On behalf of the Python Packaging Authority, I am pleased to announce
that we have just released pip 20.3, a new version of pip. You can
install it by running `python -m pip install --upgrade pip`.
This is an important and disruptive release -- we explained why in a
blog post last year
https://pyfound.blogspot.com/2019/12/moss-czi-support-pip.html . We even
made a video about it: https://www.youtube.com/watch?v=B4GQCBBsuNU .
Blog post with details:
https://pyfound.blogspot.com/2020/11/pip-20-3-new-resolver.html
Highlights include:
* **DISRUPTION**: Switch to the new dependency resolver by
default. Watch out for changes in handling editable
installs, constraints files, and more:
https://pip.pypa.io/en/latest/user_guide/#changes-to-the-pip-dependency-res…
* **DEPRECATION**: Deprecate support for Python 3.5 (to be removed in
pip 21.0)
* **DEPRECATION**: pip freeze will stop filtering the pip, setuptools,
distribute and wheel packages from pip freeze output in a future
version. To keep the previous behavior, users should use the new
`--exclude` option.
* Support for PEP 600: Future ‘manylinux’ Platform Tags for Portable
Linux Built Distributions.
* Add support for MacOS Big Sur compatibility tags.
The new resolver is now *on by default*. It is significantly stricter
and more consistent when it receives incompatible instructions, and
reduces support for certain kinds of constraints files, so some
workarounds and workflows may break. Please see our guide on how to
test and migrate, and how to report issues:
https://pip.pypa.io/en/latest/user_guide/#changes-to-the-pip-dependency-res…
. You can use the deprecated (old) resolver, using the flag
`--use-deprecated=legacy-resolver`, until we remove it in the pip 21.0
release in January 2021.
In pip 21.0 we will also remove support for Python 2.7.
You can find more details (including deprecations and removals) in the
changelog https://pip.pypa.io/en/stable/news/ , and you can find
thank-yous and instructions on reporting issues at
https://pyfound.blogspot.com/2020/11/pip-20-3-new-resolver.html .
Thank you,
Sumana Harihareswara
pip project manager
Changeset Consulting
https://changeset.nyc
On behalf of the Python Packaging Authority, I am pleased to announce
the release of pip 20.2. Please upgrade for speed improvements, bug
fixes, and better logging. You can install it by running python -m pip
install --upgrade pip.
We make major releases each quarter, so this is the first new release
since 20.1 in April.
NOTICE: This release includes the beta of the next-generation dependency
resolver. It is significantly stricter and more consistent when it
receives incompatible instructions, and reduces support for certain
kinds of constraints files, so some workarounds and workflows may break.
Please test it with the `--use-feature=2020-resolver` flag. Please see
our guide on how to test and migrate, and how to report issues
<https://pip.pypa.io/en/latest/user_guide/#changes-to-the-pip-dependency-res…>.
The new dependency resolver is *off by default* because it is *not yet
ready for everyday use*.
For release highlights and thank-yous, please see
<https://blog.python.org/2020/07/upgrade-pip-20-2-changes-20-3.html> .
The full changelog is at <https://pip.pypa.io/en/stable/news/>.
Future:
We plan to make pip's next quarterly release, 20.3, in October 2020. We
are preparing to change the default dependency resolution behavior and
make the new resolver the default in pip 20.3.
--
Sumana Harihareswara
project manager for pip, on contract with Python Software Foundation
Changeset Consulting, https://changeset.nyc
On behalf of the Python Packaging Authority, I am pleased to announce that we have released a new version of pip, pip 20.1. Please upgrade for speed improvements and bugfixes.
We make major releases each quarter, and so this is the first new release since 20.0.2 in January.
To install pip 20.1, you can run:
python -m pip install --upgrade pip
For release highlights and thank-yous, please see https://blog.python.org/2020/04/pip-20-1-released.html .
Future:
In May, we aim to release a version of pip that includes a testable beta of the new dependency resolver: https://pyfound.blogspot.com/2020/03/new-pip-resolver-to-roll-out-this-year… .
And we plan to make pip's next quarterly release in July 2020.
best,
Sumana Harihareswara
project manager for pip, on contract with Python Software Foundation
Changeset Consulting, https://changeset.nyc
Hello!
I’m looking for anyone who has built something interesting using the PyPI Big Query public dataset that’s documented at https://packaging.python.org/guides/analyzing-pypi-package-downloads/.
There are some changes that are coming up that we’d like to preview for users that are actively using the dataset.
If that’s you, send a note to bigquery-feedback(a)pypi.org with how you’ve been using the dataset. I’ll get back to you with information on the upcoming changes and will select a few projects to feature in the announcement of the new changes.
-Ernest W. Durbin III
Director of Infrastructure
Python Software Foundation
Dear PyPI users:
To increase the security of PyPI downloads, we have added
two-factor authentication (2FA) as a login security option,
and API tokens for uploading packages.
If you maintain or own a project on the Python Package Index
[pypi.org], you should start using these features. Click "help"
on PyPI for instructions.
See details, explanations, and screenshots in our blog post today:
https://pyfound.blogspot.com/2020/01/start-using-2fa-and-api-tokens-on-pypi…
A condensed explanation follows.
2FA:
Two-factor authentication makes your account more secure by
requiring two things in order to log in: something you know
and something you own.
In PyPI's case, "something you know" is your username and
password, while "something you own" can be an application
to generate a temporary code, or a security device (most
commonly a USB key). PyPI's implementation of the WebAuthn
standard means you can use any 2FA device that meets the
FIDO standard.
2FA only affects logging in via a web browser, and not
(yet) package uploads.
API tokens:
API tokens provide an alternative way (instead of username and
password) to authenticate when uploading packages to PyPI.
You can create a token for an entire PyPI account, in which
case, the token will work for all projects associated with
that account. Alternatively, you can limit a token's scope
to a specific project. That way, if a token is compromised,
you can just revoke and recreate that token, instead of
having to change your password in lots of automated processes.
For more details and instructions, click "help" on PyPI, or
go to: https://pypi.org/help/
These features are also available on Test PyPI.
Future:
In the future, PyPI will set and enforce a policy requiring
users with two-factor authentication enabled to use API tokens
to upload (rather than just their password, without a second
factor). We do not yet know when we will make this policy change;
when we decide on a timeline, we will announce the change on this list.
Thanks to the Open Technology Fund for funding this work.
More work is in progress on pip and PyPI -- see https://wiki.python.org/psf/PackagingWG .
Please forward to other PyPI users, especially package maintainers.
-Sumana Harihareswara on behalf of the PyPI team
Dear PyPI users:
To increase the security of PyPI downloads, we're beginning to introduce two-factor authentication (2FA) as a login security option, and want project maintainers and owners to start testing it.
Starting this Friday, May 3rd, you'll be able to use 2FA on Test PyPI http://test.pypi.org/ . And if you'd like to try 2FA on official PyPI https://pypi.org , please fill out this Google form https://docs.google.com/forms/d/e/1FAIpQLSfRmXhkfAL-LgLfcMdzTG7iIaSwPo-pyzk… so we can invite you to the private beta, which we plan to hold 3-20 May.
More details at https://wiki.python.org/psf/WarehousePackageMaintainerTesting .
We expect to end this testing period on May 20th, then enable the optional 2FA feature for all PyPI users, and move on to working on WebAuthn support.
Thanks to the Open Technology Fund for funding this work. More progress reports at https://wiki.python.org/psf/PackagingWG .
-Sumana Harihareswara on behalf of the PyPI team
Heads-up: if you have a pypi.org or test.pypi.org account, please verify your email address:
https://pypi.org/manage/account/
https://test.pypi.org/manage/account/
Reason:
> We have a problem with a bit of our data, namely that due to historical reasons we have a fair amount of users in the database that do not have a verified primary email address. The side effect of this is that we're currently sending emails to email addresses that we have not had verified. This is a bad situation to be in, because in order to keep our bounce/spam rate low, we should be confirming all email addresses before sending email to them. In addition the way our bounce handling code works is it un-verifies the email address, which the intent was to stop sending email to it until the user has reverified their email address.
(quoting from Donald Stufft's explanation https://github.com/pypa/warehouse/issues/3632 which goes on to detail the step-by-step plan)
We have over 180,000 user accounts with unverified primary email addresses. Since it's important that we don't send email to unverified addresses, we're gradually adding restrictions on what accounts with unverified primary addresses can do. As of a few days ago, any user whose primary email address is unverified can't upload a file: https://github.com/pypa/warehouse/pull/4292
Please forward to other PyPI users, especially package maintainers.
--
Sumana Harihareswara on behalf of the PyPI team
On behalf of the PyPA, I am pleased to announce that pip 10.0 has just
been released. This release has been the culmination of many months of
work by the community.
To install pip 10.0, you can run
python -m pip install --upgrade pip
or use get-pip, as described in
https://pip.pypa.io/en/latest/installing. If you are using a version
of pip supplied by your distribution vendor, vendor-supplied upgrades
will be available in due course (or you can use pip 10 in a virtual
environment).
(One minor issue with using get-pip on Windows - when you download
get-pip.py, rename it to something that doesn't include "pip" in the
name, such as "gp.py", as the standard name triggers a check in pip
that aborts the run - this is being tracked in
https://github.com/pypa/pip/issues/5219).
Highlights of the new release:
* Python 2.6 is no longer supported - if you need pip on Python 2.6,
you should stay on pip 9, which is the last version to support Python
2.6.
* Support for PEP 518, which allows projects to specify what packages
they require in order to build from source. (PEP 518 support is
currently limited, with full support coming in future versions - see
the documentation for details).
* Significant improvements in Unicode handling for non-ASCII locales on Windows.
* A new "pip config" command.
* The default upgrade strategy has become "only-if-needed".
* Many bug fixes and minor improvements.
In addition, the previously announced reorganisation of pip's
internals has now taken place. Unless you are the author of code that
imports the pip module (or a user of such code), this change will not
affect you. If you are affected, please report the issue to the author of the
offending code (refer them to
https://mail.python.org/pipermail/distutils-sig/2017-October/031642.html
for the details of the announcement).
Thanks to everyone who put so much effort into the new release. Many
of the contributions came from community members, whether in the form
of code, participation in design discussions, or bug reports. The pip
development team is extremely grateful to everyone in the community
for their contributions.
Thanks,
Paul