PEP: 439 Title: Inclusion of implicit pip bootstrap in Python
installation Version: $Revision$ Last-Modified: $Date$ Author: Richard
Jones <richard@python.org> BDFL-Delegate: Alyssa Coghlan
<ncoghlan@gmail.com> Discussions-To: distutils-sig@python.org Status:
Rejected Type: Standards Track Topic: Packaging Content-Type: text/x-rst
Created: 18-Mar-2013 Python-Version: 3.4 Post-History: 19-Mar-2013
Resolution:
https://mail.python.org/pipermail/distutils-sig/2013-August/022527.html

Abstract

This PEP proposes the inclusion of a pip bootstrap executable in the
Python installation to simplify the use of 3rd-party modules by Python
users.

This PEP does not propose to include the pip implementation in the
Python standard library. Nor does it propose to implement any package
management or installation mechanisms beyond those provided by PEP 427
("The Wheel Binary Package Format 1.0") and TODO distlib PEP.

PEP Rejection

This PEP has been rejected in favour of a more explicit mechanism that
should achieve the same end result in a more reliable fashion. The more
explicit bootstrapping mechanism is described in PEP 453.

Rationale

Currently the user story for installing 3rd-party Python modules is not
as simple as it could be. It requires that all 3rd-party modules inform
the user of how to install the installer, typically via a link to the
installer. That link may be out of date or the steps required to perform
the install of the installer may be enough of a roadblock to prevent the
user from further progress.

Large Python projects which emphasise a low barrier to entry have shied
away from depending on third party packages because of the introduction
of this potential stumbling block for new users.

With the inclusion of the package installer command in the standard
Python installation the barrier to installing additional software is
considerably reduced. It is hoped that this will therefore increase the
likelihood that Python projects will reuse third party software.

The Python community also has an issue of complexity around the current
bootstrap procedure for pip and setuptools. They all have their own
bootstrap download file with slightly different usages and even refer to
each other in some cases. Having a single bootstrap which is common
amongst them all, with a simple usage, would be far preferable.

It is also hoped that this is reduces the number of proposals to include
more and more software in the Python standard library, and therefore
that more popular Python software is more easily upgradeable beyond
requiring Python installation upgrades.

Proposal

The bootstrap will install the pip implementation, setuptools by
downloading their installation files from PyPI.

This proposal affects two components of packaging: the pip bootstrap
and, thanks to easier package installation, modifications to publishing
packages.

The core of this proposal is that the user experience of using pip
should not require the user to install pip.

The pip bootstrap

The Python installation includes an executable called "pip3" (see PEP
394 for naming rationale etc.) that attempts to import pip machinery. If
it can then the pip command proceeds as normal. If it cannot it will
bootstrap pip by downloading the pip implementation and setuptools wheel
files. Hereafter the installation of the "pip implementation" will imply
installation of setuptools and virtualenv. Once installed, the pip
command proceeds as normal. Once the bootstrap process is complete the
"pip3" command is no longer the bootstrap but rather the full pip
command.

A bootstrap is used in the place of a the full pip code so that we don't
have to bundle pip and also pip is upgradeable outside of the regular
Python upgrade timeframe and processes.

To avoid issues with sudo we will have the bootstrap default to
installing the pip implementation to the per-user site-packages
directory defined in PEP 370 and implemented in Python 2.6/3.0. Since we
avoid installing to the system Python we also avoid conflicting with any
other packaging system (on Linux systems, for example.) If the user is
inside a PEP 405 virtual environment then the pip implementation will be
installed into that virtual environment.

The bootstrap process will proceed as follows:

1.  The user system has Python (3.4+) installed. In the "scripts"
    directory of the Python installation there is the bootstrap script
    called "pip3".
2.  The user will invoke a pip command, typically "pip3 install
    <package>", for example "pip3 install Django".
3.  The bootstrap script will attempt to import the pip implementation.
    If this succeeds, the pip command is processed normally. Stop.
4.  On failing to import the pip implementation the bootstrap notifies
    the user that it needs to "install pip". It will ask the user
    whether it should install pip as a system-wide site-packages or as a
    user-only package. This choice will also be present as a
    command-line option to pip so non-interactive use is possible.
5.  The bootstrap will and contact PyPI to obtain the latest download
    wheel file (see PEP 427.)
6.  Upon downloading the file it is installed using "python setup.py
    install".
7.  The pip tool may now import the pip implementation and continues to
    process the requested user command normally.

Users may be running in an environment which cannot access the public
Internet and are relying solely on a local package repository. They
would use the "-i" (Base URL of Python Package Index) argument to the
"pip3 install" command. This simply overrides the default index URL
pointing to PyPI.

Some users may have no Internet access suitable for fetching the pip
implementation file. These users can manually download and install the
setuptools and pip tar files. Adding specific support for this use-case
is unnecessary.

The download of the pip implementation install file will be performed
securely. The transport from pypi.python.org will be done over HTTPS
with the CA certificate check performed. This facility will be present
in Python 3.4+ using Operating System certificates (see PEP XXXX).

Beyond those arguments controlling index location and download options,
the "pip3" bootstrap command may support further standard pip options
for verbosity, quietness and logging.

The "pip3" command will support two new command-line options that are
used in the bootstrapping, and otherwise ignored. They control where the
pip implementation is installed:

--bootstrap

    Install to the user's packages directory. The name of this option is
    chosen to promote it as the preferred installation option.

--bootstrap-to-system

    Install to the system site-packages directory.

These command-line options will also need to be implemented, but
otherwise ignored, in the pip implementation.

Consideration should be given to defaulting pip to install packages to
the user's packages directory if pip is installed in that location.

The "--no-install" option to the "pip3" command will not affect the
bootstrapping process.

Modifications to publishing packages

An additional new Python package is proposed, "pypublish", which will be
a tool for publishing packages to PyPI. It would replace the current
"python setup.py register" and "python setup.py upload" distutils
commands. Again because of the measured Python release cycle and
extensive existing Python installations these commands are difficult to
bugfix and extend. Additionally it is desired that the "register" and
"upload" commands be able to be performed over HTTPS with certificate
validation. Since shipping CA certificate keychains with Python is not
really feasible (updating the keychain is quite difficult to manage) it
is desirable that those commands, and the accompanying keychain, be made
installable and upgradeable outside of Python itself.

The existing distutils mechanisms for package registration and upload
would remain, though with a deprecation warning.

Implementation

The changes to pip required by this PEP are being tracked in that
project's issue tracker[1]. Most notably, the addition of --bootstrap
and --bootstrap-to-system to the pip command-line.

It would be preferable that the pip and setuptools projects distribute a
wheel format download.

The required code for this implementation is the "pip3" command
described above. The additional pypublish can be developed outside of
the scope of this PEP's work.

Finally, it would be desirable that "pip3" be ported to Python 2.6+ to
allow the single command to replace existing pip, setuptools and
virtualenv (which would be added to the bootstrap) bootstrap scripts.
Having that bootstrap included in a future Python 2.7 release would also
be highly desirable.

Risks

The key that is used to sign the pip implementation download might be
compromised and this PEP currently proposes no mechanism for key
revocation.

There is a Perl package installer also named "pip". It is quite rare and
not commonly used. The Fedora variant of Linux has historically named
Python's "pip" as "python-pip" and Perl's "pip" as "perl-pip". This
policy has been altered[2] so that future and upgraded Fedora
installations will use the name "pip" for Python's "pip". Existing
(non-upgraded) installations will still have the old name for the Python
"pip", though the potential for confusion is now much reduced.

References

Acknowledgments

Alyssa Coghlan for her thoughts on the proposal and dealing with the Red
Hat issue.

Jannis Leidel and Carl Meyer for their thoughts. Marcus Smith for
feedback.

Marcela Mašláňová for resolving the Fedora issue.

Copyright

This document has been placed in the public domain.



  Local Variables: mode: indented-text indent-tabs-mode: nil
  sentence-end-double-space: t fill-column: 70 coding: utf-8 End:

[1] pip issue tracking work needed for this PEP
https://github.com/pypa/pip/issues/863

[2] Fedora's python-pip package does not provide /usr/bin/pip
https://bugzilla.redhat.com/show_bug.cgi?id=958377