the ``ensurepip`` module still installs pip directly when invoked inside
|
||
a virtual environment, but may modify the module in the system Python
|
||
installation to redirect to the platform provided mechanism when
|
||
installing ``pip`` globally.
|
||
|
||
* Even if pip is made available globally by other means, do not remove the
|
||
``ensurepip`` module in Python 3.4 or later.
|
||
|
||
* ``ensurepip`` will be required for automatic installation of pip into
|
||
virtual environments by the ``venv`` module.
|
||
* This is similar to the existing ``virtualenv`` package for which many
|
||
downstream distributors have already made exception to the common
|
||
"debundling" policy.
|
||
* This does mean that if ``pip`` needs to be updated due to a security
|
||
issue, so does the private copy in the ``ensurepip`` bootstrap module
|
||
* However, altering the private copy of pip to remove the embedded
|
||
CA certificate bundle and rely on the system CA bundle instead is a
|
||
reasonable change.
|
||
|
||
* Ensure that all features of this PEP continue to work with any modifications
|
||
made to the redistributed version of Python.
|
||
|
||
* Checking the version of pip that will be bootstrapped using
|
||
``python -m ensurepip --version`` or ``ensurepip.version()``.
|
||
* Installation of pip into a global or virtual python environment using
|
||
``python -m ensurepip`` or ``ensurepip.bootstrap()``.
|
||
* ``pip install --upgrade pip`` in a global installation should not affect
|
||
any already created virtual environments (but is permitted to affect
|
||
future virtual environments, even though it will not do so when using
|
||
the standard implementation of ``ensurepip``).
|
||
* ``pip install --upgrade pip`` in a virtual environment should not affect
|
||
the global installation.
|
||
|
||
* Migrate build systems to utilize `pip`_ and `Wheel`_ wherever feasible
|
||
and avoid directly invoking ``setup.py``.
|
||
|
||
* This will help ensure a smoother and more timely migration to improved
|
||
metadata formats as the Python packaging ecosystem continues to evolve.
|
||
|
||
In the event that a Python redistributor chooses *not* to follow these
|
||
recommendations, we request that they explicitly document this fact and
|
||
provide their users with suitable guidance on translating upstream ``pip``
|
||
based installation instructions into something appropriate for the platform.
|
||
|
||
Other Python implementations are also encouraged to follow these guidelines
|
||
where applicable.
|
||
|
||
|
||
Policies & Governance
|
||
=====================
|
||
|
||
The maintainers of the bootstrapped software and the CPython core team will
|
||
work together in order to address the needs of both. The bootstrapped
|
||
software will still remain external to CPython and this PEP does not
|
||
include CPython subsuming the development responsibilities or design
|
||
decisions of the bootstrapped software. This PEP aims to decrease the
|
||
burden on end users wanting to use third-party packages and the
|
||
decisions inside it are pragmatic ones that represent the trust that the
|
||
Python community has already placed in the Python Packaging Authority as
|
||
the authors and maintainers of ``pip``, ``setuptools``, PyPI, ``virtualenv``
|
||
and other related projects.
|
||
|
||
|
||
Backwards Compatibility
|
||
-----------------------
|
||
|
||
The public API and CLI of the ``ensurepip`` module itself will fall under
|
||
the typical backwards compatibility policy of Python for its standard
|
||
library. The externally developed software that this PEP bundles does not.
|
||
|
||
Most importantly, this means that the bootstrapped version of pip may gain
|
||
new features in CPython maintenance releases, and pip continues to operate on
|
||
its own 6 month release cycle rather than CPython's 18-24 month cycle.
|
||
|
||
|
||
Security Releases
|
||
-----------------
|
||
|
||
Any security update that affects the ``ensurepip`` module will be shared
|
||
prior to release with the Python Security Response Team
|
||
(security@python.org). The PSRT will then decide if the reported issue
|
||
warrants a security release of CPython with an updated private copy of
|
||
``pip``.
|
||
|
||
|
||
Licensing
|
||
---------
|
||
|
||
``pip`` is currently licensed as 1 Clause BSD, and it contains code taken
|
||
from other projects. Additionally this PEP will include setuptools until
|
||
such time as pip no longer requires it. The licenses for these appear in
|
||
the table below.
|
||
|
||
================= ============
|
||
Project License
|
||
================= ============
|
||
requests Apache 2.0
|
||
six 1 Clause BSD
|
||
html5lib 1 Clause BSD
|
||
distlib PSF
|
||
colorama 3 Clause BSD
|
||
Mozilla CA Bundle LGPL
|
||
setuptools PSF
|
||
================= ============
|
||
|
||
All of these licenses should be compatible with the PSF license. Additionally
|
||
it is unclear if a CA Bundle is copyrightable material and thus if it needs
|
||
or can be licensed at all.
|
||
|
||
|
||
Appendix: Rejected Proposals
|
||
============================
|
||
|
||
|
||
Changing the name of the scripts directory on Windows
|
||
-----------------------------------------------------
|
||
|
||
Earlier versions of this PEP proposed changing the name of the script
|
||
installation directory on Windows from "Scripts" to "bin" in order to
|
||
improve the cross-platform consistency of the virtual environments created
|
||
by ``pyvenv``.
|
||
|
||
However, Paul Moore determined that this change was likely backwards
|
||
incompatible with cross-version Windows installers created with previous
|
||
versions of Python, so the change has been removed from this PEP
|
||
[#windows-incompatibility]_.
|
||
|
||
|
||
Including ensurepip in Python 2.7, and 3.3
|
||
------------------------------------------
|
||
|
||
Earlier versions of this PEP made the case that the challenges of getting
|
||
``pip`` bootstrapped for new users posed a significant enough barrier to
|
||
Python's future growth that it justified adding ``ensurepip`` as a new
|
||
feature in the upcoming Python 2.7 and 3.3 maintenance releases.
|
||
|
||
While the proposal to provide ``pip`` with Python 3.4 was universally
|
||
popular, this part of the proposal was highly controversial and ultimately
|
||
`rejected by MvL as BDFL-Delegate
|
||
<https://mail.python.org/pipermail/python-dev/2013-September/129091.html>`__.
|
||
|
||
Accordingly, the proposal to backport ``ensurepip`` to Python 2.7 and 3.3
|
||
has been removed from this PEP in favour of creating a Windows installer
|
||
for ``pip`` and a possible future PEP suggesting creation of an aggregate
|
||
installer for Python 2.7 that combines CPython 2.7, ``pip`` and the Python
|
||
Launcher for Windows.
|
||
|
||
|
||
Automatically contacting PyPI when bootstrapping pip
|
||
----------------------------------------------------
|
||
|
||
Earlier versions of this PEP called the bootstrapping module ``getpip`` and
|
||
defaulted to downloading and installing ``pip`` from PyPI, with the private
|
||
copy used only as a fallback option or when explicitly requested.
|
||
|
||
This resulted in several complex edge cases, along with difficulties in
|
||
defining a clean API and CLI for the bootstrap module. It also significantly
|
||
altered the default trust model for the binary installers published on
|
||
python.org, as end users would need to explicitly *opt-out* of trusting
|
||
the security of the PyPI ecosystem (rather than opting in to it by
|
||
explicitly invoking ``pip`` following installation).
|
||
|
||
As a result, the PEP was simplified to the current design, where the
|
||
bootstrapping *always* uses the private copy of ``pip``. Contacting PyPI
|
||
is now always an explicit separate step, with direct access to the full
|
||
pip interface.
|
||
|
||
Removing the implicit attempt to access PyPI also made it feasible to
|
||
invoke ``ensurepip`` by default when installing from a custom source build.
|
||
|
||
|
||
Implicit bootstrap
|
||
------------------
|
||
|
||
`PEP439`_, the predecessor for this PEP, proposes its own solution. Its
|
||
solution involves shipping a fake ``pip`` command that when executed would
|
||
implicitly bootstrap and install pip if it does not already exist. This has
|
||
been rejected because it is too "magical". It hides from the end user when
|
||
exactly the pip command will be installed or that it is being installed at
|
||
all. It also does not provide any recommendations or considerations towards
|
||
downstream packagers who wish to manage the globally installed pip through
|
||
the mechanisms typical for their system.
|
||
|
||
The implicit bootstrap mechanism also ran into possible permissions issues,
|
||
if a user inadvertently attempted to bootstrap pip without write access to
|
||
the appropriate installation directories.
|
||
|
||
|
||
Including pip directly in the standard library
|
||
----------------------------------------------
|
||
|
||
Similar to this PEP is the proposal of just including pip in the standard
|
||
library. This would ensure that Python always includes pip and fixes all of the
|
||
end user facing problems with not having pip present by default. This has been
|
||
rejected because we've learned, through the inclusion and history of
|
||
``distutils`` in the standard library, that losing the ability to update the
|
||
packaging tools independently can leave the tooling in a state of constant
|
||
limbo. Making it unable to ever reasonably evolve in a time frame that actually
|
||
affects users as any new features will not be available to the general
|
||
population for *years*.
|
||
|
||
Allowing the packaging tools to progress separately from the Python release
|
||
and adoption schedules allows the improvements to be used by *all* members
|
||
of the Python community and not just those able to live on the bleeding edge
|
||
of Python releases.
|
||
|
||
There have also been issues in the past with the "dual maintenance" problem
|
||
if a project continues to be maintained externally while *also* having a
|
||
fork maintained in the standard library. Since external maintenance of
|
||
``pip`` will always be needed to support earlier Python versions, the
|
||
proposed bootstrapping mechanism will becoming the explicit responsibility
|
||
of the CPython core developers (assisted by the pip developers), while
|
||
pip issues reported to the CPython tracker will be migrated to the pip
|
||
issue tracker. There will no doubt still be some user confusion over which
|
||
tracker to use, but hopefully less than has been seen historically when
|
||
including complete public copies of third-party projects in the standard
|
||
library.
|
||
|
||
The approach described in this PEP also avoids some technical issues
|
||
related to handling CPython maintenance updates when pip has been
|
||
independently updated to a more recent version. The proposed pip-based
|
||
bootstrapping mechanism handles that automatically, since pip and the
|
||
system installer never get into a fight about who owns the pip
|
||
installation (it is always managed through pip, either directly, or
|
||
indirectly via the ``ensurepip`` bootstrap module).
|
||
|
||
Finally, the separate bootstrapping step means it is also easy to avoid
|
||
installing ``pip`` at all if end users so desire. This is often the case
|
||
if integrators are using system packages to handle installation of
|
||
components written in multiple languages using a common set of tools.
|
||
|
||
|
||
Defaulting to --user installation
|
||
---------------------------------
|
||
|
||
Some consideration was given to bootstrapping pip into the per-user
|
||
site-packages directory by default. However, this behavior would be
|
||
surprising (as it differs from the default behavior of pip itself)
|
||
and is also not currently considered reliable (there are some edge cases
|
||
which are not handled correctly when pip is installed into the user
|
||
site-packages directory rather than the system site-packages).
|
||
|
||
|
||
.. _Wheel: http://www.python.org/dev/peps/pep-0427/
|
||
.. _pip: http://www.pip-installer.org
|
||
.. _setuptools: https://pypi.python.org/pypi/setuptools
|
||
.. _PEP439: http://www.python.org/dev/peps/pep-0439/
|
||
|
||
|
||
References
|
||
==========
|
||
|
||
.. [1] Discussion thread 1 (distutils-sig)
|
||
(https://mail.python.org/pipermail/distutils-sig/2013-August/022529.html)
|
||
|
||
.. [2] Discussion thread 2 (distutils-sig)
|
||
(https://mail.python.org/pipermail/distutils-sig/2013-September/022702.html)
|
||
|
||
.. [3] Discussion thread 3 (python-dev)
|
||
(https://mail.python.org/pipermail/python-dev/2013-September/128723.html)
|
||
|
||
.. [4] Discussion thread 4 (python-dev)
|
||
(https://mail.python.org/pipermail/python-dev/2013-September/128780.html)
|
||
|
||
.. [5] Discussion thread 5 (python-dev)
|
||
(https://mail.python.org/pipermail/python-dev/2013-September/128894.html)
|
||
|
||
.. [#cert-verification] pip/requests certificate management concerns
|
||
(https://mail.python.org/pipermail/python-dev/2013-October/129755.html)
|
||
|
||
.. [#windows-incompatibility] Windows installer compatibility concerns
|
||
(https://mail.python.org/pipermail/distutils-sig/2013-October/022855.html)
|
||
|
||
.. [#ubuntu] `Ubuntu <http://www.ubuntu.com/>`
|
||
.. [#debian] `Debian <http://www.debian.org>`
|
||
.. [#fedora] `Fedora <https://fedoraproject.org/>`
|
||
.. [#homebrew] `Homebrew <http://brew.sh/>`
|
||
.. [#macports] `MacPorts <http://macports.org>`
|
||
.. [#fink] `Fink <http://finkproject.org>`
|
||
.. [#ContinuumIO] `Anaconda <https://store.continuum.io/cshop/anaconda/>`
|
||
.. [#ActiveState] `ActivePython <http://www.activestate.com/activepython>`
|
||
.. [#Enthought] `Enthought Canopy <https://www.enthought.com/products/canopy/>`
|
||
|
||
Copyright
|
||
=========
|
||
|
||
This document has been placed in the public domain.
|
||
|
||
|
||
|
||
..
|
||
Local Variables:
|
||
mode: indented-text
|
||
indent-tabs-mode: nil
|
||
sentence-end-double-space: t
|
||
fill-column: 70
|
||
coding: utf-8
|
||
End:
|