I have posted the latest version of PEP 453 to python.org. It is available in the usual place: http://www.python.org/dev/peps/pep-0453/ Three significant changes have been made since the last posted version: * removed the proposal to change the script installation directory on Windows, due to a backwards compatibility issue identified for Windows package installers created with earlier versions of Python (and vice-versa when attempting to use installers created with Python 3.4 on older versions) * noted the current certificate verification concerns for the requests project, and made resolution of that a requirement for inclusion of ensurepip in the final release of Python 3.4 * added an integration timeline, including a December 29th deadline for the inclusion of pip 1.5 (or a subsequent maintenance release) that includes a resolution of the certificate verification issues in requests Rather than posting the whole document again, I have just quoted the most relevant sections for these changes: <snip> Explicit bootstrapping mechanism ================================ <snip> Security considerations ----------------------- The design in this PEP has been deliberately chosen to avoid making any significant changes to the trust model of CPython for end users that do not subsequently run the command ``pip install --upgrade pip``. The installers will contain all the components of a fully functioning version of Python, including the ``pip`` installer. The installation process will *not* require network access, and will *not* rely on trusting the security of the network connection established between ``pip`` and the Python package index. Only users that choose to use ``pip`` to communicate with PyPI will need to pay attention to the additional security considerations that come with doing so. However, the core CPython team will still assist with reviewing and resolving at least the `certificate update management issue <https://github.com/kennethreitz/requests/issues/1659>`__ currently affecting the ``requests`` project (and hence ``pip``), and may also be able to offer assistance in resolving other identified security concerns [#cert-verification]_. <snip> Integration timeline -------------------- If this PEP is accepted, the proposed time frame for integration of ``pip`` into the CPython release is as follows: * as soon as possible after the release of 3.4.0 alpha 4 * Documentation updated and ``ensurepip`` implemented based on a pre-release version of ``pip`` 1.5. * All other proposed functional changes for Python 3.4 implemented, including the installer updates to invoke ``ensurepip``. * by November 20th (3 days prior to the scheduled date of 3.4.0 beta 1) * ``ensurepip`` updated to use a ``pip`` 1.5 release candidate. * PEP 101 updated to cover ensuring the bundled version of ``pip`` is up to date. * by November 24th (scheduled date of 3.4.0 beta 1) * As with any other new feature, all proposed functional changes for Python 3.4 must be implemented prior to the beta feature freeze. * by December 29th (1 week prior to the scheduled date of 3.4.0 beta 2) * ``requests`` certificate management issue resolved * ``ensurepip`` updated to the final release of ``pip`` 1.5, or a subsequent maintenance release (including a suitably updated vendored copy of ``requests``) (See PEP 429 for the current official scheduled dates of each release. Dates listed above are accurate as of October 20th, 2013.) If there is no final or maintenance release of ``pip`` 1.5 with a suitable updated version of ``requests`` available by one week before the scheduled Python 3.4 beta 2 release, then implementation of this PEP will be deferred to Python 3.5. Note that this scenario is considered unlikely - the tentative date for the ``pip`` 1.5 release is currently December 1st. In future CPython releases, this kind of coordinated scheduling shouldn't be needed: the CPython release manager will be able to just update to the latest released version of ``pip``. However, in this case, some fixes are needed in ``pip`` in order to allow the bundling to work correctly, and the certificate update mechanism for ``requests`` needs to be improved, so the ``pip`` 1.5 release cycle needs to be properly aligned with the CPython 3.4 beta releases. <snip> Appendix: Rejected Proposals ============================ Changing the name of the scripts directory on Windows ----------------------------------------------------- Earlier versions of this PEP proposed changing the name of the script installation directory on Windows from "Scripts" to "bin" in order to improve the cross-platform consistency of the virtual environments created by ``pyvenv``. However, Paul Moore determined that this change was likely backwards incompatible with cross-version Windows installers created with previous versions of Python, so the change has been removed from this PEP [#windows-incompatibility]_. <snip> -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia