1056 lines
48 KiB
Plaintext
1056 lines
48 KiB
Plaintext
PEP: 453
|
|
Title: Explicit bootstrapping of pip in Python installations
|
|
Author: Donald Stufft <donald@stufft.io>,
|
|
Nick Coghlan <ncoghlan@gmail.com>
|
|
BDFL-Delegate: Martin von Löwis
|
|
Status: Final
|
|
Type: Standards Track
|
|
Content-Type: text/x-rst
|
|
Created: 10-Aug-2013
|
|
Post-History: 30-Aug-2013, 15-Sep-2013, 18-Sep-2013, 19-Sep-2013,
|
|
23-Sep-2013, 29-Sep-2013, 13-Oct-2013, 20-Oct-2013
|
|
Resolution: https://mail.python.org/pipermail/python-dev/2013-October/129810.html
|
|
|
|
|
|
Abstract
|
|
========
|
|
|
|
This PEP proposes that the
|
|
`Installing Python Modules <http://docs.python.org/3/install>`__ guide in
|
|
Python 2.7, 3.3 and 3.4 be updated to officially recommend the use of ``pip``
|
|
as the default installer for Python packages, and that appropriate technical
|
|
changes be made in Python 3.4 to provide ``pip`` by default in support of
|
|
that recommendation.
|
|
|
|
|
|
PEP Acceptance
|
|
==============
|
|
|
|
This PEP was accepted for inclusion in Python 3.4 by Martin von Löwis on
|
|
Tuesday 22nd October, 2013.
|
|
|
|
`Issue 19347 <https://github.com/python/cpython/issues/63546>`__ has been created to
|
|
track the implementation of this PEP.
|
|
|
|
|
|
Rationale
|
|
=========
|
|
|
|
There are two related, but distinct rationales for the proposal in this
|
|
PEP. The first relates to the experience of new users, while the second
|
|
relates to better enabling the evolution of the broader Python packaging
|
|
ecosystem.
|
|
|
|
|
|
Improving the new user experience
|
|
---------------------------------
|
|
|
|
Currently, on systems without a platform package manager and repository,
|
|
installing a third-party Python package into a freshly installed Python
|
|
requires first identifying an appropriate package manager and then
|
|
installing it.
|
|
|
|
Even on systems that *do* have a platform package manager, it is unlikely to
|
|
include every package that is available on the Python Package Index, and
|
|
even when a desired third-party package is available, the correct name in
|
|
the platform package manager may not be clear.
|
|
|
|
This means that, to work effectively with the Python Package Index
|
|
ecosystem, users must know which package manager to install, where to get
|
|
it, and how to install it. The effect of this is that third-party Python
|
|
projects are currently required to choose from a variety of undesirable
|
|
alternatives:
|
|
|
|
* Assume the user already has a suitable cross-platform package manager
|
|
installed.
|
|
* Duplicate the instructions and tell their users how to install the
|
|
package manager.
|
|
* Completely forgo the use of dependencies to ease installation concerns
|
|
for their users.
|
|
|
|
All of these available options have significant drawbacks.
|
|
|
|
If a project simply assumes a user already has the tooling then beginning
|
|
users may get a confusing error message when the installation command
|
|
doesn't work. Some operating systems may ease this pain by providing a
|
|
global hook that looks for commands that don't exist and suggest an OS
|
|
package they can install to make the command work, but that only works
|
|
on systems with platform package managers that include a package that
|
|
provides the relevant cross-platform installer command (such as many major
|
|
Linux distributions). No such assistance is available for Windows and
|
|
Mac OS X users, or more conservative Linux distributions. The challenges
|
|
of dealing with this problem for beginners (who are often also completely
|
|
new to programming, the use of command line tools and editing system
|
|
environment variables) are a regular feature of feedback the core Python
|
|
developers receive from professional educators and others introducing new
|
|
users to Python.
|
|
|
|
If a project chooses to duplicate the installation instructions and tell
|
|
their users how to install the package manager before telling them how to
|
|
install their own project then whenever these instructions need updates
|
|
they need updating by every project that has duplicated them. This is
|
|
particular problematic when there are multiple competing installation
|
|
tools available, and different projects recommend different tools.
|
|
|
|
This specific problem can be partially alleviated by strongly promoting
|
|
``pip`` as the default installer and recommending that other projects
|
|
reference `pip's own bootstrapping instructions
|
|
<http://www.pip-installer.org/en/latest/installing.html>`__ rather than
|
|
duplicating them. However the user experience created by this approach
|
|
still isn't particularly good (although there is an effort under way to
|
|
create a combined Windows installer for ``pip`` and its dependencies that
|
|
should improve matters on that platform, and Mac OS X and \*nix platforms
|
|
generally have ``wget`` and hence the ability to easily download and run the
|
|
bootstrap scripts from the command line).
|
|
|
|
The projects that have decided to forgo dependencies altogether are forced
|
|
to either duplicate the efforts of other projects by inventing their own
|
|
solutions to problems or are required to simply include the other projects
|
|
in their own source trees. Both of these options present their own problems
|
|
either in duplicating maintenance work across the ecosystem or potentially
|
|
leaving users vulnerable to security issues because the included code or
|
|
duplicated efforts are not automatically updated when upstream releases a new
|
|
version.
|
|
|
|
By officially recommending and providing by default a specific cross-platform
|
|
package manager it will be easier for users trying to install these
|
|
third-party packages as well as easier for the people distributing them as
|
|
they should now be able to safely assume that most users will have the
|
|
appropriate installation tools available (or access to clear instructions on
|
|
how to obtain them). This is expected to become more important in the future
|
|
as the :pep:`Wheel <427>` package format (deliberately) does not have a built in
|
|
"installer" in the form of ``setup.py`` so users wishing to install
|
|
from a wheel file will want an installer even in the simplest cases.
|
|
|
|
Reducing the burden of actually installing a third-party package should
|
|
also decrease the pressure to add every useful module to the standard
|
|
library. This will allow additions to the standard library to focus more
|
|
on why Python should have a particular tool out of the box, and why it
|
|
is reasonable for that package to adopt the standard library's 18-24 month
|
|
feature release cycle, instead of using the general difficulty of installing
|
|
third-party packages as justification for inclusion.
|
|
|
|
Providing a standard installation system also helps with bootstrapping
|
|
alternate build and installer systems, such as ``zc.buildout``, ``hashdist``
|
|
and ``conda``. So long as ``pip install <tool>`` works, then a standard
|
|
Python-specific installer provides a reasonably secure, cross platform
|
|
mechanism to get access to these utilities.
|
|
|
|
|
|
Enabling the evolution of the broader Python packaging ecosystem
|
|
----------------------------------------------------------------
|
|
|
|
As no new packaging standard can achieve widespread adoption without a
|
|
transition strategy that covers the versions of Python that are in
|
|
widespread *current* use (rather than merely future versions, like most
|
|
language features), the change proposed in this PEP is considered a
|
|
necessary step in the evolution of the Python packaging ecosystem
|
|
|
|
The broader community has embraced the Python Package Index as a mechanism
|
|
for distributing and installing Python software, but the different concerns
|
|
of language evolution and secure software distribution mean that a faster
|
|
feature release cycle that encompasses older versions is needed to properly
|
|
support the latter.
|
|
|
|
In addition, the core CPython development team have the luxury of
|
|
dropping support for earlier Python versions well before the rest of the
|
|
community, as downstream commercial redistributors pick up the task of
|
|
providing support for those versions to users that still need it, while
|
|
many third party libraries maintain compatibility with those versions as
|
|
long as they remain in widespread use.
|
|
|
|
This means that the current ``setup.py install`` based model for package
|
|
installation poses serious difficulties for the development and adoption
|
|
of new packaging standards, as, depending on how a project writes their
|
|
``setup.py`` file, the installation command (along with other operations)
|
|
may end up invoking the standard library's ``distutils`` package.
|
|
|
|
As an indicator of how this may cause problems for the broader ecosystem,
|
|
consider that the feature set of ``distutils`` in Python 2.6 was frozen
|
|
in June 2008 (with the release of Python 2.6b1), while the feature set of
|
|
``distutils`` in Python 2.7 was frozen in April 2010 (with the release of
|
|
Python 2.7b1).
|
|
|
|
By contrast, using a separate installer application like ``pip`` (which
|
|
ensures that even ``setup.py`` files that invoke ``distutils`` directly
|
|
still support the new packaging standards) makes it possible to support
|
|
new packaging standards in older versions of Python, just by upgrading
|
|
``pip`` (which receives new feature releases roughly every 6 months). The
|
|
situation on older versions of Python is further improved by making it
|
|
easier for end users to install and upgrade newer build systems like
|
|
``setuptools`` or improved PyPI upload utilities like ``twine``.
|
|
|
|
It is not coincidental that this proposed model of using a separate installer
|
|
program with more metadata heavy and less active distribution formats matches
|
|
that used by most operating systems (including Windows since the introduction
|
|
of the installer service and the MSI file format), as well as many other
|
|
language specific installers.
|
|
|
|
For Python 2.6, this compatibility issue is largely limited to various
|
|
enterprise Linux distributions (and their downstream derivatives). These
|
|
distributions often have even slower update cycles than CPython, so they
|
|
offer full support for versions of Python that are considered "security
|
|
fix only" versions upstream (and sometimes may even be to the point where
|
|
the core development team no longer support them at all - you can still get
|
|
commercial support for Python 2.3 if you really need it!).
|
|
|
|
In practice, the fact that tools like ``wget`` and ``curl`` are readily
|
|
available on Linux systems, that most users of Python on Linux are
|
|
already familiar with the command line, and that most Linux distributions
|
|
ship with a default configuration that makes running Python scripts easy,
|
|
means that the existing ``pip`` bootstrapping instructions for any \*nix
|
|
system are already quite straightforward. Even if ``pip`` isn't provided by
|
|
the system package manager, then using ``wget`` or ``curl`` to retrieve the
|
|
bootstrap script from www.pip-installer.org and then running it is just a
|
|
couple of shell commands that can easily be copied and pasted as necessary.
|
|
|
|
Accordingly, for any version of Python on any \*nix system, the need to
|
|
bootstrap ``pip`` in older versions isn't considered a major barrier to
|
|
adoption of new packaging standards, since it's just one more small
|
|
speedbump encountered by users of these long term stable releases. For
|
|
\*nix systems, this PEP's formal endorsement of ``pip`` as the preferred
|
|
default packaging tool is seen as more important than the underlying
|
|
technical details involved in making ``pip`` available by default, since
|
|
it shifts the nature of the conversation between the developers of ``pip``
|
|
and downstream repackagers of both ``pip`` and CPython.
|
|
|
|
For Python 2.7, on the other hand, the compatibility issue for adopting new
|
|
metadata standards is far more widespread, as it affects the python.org
|
|
binary installers for Windows and Mac OS X, as well as even relatively
|
|
fast moving \*nix platforms.
|
|
|
|
Firstly, and unlike Python 2.6, Python 2.7 is still a fully supported
|
|
upstream version, and will remain so until the release of Python 2.7.9
|
|
(currently scheduled for May 2015), at which time it is expected to enter
|
|
the usual "security fix only" mode. That means there are at least another
|
|
19 months where Python 2.7 is a deployment target for Python applications
|
|
that enjoys full upstream support. Even after the core development team
|
|
switches 2.7 to security release only mode in 2015, Python 2.7 will likely
|
|
remain a commercially supported legacy target out beyond 2020.
|
|
|
|
While Python 3 already presents a compelling alternative over Python 2 for
|
|
*new* Python applications and deployments without an existing investment
|
|
in Python 2 and without a dependency on specific Python 2 only third party
|
|
modules (a set which is getting ever smaller over time), it is going to take
|
|
longer to create compelling business cases to update existing Python 2.7
|
|
based infrastructure to Python 3, especially in situations where the culture
|
|
of automated testing is weak (or nonexistent), making it difficult to
|
|
effectively use the available migration utilities.
|
|
|
|
While this PEP only proposes documentation changes for Python 2.7, once
|
|
``pip`` has a Windows installer available, a separate PEP will be created
|
|
and submitted proposing the creation and distribution of aggregate installers
|
|
for future CPython 2.7 maintenance releases that combine the CPython,
|
|
``pip`` and Python Launcher for Windows installers into a single download
|
|
(the separate downloads would still remain available - the aggregate
|
|
installers would be provided as a convenience, and as a clear indication
|
|
of the recommended operating environment for Python in Windows systems).
|
|
|
|
|
|
Why pip?
|
|
--------
|
|
|
|
``pip`` has been chosen as the preferred default installer, as it is an
|
|
already popular tool that addresses several design and user experience
|
|
issues with its predecessor ``easy_install`` (these issues can't readily
|
|
be fixed in ``easy_install`` itself due to backwards compatibility
|
|
concerns). ``pip`` is also well suited to working within the bounds of
|
|
a single Python runtime installation (including associated virtual
|
|
environments), which is a desirable feature for a tool bundled with CPython.
|
|
|
|
Other tools like ``zc.buildout`` and ``conda`` are more ambitious in their
|
|
aims (and hence substantially better than ``pip`` at handling external
|
|
binary dependencies), so it makes sense for the Python ecosystem to treat
|
|
them more like platform package managers to interoperate with rather than
|
|
as the default cross-platform installation tool. This relationship is
|
|
similar to that between ``pip`` and platform package management systems
|
|
like ``apt`` and ``yum`` (which are also designed to handle arbitrary
|
|
binary dependencies).
|
|
|
|
|
|
Proposal Overview
|
|
=================
|
|
|
|
This PEP proposes that the
|
|
`Installing Python Modules <http://docs.python.org/3/install>`__ guide be
|
|
updated to officially recommend the use of ``pip`` as the default
|
|
installer for Python packages, rather than the current approach of
|
|
recommending the direct invocation of the ``setup.py install`` command.
|
|
|
|
However, to avoid recommending a tool that CPython does not provide, it is
|
|
further proposed that the `pip`_ package manager be made available by
|
|
default when installing CPython 3.4 or later and when creating virtual
|
|
environments using the standard library's ``venv`` module via the
|
|
``pyvenv`` command line utility.
|
|
|
|
To support that end, this PEP proposes the inclusion of an ``ensurepip``
|
|
bootstrapping module in Python 3.4, as well as automatic invocation of that
|
|
module from ``pyvenv`` and changes to the way Python installed scripts are
|
|
handled on Windows. Using a bootstrap module rather than providing ``pip``
|
|
directly helps to clearly demarcate development responsibilities, and to
|
|
avoid inadvertently downgrading ``pip`` when updating CPython.
|
|
|
|
To provide clear guidance for new users of Python that may not be
|
|
starting with the latest release, this PEP also proposes that the
|
|
"Installing Python Modules" guides in Python 2.7 and 3.3 be updated to
|
|
recommend installing and using ``pip``, rather than invoking ``distutils``
|
|
directly. It does *not* propose backporting any of the code changes that
|
|
are being proposed for Python 3.4.
|
|
|
|
Finally, the PEP also strongly recommends that CPython redistributors and
|
|
other Python implementations ensure that ``pip`` is available by default, or
|
|
at the very least, explicitly document the fact that it is not included.
|
|
|
|
This PEP does *not* propose making pip (or any dependencies) directly
|
|
available as part of the standard library. Instead, pip will be a
|
|
bundled application provided along with CPython for the convenience
|
|
of Python users, but subject to its own development life cycle and able
|
|
to be upgraded independently of the core interpreter and standard library.
|
|
|
|
|
|
Explicit bootstrapping mechanism
|
|
================================
|
|
|
|
An additional module called ``ensurepip`` will be added to the standard
|
|
library whose purpose is to install pip and any of its dependencies into the
|
|
appropriate location (most commonly site-packages). It will expose a
|
|
callable named ``bootstrap()`` as well as offer direct execution via
|
|
``python -m ensurepip``.
|
|
|
|
The bootstrap will *not* contact PyPI, but instead rely on a private copy
|
|
of pip stored inside the standard library. Accordingly, only options
|
|
related to the installation location will be supported (``--user``,
|
|
``--root``, etc).
|
|
|
|
It is considered desirable that users be strongly encouraged to use the
|
|
latest available version of ``pip``, in order to take advantage of the
|
|
ongoing efforts to improve the security of the PyPI based ecosystem, as
|
|
well as benefiting from the efforts to improve the speed, reliability and
|
|
flexibility of that ecosystem.
|
|
|
|
In order to satisfy this goal of providing the most recent version of
|
|
``pip`` by default, the private copy of ``pip`` will be updated in CPython
|
|
maintenance releases, which should align well with the 6-month cycle used
|
|
for new ``pip`` releases.
|
|
|
|
|
|
Security considerations
|
|
-----------------------
|
|
|
|
The design in this PEP has been deliberately chosen to avoid making any
|
|
significant changes to the trust model of CPython for end users that do
|
|
not subsequently run the command ``pip install --upgrade pip``.
|
|
|
|
The installers will contain all the components of a fully functioning
|
|
version of Python, including the ``pip`` installer. The installation
|
|
process will *not* require network access, and will *not* rely on
|
|
trusting the security of the network connection established between
|
|
``pip`` and the Python package index.
|
|
|
|
Only users that choose to use ``pip`` to communicate with PyPI will
|
|
need to pay attention to the additional security considerations that come
|
|
with doing so.
|
|
|
|
However, the core CPython team will still assist with reviewing and
|
|
resolving at least the `certificate update management issue
|
|
<https://github.com/kennethreitz/requests/issues/1659>`__ currently
|
|
affecting the ``requests`` project (and hence ``pip``), and may also be
|
|
able to offer assistance in resolving other identified security concerns
|
|
[#cert-verification]_.
|
|
|
|
|
|
Reliability considerations
|
|
--------------------------
|
|
|
|
By including the bootstrap as part of the standard library (rather than
|
|
solely as a feature of the binary installers), the correct operation of
|
|
the bootstrap command can be easily tested using the existing CPython
|
|
buildbot infrastructure rather than adding significantly to the testing
|
|
burden for the installers themselves.
|
|
|
|
|
|
Implementation strategy
|
|
-----------------------
|
|
|
|
To ensure there is no need for network access when installing Python or
|
|
creating virtual environments, the ``ensurepip`` module will, as an
|
|
implementation detail, include a complete private copy of pip and its
|
|
dependencies which will be used to extract pip and install it into the target
|
|
environment. It is important to stress that this private copy of pip is
|
|
*only* an implementation detail and it should *not* be relied on or
|
|
assumed to exist beyond the public capabilities exposed through the
|
|
``ensurepip`` module (and indirectly through ``venv``).
|
|
|
|
There is not yet a reference ``ensurepip`` implementation. The existing
|
|
``get-pip.py`` bootstrap script demonstrates an earlier variation of the
|
|
general concept, but the standard library version would take advantage of
|
|
the improved distribution capabilities offered by the CPython installers
|
|
to include private copies of ``pip`` and ``setuptools`` as wheel files
|
|
(rather than as embedded base64 encoded data), and would not try to
|
|
contact PyPI (instead installing directly from the private wheel files).
|
|
|
|
Rather than including separate code to handle the bootstrapping, the
|
|
``ensurepip`` module will manipulate ``sys.path`` appropriately to allow
|
|
the wheel files to be used to install themselves, either into the current
|
|
Python installation or into a virtual environment (as determined by the
|
|
options passed to the bootstrap command).
|
|
|
|
It is proposed that the implementation be carried out in five separate
|
|
steps (all steps after the first two are independent of each other and
|
|
can be carried out in any order):
|
|
|
|
* the first step would update the "Installing Python Modules" documentation
|
|
to recommend the use of ``pip`` and reference the ``pip`` team's
|
|
instructions for downloading and installing it. This change would be
|
|
applied to Python 2.7, 3.3, and 3.4.
|
|
* the ``ensurepip`` module and the private copies of the most recently
|
|
released versions of pip and setuptools would be added to Python 3.4
|
|
and the 3.4 "Installing Python Modules" documentation updated accordingly.
|
|
* the CPython Windows installer would be updated to offer the new ``pip``
|
|
installation option for Python 3.4.
|
|
* the CPython Mac OS X installer would be updated to offer the new ``pip``
|
|
installation option for Python 3.4.
|
|
* the ``venv`` module and ``pyvenv`` command would be updated to make use
|
|
of ``ensurepip`` in Python 3.4
|
|
* the PATH handling on Windows would be updated for Python 3.4+
|
|
|
|
|
|
Integration timeline
|
|
--------------------
|
|
|
|
If this PEP is accepted, the proposed time frame for integration of ``pip``
|
|
into the CPython release is as follows:
|
|
|
|
* as soon as possible after the release of 3.4.0 alpha 4
|
|
|
|
* Documentation updated and ``ensurepip`` implemented based on a
|
|
pre-release version of ``pip`` 1.5.
|
|
|
|
* All other proposed functional changes for Python 3.4 implemented,
|
|
including the installer updates to invoke ``ensurepip``.
|
|
|
|
* by November 20th (3 days prior to the scheduled date of 3.4.0 beta 1)
|
|
|
|
* ``ensurepip`` updated to use a ``pip`` 1.5 release candidate.
|
|
|
|
* :pep:`101` updated to cover ensuring the bundled version of ``pip`` is up
|
|
to date.
|
|
|
|
* by November 24th (scheduled date of 3.4.0 beta 1)
|
|
|
|
* As with any other new feature, all proposed functional changes for
|
|
Python 3.4 must be implemented prior to the beta feature freeze.
|
|
|
|
* by December 29th (1 week prior to the scheduled date of 3.4.0 beta 2)
|
|
|
|
* ``requests`` certificate management issue resolved
|
|
* ``ensurepip`` updated to the final release of ``pip`` 1.5, or a
|
|
subsequent maintenance release (including a suitably updated vendored
|
|
copy of ``requests``)
|
|
|
|
(See :pep:`429` for the current official scheduled dates of each release. Dates
|
|
listed above are accurate as of October 20th, 2013.)
|
|
|
|
If there is no final or maintenance release of ``pip`` 1.5 with a suitable
|
|
updated version of ``requests`` available by one week before the scheduled
|
|
Python 3.4 beta 2 release, then implementation of this PEP will
|
|
be deferred to Python 3.5. Note that this scenario is considered unlikely -
|
|
the tentative date for the ``pip`` 1.5 release is currently December 1st.
|
|
|
|
In future CPython releases, this kind of coordinated scheduling shouldn't be
|
|
needed: the CPython release manager will be able to just update to the latest
|
|
released version of ``pip``. However, in this case, some fixes are needed in
|
|
``pip`` in order to allow the bundling to work correctly, and the
|
|
certificate update mechanism for ``requests`` needs to be improved, so the
|
|
``pip`` 1.5 release cycle needs to be properly aligned with the CPython 3.4
|
|
beta releases.
|
|
|
|
|
|
Proposed CLI
|
|
------------
|
|
|
|
The proposed CLI is based on a subset of the existing ``pip install``
|
|
options::
|
|
|
|
Usage:
|
|
python -m ensurepip [options]
|
|
|
|
General Options:
|
|
-h, --help Show help.
|
|
-v, --verbose Give more output. Option is additive, and can be used up to 3 times.
|
|
-V, --version Show the pip version that would be extracted and exit.
|
|
-q, --quiet Give less output.
|
|
|
|
Installation Options:
|
|
-U, --upgrade Upgrade pip and dependencies, even if already installed
|
|
--user Install using the user scheme.
|
|
--root <dir> Install everything relative to this alternate root directory.
|
|
|
|
In most cases, end users won't need to use this CLI directly, as ``pip``
|
|
should have been installed automatically when installing Python or when
|
|
creating a virtual environment. However, it is formally documented as a
|
|
public interface to support at least these known use cases:
|
|
|
|
* Windows and Mac OS X installations where the "Install pip" option was
|
|
*not* chosen during installation
|
|
* any installation where the user previously ran "pip uninstall pip"
|
|
|
|
Users that want to retrieve the latest version from PyPI, or otherwise
|
|
need more flexibility, can then invoke the extracted ``pip`` appropriately.
|
|
|
|
|
|
Proposed module API
|
|
-------------------
|
|
|
|
The proposed ``ensurepip`` module API consists of the following two
|
|
functions::
|
|
|
|
def version():
|
|
"""
|
|
Returns a string specifying the bundled version of pip.
|
|
"""
|
|
|
|
def bootstrap(root=None, upgrade=False, user=False, verbosity=0):
|
|
"""
|
|
Bootstrap pip into the current Python installation (or the given root
|
|
directory).
|
|
"""
|
|
|
|
|
|
Invocation from the CPython installers
|
|
--------------------------------------
|
|
|
|
The CPython Windows and Mac OS X installers will each gain a new option:
|
|
|
|
* Install pip (the default Python package management utility)?
|
|
|
|
This option will be checked by default.
|
|
|
|
If the option is checked, then the installer will invoke the following
|
|
command with the just installed Python::
|
|
|
|
python -m ensurepip --upgrade
|
|
|
|
This ensures that, by default, installing or updating CPython will ensure
|
|
that the installed version of pip is at least as recent as the one included
|
|
with that version of CPython. If a newer version of pip has already been
|
|
installed then ``python -m ensurepip --upgrade`` will simply return without
|
|
doing anything.
|
|
|
|
|
|
Installing from source
|
|
----------------------
|
|
|
|
Just as the prebuilt binary installers will be updated to run
|
|
``python -m ensurepip`` by default, a similar change will be made to the
|
|
``make install`` and ``make altinstall`` commands of the source
|
|
distribution. The directory settings in the ``sysconfig`` module should
|
|
ensure the ``pip`` components are automatically installed to the expected
|
|
locations.
|
|
|
|
``ensurepip`` itself (including the private copy of ``pip`` and its
|
|
dependencies) will always be installed normally (as it is a regular
|
|
part of the standard library), but an option will be provided to skip
|
|
the invocation of ``ensurepip``.
|
|
|
|
This means that even installing from source will provide ``pip`` by default,
|
|
but redistributors provide ``pip`` by other means (or not providing it at
|
|
all) will still be able to opt out of installing it using ``ensurepip``.
|
|
|
|
|
|
Changes to virtual environments
|
|
-------------------------------
|
|
|
|
Python 3.3 included a standard library approach to virtual Python environments
|
|
through the ``venv`` module. Since its release it has become clear that very
|
|
few users have been willing to use this feature directly, in part due to the
|
|
lack of an installer present by default inside of the virtual environment.
|
|
They have instead opted to continue using the ``virtualenv`` package which
|
|
*does* include pip installed by default.
|
|
|
|
To make the ``venv`` more useful to users it will be modified to issue the
|
|
pip bootstrap by default inside of the new environment while creating it. This
|
|
will allow people the same convenience inside of the virtual environment as
|
|
this PEP provides outside of it as well as bringing the ``venv`` module closer
|
|
to feature parity with the external ``virtualenv`` package, making it a more
|
|
suitable replacement.
|
|
|
|
To handle cases where a user does not wish to have pip bootstrapped into
|
|
their virtual environment a ``--without-pip`` option will be
|
|
added.
|
|
|
|
The ``venv.EnvBuilder`` and ``venv.create`` APIs will be updated to accept
|
|
one new parameter: ``with_pip`` (defaulting to ``False``).
|
|
|
|
The new default for the module API is chosen for backwards compatibility
|
|
with the current behaviour (as it is assumed that most invocation of the
|
|
``venv`` module happens through third part tools that likely will not
|
|
want ``pip`` installed without explicitly requesting it), while the
|
|
default for the command line interface is chosen to try to ensure ``pip``
|
|
is available in most virtual environments without additional action on the
|
|
part of the end user.
|
|
|
|
As this change will only benefit Python 3.4 and later versions, the
|
|
third-party ``virtualenv`` project will still be needed to obtain a
|
|
consistent cross-version experience in Python 3.3 and 2.7.
|
|
|
|
|
|
Documentation
|
|
-------------
|
|
|
|
The "Installing Python Modules" section of the standard library
|
|
documentation in Python 2.7, 3.3 and 3.4 will be updated to recommend
|
|
the use of the ``pip`` installer, either provided by default in Python 3.4
|
|
or retrieved and installed by the user in Python 2.7 or 3.3. It will give
|
|
a brief description of the most common commands and options, but delegate
|
|
to the externally maintained ``pip`` documentation for the full details.
|
|
|
|
In Python 3.4, the ``pyvenv`` and ``venv`` documentation will also be
|
|
updated to reference the revised module installation guide.
|
|
|
|
The existing content of the module installation guide will be retained in
|
|
all versions, but under a new "Invoking distutils directly" subsection.
|
|
|
|
|
|
Bundling CA certificates with CPython
|
|
-------------------------------------
|
|
|
|
The ``ensurepip`` implementation will include the ``pip`` CA bundle along
|
|
with the rest of ``pip``. This means CPython effectively includes
|
|
a CA bundle that is used solely by ``pip`` after it has been extracted.
|
|
|
|
This is considered preferable to relying solely on the system
|
|
certificate stores, as it ensures that ``pip`` will behave the same
|
|
across all supported versions of Python, even those prior to Python 3.4
|
|
that cannot access the system certificate store on Windows.
|
|
|
|
|
|
Automatic installation of setuptools
|
|
------------------------------------
|
|
|
|
``pip`` currently depends on ``setuptools`` to handle metadata generation
|
|
during the build process, along with some other features. While work is
|
|
ongoing to reduce or eliminate this dependency, it is not clear if that
|
|
work will be complete for pip 1.5 (which is the version likely to be current
|
|
when Python 3.4.0 is released).
|
|
|
|
This PEP proposes that, if pip still requires it as a dependency,
|
|
``ensurepip`` will include a private copy of ``setuptools`` (in addition
|
|
to the private copy of ``ensurepip``). ``python -m ensurepip`` will then
|
|
install the private copy in addition to installing ``pip`` itself.
|
|
|
|
However, this behavior is officially considered an implementation
|
|
detail. Other projects which explicitly require ``setuptools`` must still
|
|
provide an appropriate dependency declaration, rather than assuming
|
|
``setuptools`` will always be installed alongside ``pip``.
|
|
|
|
The private copy of ``setuptools`` will be removed from ``ensurepip``
|
|
once it is no longer needed. This is likely to be at the point when
|
|
``get-pip.py`` stops installing ``setuptools`` by default.
|
|
As long as setuptools is needed, it will be a completely unmodified copy of
|
|
the latest upstream setuptools release, including the ``easy_install``
|
|
script if the upstream setuptools continues to include it. The installation
|
|
of ``easy_install`` along with ``pip`` isn't considered desirable, but
|
|
installing a broken setuptools would be worse. This problem will
|
|
naturally resolve itself once the ``pip`` developers have managed to
|
|
eliminate their dependency on ``setuptools`` and the private copy of
|
|
``setuptools`` can be removed entirely from CPython.
|
|
|
|
|
|
Updating the private copy of pip
|
|
--------------------------------
|
|
|
|
In order to keep up with evolutions in packaging as well as providing users
|
|
with as recent version a possible the ``ensurepip`` module will be
|
|
regularly updated to the latest versions of everything it bootstraps.
|
|
|
|
After each new ``pip`` release, and again during the preparation for any
|
|
release of Python (including feature releases), a script, provided as part
|
|
of the implementation for this PEP, will be run to ensure the private
|
|
copies stored in the CPython source repository have been updated to the
|
|
latest versions.
|
|
|
|
|
|
Updating the ensurepip module API and CLI
|
|
-----------------------------------------
|
|
|
|
Like ``venv`` and ``pyvenv``, the ``ensurepip`` module API and CLI
|
|
will be governed by the normal rules for the standard library: no
|
|
new features are permitted in maintenance releases.
|
|
|
|
However, the embedded components may be updated as noted above, so
|
|
the extracted ``pip`` may offer additional functionality in maintenance
|
|
releases.
|
|
|
|
|
|
Uninstallation
|
|
==============
|
|
|
|
No changes are proposed to the CPython uninstallation process by this PEP.
|
|
The bootstrapped pip will be installed the same way as any other pip
|
|
installed packages, and will be handled in the same way as any other
|
|
post-install additions to the Python environment.
|
|
|
|
At least on Windows, that means the bootstrapped files will be
|
|
left behind after uninstallation, since those files won't be associated
|
|
with the Python MSI installer.
|
|
|
|
While the case can be made for the CPython installers clearing out these
|
|
directories automatically, changing that behaviour is considered outside
|
|
the scope of this PEP.
|
|
|
|
|
|
Script Execution on Windows
|
|
===========================
|
|
|
|
While the Windows installer was updated in Python 3.3 to optionally
|
|
make ``python`` available on the PATH, no such change was made to
|
|
include the script installation directory returned by
|
|
``sysconfig.get_path("scripts")``.
|
|
|
|
Accordingly, in addition to adding the option to extract and install ``pip``
|
|
during installation, this PEP proposes that the Windows installer in
|
|
Python 3.4 and later be updated to also add the path returned by
|
|
``sysconfig.get_path("scripts")`` to the Windows PATH when the PATH
|
|
modification option is enabled during installation
|
|
|
|
Note that this change will only be available in Python 3.4 and later.
|
|
|
|
This means that, for Python 3.3, the most reliable way to invoke pip globally
|
|
on Windows (without tinkering manually with PATH) will still remain
|
|
``py -m pip`` (or ``py -3 -m pip`` to select the Python 3 version if both
|
|
Python 2 and 3 are installed) rather than simply calling ``pip``. This
|
|
works because Python 3.3 provides the Python Launcher for
|
|
Windows (and the associated ``py`` command) by default.
|
|
|
|
For Python 2.7 and 3.2, the most reliable mechanism will be to install the
|
|
Python Launcher for Windows using the standalone installer and then use
|
|
``py -m pip`` as noted above.
|
|
|
|
Adding the scripts directory to the system PATH will mean that ``pip``
|
|
works reliably in the "only one Python installation on the system PATH"
|
|
case, with ``py -m pip``, ``pipX``, or ``pipX.Y`` needed only to select a
|
|
non-default version in the parallel installation case (and outside a virtual
|
|
environment). This change should also make the ``pyvenv`` command substantially
|
|
easier to invoke on Windows, along with all scripts installed by ``pip``,
|
|
``easy_install`` and similar tools.
|
|
|
|
While the script invocations on recent versions of Python will run through
|
|
the Python launcher for Windows, this shouldn't cause any issues, as long
|
|
as the Python files in the Scripts directory correctly specify a Python version
|
|
in their shebang line or have an adjacent Windows executable (as
|
|
``easy_install`` and ``pip`` do).
|
|
|
|
|
|
Recommendations for Downstream Distributors
|
|
===========================================
|
|
|
|
A common source of Python installations are through downstream distributors
|
|
such as the various Linux Distributions [#ubuntu]_ [#debian]_ [#fedora]_, OSX
|
|
package managers [#homebrew]_ [#macports]_ [#fink]_, and commercial Python
|
|
redistributors [#ContinuumIO]_ [#ActiveState]_ [#Enthought]_. In order to
|
|
provide a consistent, user-friendly experience to all users of Python
|
|
regardless of how they obtained Python this PEP recommends and asks that
|
|
downstream distributors:
|
|
|
|
* Ensure that whenever Python is installed ``pip`` is either installed or is
|
|
otherwise made readily available to end users.
|
|
|
|
* For redistributors using binary installers, this may take the form of
|
|
optionally executing the ``ensurepip`` bootstrap during installation,
|
|
similar to the CPython installers.
|
|
* For redistributors using package management systems, it may take the
|
|
form of separate packages with dependencies on each other so that
|
|
installing the Python package installs the pip package and installing
|
|
the pip package installs the Python package.
|
|
* Another reasonable way to implement this is to package pip separately but
|
|
ensure that there is some sort of global hook that will recommend
|
|
installing the separate pip package when a user executes ``pip`` without
|
|
it being installed. Systems that choose this option should ensure that
|
|
the ``ensurepip`` module still installs pip directly when invoked inside
|
|
a virtual environment, but may modify the module in the system Python
|
|
installation to redirect to the platform provided mechanism when
|
|
installing ``pip`` globally.
|
|
|
|
* Even if pip is made available globally by other means, do not remove the
|
|
``ensurepip`` module in Python 3.4 or later.
|
|
|
|
* ``ensurepip`` will be required for automatic installation of pip into
|
|
virtual environments by the ``venv`` module.
|
|
* This is similar to the existing ``virtualenv`` package for which many
|
|
downstream distributors have already made exception to the common
|
|
"debundling" policy.
|
|
* This does mean that if ``pip`` needs to be updated due to a security
|
|
issue, so does the private copy in the ``ensurepip`` bootstrap module
|
|
* However, altering the private copy of pip to remove the embedded
|
|
CA certificate bundle and rely on the system CA bundle instead is a
|
|
reasonable change.
|
|
|
|
* Ensure that all features of this PEP continue to work with any modifications
|
|
made to the redistributed version of Python.
|
|
|
|
* Checking the version of pip that will be bootstrapped using
|
|
``python -m ensurepip --version`` or ``ensurepip.version()``.
|
|
* Installation of pip into a global or virtual python environment using
|
|
``python -m ensurepip`` or ``ensurepip.bootstrap()``.
|
|
* ``pip install --upgrade pip`` in a global installation should not affect
|
|
any already created virtual environments (but is permitted to affect
|
|
future virtual environments, even though it will not do so when using
|
|
the standard implementation of ``ensurepip``).
|
|
* ``pip install --upgrade pip`` in a virtual environment should not affect
|
|
the global installation.
|
|
|
|
* Migrate build systems to utilize `pip`_ and :pep:`Wheel <427>`
|
|
wherever feasible
|
|
and avoid directly invoking ``setup.py``.
|
|
|
|
* This will help ensure a smoother and more timely migration to improved
|
|
metadata formats as the Python packaging ecosystem continues to evolve.
|
|
|
|
In the event that a Python redistributor chooses *not* to follow these
|
|
recommendations, we request that they explicitly document this fact and
|
|
provide their users with suitable guidance on translating upstream ``pip``
|
|
based installation instructions into something appropriate for the platform.
|
|
|
|
Other Python implementations are also encouraged to follow these guidelines
|
|
where applicable.
|
|
|
|
|
|
Policies & Governance
|
|
=====================
|
|
|
|
The maintainers of the bootstrapped software and the CPython core team will
|
|
work together in order to address the needs of both. The bootstrapped
|
|
software will still remain external to CPython and this PEP does not
|
|
include CPython subsuming the development responsibilities or design
|
|
decisions of the bootstrapped software. This PEP aims to decrease the
|
|
burden on end users wanting to use third-party packages and the
|
|
decisions inside it are pragmatic ones that represent the trust that the
|
|
Python community has already placed in the Python Packaging Authority as
|
|
the authors and maintainers of ``pip``, ``setuptools``, PyPI, ``virtualenv``
|
|
and other related projects.
|
|
|
|
|
|
Backwards Compatibility
|
|
-----------------------
|
|
|
|
The public API and CLI of the ``ensurepip`` module itself will fall under
|
|
the typical backwards compatibility policy of Python for its standard
|
|
library. The externally developed software that this PEP bundles does not.
|
|
|
|
Most importantly, this means that the bootstrapped version of pip may gain
|
|
new features in CPython maintenance releases, and pip continues to operate on
|
|
its own 6 month release cycle rather than CPython's 18-24 month cycle.
|
|
|
|
|
|
Security Releases
|
|
-----------------
|
|
|
|
Any security update that affects the ``ensurepip`` module will be shared
|
|
prior to release with the Python Security Response Team
|
|
(security@python.org). The PSRT will then decide if the reported issue
|
|
warrants a security release of CPython with an updated private copy of
|
|
``pip``.
|
|
|
|
|
|
Licensing
|
|
---------
|
|
|
|
``pip`` is currently licensed as 1 Clause BSD, and it contains code taken
|
|
from other projects. Additionally this PEP will include setuptools until
|
|
such time as pip no longer requires it. The licenses for these appear in
|
|
the table below.
|
|
|
|
================= ============
|
|
Project License
|
|
================= ============
|
|
requests Apache 2.0
|
|
six 1 Clause BSD
|
|
html5lib 1 Clause BSD
|
|
distlib PSF
|
|
colorama 3 Clause BSD
|
|
Mozilla CA Bundle LGPL
|
|
setuptools PSF
|
|
================= ============
|
|
|
|
All of these licenses should be compatible with the PSF license. Additionally
|
|
it is unclear if a CA Bundle is copyrightable material and thus if it needs
|
|
or can be licensed at all.
|
|
|
|
|
|
Appendix: Rejected Proposals
|
|
============================
|
|
|
|
|
|
Changing the name of the scripts directory on Windows
|
|
-----------------------------------------------------
|
|
|
|
Earlier versions of this PEP proposed changing the name of the script
|
|
installation directory on Windows from "Scripts" to "bin" in order to
|
|
improve the cross-platform consistency of the virtual environments created
|
|
by ``pyvenv``.
|
|
|
|
However, Paul Moore determined that this change was likely backwards
|
|
incompatible with cross-version Windows installers created with previous
|
|
versions of Python, so the change has been removed from this PEP
|
|
[#windows-incompatibility]_.
|
|
|
|
|
|
Including ensurepip in Python 2.7, and 3.3
|
|
------------------------------------------
|
|
|
|
Earlier versions of this PEP made the case that the challenges of getting
|
|
``pip`` bootstrapped for new users posed a significant enough barrier to
|
|
Python's future growth that it justified adding ``ensurepip`` as a new
|
|
feature in the upcoming Python 2.7 and 3.3 maintenance releases.
|
|
|
|
While the proposal to provide ``pip`` with Python 3.4 was universally
|
|
popular, this part of the proposal was highly controversial and ultimately
|
|
`rejected by MvL as BDFL-Delegate
|
|
<https://mail.python.org/pipermail/python-dev/2013-September/129091.html>`__.
|
|
|
|
Accordingly, the proposal to backport ``ensurepip`` to Python 2.7 and 3.3
|
|
has been removed from this PEP in favour of creating a Windows installer
|
|
for ``pip`` and a possible future PEP suggesting creation of an aggregate
|
|
installer for Python 2.7 that combines CPython 2.7, ``pip`` and the Python
|
|
Launcher for Windows.
|
|
|
|
|
|
Automatically contacting PyPI when bootstrapping pip
|
|
----------------------------------------------------
|
|
|
|
Earlier versions of this PEP called the bootstrapping module ``getpip`` and
|
|
defaulted to downloading and installing ``pip`` from PyPI, with the private
|
|
copy used only as a fallback option or when explicitly requested.
|
|
|
|
This resulted in several complex edge cases, along with difficulties in
|
|
defining a clean API and CLI for the bootstrap module. It also significantly
|
|
altered the default trust model for the binary installers published on
|
|
python.org, as end users would need to explicitly *opt-out* of trusting
|
|
the security of the PyPI ecosystem (rather than opting in to it by
|
|
explicitly invoking ``pip`` following installation).
|
|
|
|
As a result, the PEP was simplified to the current design, where the
|
|
bootstrapping *always* uses the private copy of ``pip``. Contacting PyPI
|
|
is now always an explicit separate step, with direct access to the full
|
|
pip interface.
|
|
|
|
Removing the implicit attempt to access PyPI also made it feasible to
|
|
invoke ``ensurepip`` by default when installing from a custom source build.
|
|
|
|
|
|
Implicit bootstrap
|
|
------------------
|
|
|
|
:pep:`439`, the predecessor for this PEP, proposes its own solution. Its
|
|
solution involves shipping a fake ``pip`` command that when executed would
|
|
implicitly bootstrap and install pip if it does not already exist. This has
|
|
been rejected because it is too "magical". It hides from the end user when
|
|
exactly the pip command will be installed or that it is being installed at
|
|
all. It also does not provide any recommendations or considerations towards
|
|
downstream packagers who wish to manage the globally installed pip through
|
|
the mechanisms typical for their system.
|
|
|
|
The implicit bootstrap mechanism also ran into possible permissions issues,
|
|
if a user inadvertently attempted to bootstrap pip without write access to
|
|
the appropriate installation directories.
|
|
|
|
|
|
Including pip directly in the standard library
|
|
----------------------------------------------
|
|
|
|
Similar to this PEP is the proposal of just including pip in the standard
|
|
library. This would ensure that Python always includes pip and fixes all of the
|
|
end user facing problems with not having pip present by default. This has been
|
|
rejected because we've learned, through the inclusion and history of
|
|
``distutils`` in the standard library, that losing the ability to update the
|
|
packaging tools independently can leave the tooling in a state of constant
|
|
limbo. Making it unable to ever reasonably evolve in a time frame that actually
|
|
affects users as any new features will not be available to the general
|
|
population for *years*.
|
|
|
|
Allowing the packaging tools to progress separately from the Python release
|
|
and adoption schedules allows the improvements to be used by *all* members
|
|
of the Python community and not just those able to live on the bleeding edge
|
|
of Python releases.
|
|
|
|
There have also been issues in the past with the "dual maintenance" problem
|
|
if a project continues to be maintained externally while *also* having a
|
|
fork maintained in the standard library. Since external maintenance of
|
|
``pip`` will always be needed to support earlier Python versions, the
|
|
proposed bootstrapping mechanism will becoming the explicit responsibility
|
|
of the CPython core developers (assisted by the pip developers), while
|
|
pip issues reported to the CPython tracker will be migrated to the pip
|
|
issue tracker. There will no doubt still be some user confusion over which
|
|
tracker to use, but hopefully less than has been seen historically when
|
|
including complete public copies of third-party projects in the standard
|
|
library.
|
|
|
|
The approach described in this PEP also avoids some technical issues
|
|
related to handling CPython maintenance updates when pip has been
|
|
independently updated to a more recent version. The proposed pip-based
|
|
bootstrapping mechanism handles that automatically, since pip and the
|
|
system installer never get into a fight about who owns the pip
|
|
installation (it is always managed through pip, either directly, or
|
|
indirectly via the ``ensurepip`` bootstrap module).
|
|
|
|
Finally, the separate bootstrapping step means it is also easy to avoid
|
|
installing ``pip`` at all if end users so desire. This is often the case
|
|
if integrators are using system packages to handle installation of
|
|
components written in multiple languages using a common set of tools.
|
|
|
|
|
|
Defaulting to --user installation
|
|
---------------------------------
|
|
|
|
Some consideration was given to bootstrapping pip into the per-user
|
|
site-packages directory by default. However, this behavior would be
|
|
surprising (as it differs from the default behavior of pip itself)
|
|
and is also not currently considered reliable (there are some edge cases
|
|
which are not handled correctly when pip is installed into the user
|
|
site-packages directory rather than the system site-packages).
|
|
|
|
|
|
.. _pip: http://www.pip-installer.org
|
|
.. _setuptools: https://pypi.python.org/pypi/setuptools
|
|
|
|
|
|
References
|
|
==========
|
|
|
|
* `Discussion thread 1 (distutils-sig)
|
|
<https://mail.python.org/pipermail/distutils-sig/2013-August/022529.html>`_
|
|
|
|
* `Discussion thread 2 (distutils-sig)
|
|
<https://mail.python.org/pipermail/distutils-sig/2013-September/022702.html>`_
|
|
|
|
* `Discussion thread 3 (python-dev)
|
|
<https://mail.python.org/pipermail/python-dev/2013-September/128723.html>`_
|
|
|
|
* `Discussion thread 4 (python-dev)
|
|
<https://mail.python.org/pipermail/python-dev/2013-September/128780.html>`_
|
|
|
|
* `Discussion thread 5 (python-dev)
|
|
<https://mail.python.org/pipermail/python-dev/2013-September/128894.html>`_
|
|
|
|
.. [#cert-verification] `pip/requests certificate management concerns
|
|
<https://mail.python.org/pipermail/python-dev/2013-October/129755.html>`_
|
|
|
|
.. [#windows-incompatibility] `Windows installer compatibility concerns
|
|
<https://mail.python.org/pipermail/distutils-sig/2013-October/022855.html>`_
|
|
|
|
.. [#ubuntu] `Ubuntu <http://www.ubuntu.com/>`__
|
|
.. [#debian] `Debian <http://www.debian.org>`__
|
|
.. [#fedora] `Fedora <https://fedoraproject.org/>`__
|
|
.. [#homebrew] `Homebrew <https://brew.sh/>`__
|
|
.. [#macports] `MacPorts <https://macports.org>`__
|
|
.. [#fink] `Fink <https://finkproject.org>`__
|
|
.. [#ContinuumIO] `Anaconda <https://www.anaconda.com/products/distribution>`__
|
|
.. [#ActiveState] `ActivePython <http://www.activestate.com/activepython>`__
|
|
.. [#Enthought] `Enthought Canopy <https://www.enthought.com/products/canopy/>`__
|
|
|
|
Copyright
|
|
=========
|
|
|
|
This document has been placed in the public domain.
|