PEP 453 (ensurepip) updated
I have posted the latest version of PEP 453 to python.org. It is available in the usual place: http://www.python.org/dev/peps/pep-0453/ Three significant changes have been made since the last posted version: * removed the proposal to change the script installation directory on Windows, due to a backwards compatibility issue identified for Windows package installers created with earlier versions of Python (and vice-versa when attempting to use installers created with Python 3.4 on older versions) * noted the current certificate verification concerns for the requests project, and made resolution of that a requirement for inclusion of ensurepip in the final release of Python 3.4 * added an integration timeline, including a December 29th deadline for the inclusion of pip 1.5 (or a subsequent maintenance release) that includes a resolution of the certificate verification issues in requests Rather than posting the whole document again, I have just quoted the most relevant sections for these changes: <snip> Explicit bootstrapping mechanism ================================ <snip> Security considerations ----------------------- The design in this PEP has been deliberately chosen to avoid making any significant changes to the trust model of CPython for end users that do not subsequently run the command ``pip install --upgrade pip``. The installers will contain all the components of a fully functioning version of Python, including the ``pip`` installer. The installation process will *not* require network access, and will *not* rely on trusting the security of the network connection established between ``pip`` and the Python package index. Only users that choose to use ``pip`` to communicate with PyPI will need to pay attention to the additional security considerations that come with doing so. However, the core CPython team will still assist with reviewing and resolving at least the `certificate update management issue <https://github.com/kennethreitz/requests/issues/1659>`__ currently affecting the ``requests`` project (and hence ``pip``), and may also be able to offer assistance in resolving other identified security concerns [#cert-verification]_. <snip> Integration timeline -------------------- If this PEP is accepted, the proposed time frame for integration of ``pip`` into the CPython release is as follows: * as soon as possible after the release of 3.4.0 alpha 4 * Documentation updated and ``ensurepip`` implemented based on a pre-release version of ``pip`` 1.5. * All other proposed functional changes for Python 3.4 implemented, including the installer updates to invoke ``ensurepip``. * by November 20th (3 days prior to the scheduled date of 3.4.0 beta 1) * ``ensurepip`` updated to use a ``pip`` 1.5 release candidate. * PEP 101 updated to cover ensuring the bundled version of ``pip`` is up to date. * by November 24th (scheduled date of 3.4.0 beta 1) * As with any other new feature, all proposed functional changes for Python 3.4 must be implemented prior to the beta feature freeze. * by December 29th (1 week prior to the scheduled date of 3.4.0 beta 2) * ``requests`` certificate management issue resolved * ``ensurepip`` updated to the final release of ``pip`` 1.5, or a subsequent maintenance release (including a suitably updated vendored copy of ``requests``) (See PEP 429 for the current official scheduled dates of each release. Dates listed above are accurate as of October 20th, 2013.) If there is no final or maintenance release of ``pip`` 1.5 with a suitable updated version of ``requests`` available by one week before the scheduled Python 3.4 beta 2 release, then implementation of this PEP will be deferred to Python 3.5. Note that this scenario is considered unlikely - the tentative date for the ``pip`` 1.5 release is currently December 1st. In future CPython releases, this kind of coordinated scheduling shouldn't be needed: the CPython release manager will be able to just update to the latest released version of ``pip``. However, in this case, some fixes are needed in ``pip`` in order to allow the bundling to work correctly, and the certificate update mechanism for ``requests`` needs to be improved, so the ``pip`` 1.5 release cycle needs to be properly aligned with the CPython 3.4 beta releases. <snip> Appendix: Rejected Proposals ============================ Changing the name of the scripts directory on Windows ----------------------------------------------------- Earlier versions of this PEP proposed changing the name of the script installation directory on Windows from "Scripts" to "bin" in order to improve the cross-platform consistency of the virtual environments created by ``pyvenv``. However, Paul Moore determined that this change was likely backwards incompatible with cross-version Windows installers created with previous versions of Python, so the change has been removed from this PEP [#windows-incompatibility]_. <snip> -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
Am 20.10.13 14:27, schrieb Nick Coghlan:
I have posted the latest version of PEP 453 to python.org.
This version looks good to me, and I accept it for inclusion in Python 3.4. I'd like to thank Nick for carefully editing this PEP, and I'd like to cite it as an archetype for a well-written PEP. It's very precise, and it elaborates on rejected proposals and the motivation for rejection. I'd also like to thank Donald for pushing this, and for continued work on the implementation of the PEP. I see that this all took longer than expected (also due to my fault in providing timely reviews). I suggest that some of the stuff that needs to be done still is delegated, so that Donald doesn't have to do all of it. Regards, Martin
On 22 October 2013 19:33, "Martin v. Löwis" <martin@v.loewis.de> wrote:
Am 20.10.13 14:27, schrieb Nick Coghlan:
I have posted the latest version of PEP 453 to python.org.
This version looks good to me, and I accept it for inclusion in Python 3.4.
I'd like to thank Nick for carefully editing this PEP, and I'd like to cite it as an archetype for a well-written PEP. It's very precise, and it elaborates on rejected proposals and the motivation for rejection.
Thank you! I have updated the PEP to record the acceptance, and created a tracking issue for the implementation at http://bugs.python.org/issue19347
I'd also like to thank Donald for pushing this, and for continued work on the implementation of the PEP. I see that this all took longer than expected (also due to my fault in providing timely reviews). I suggest that some of the stuff that needs to be done still is delegated, so that Donald doesn't have to do all of it.
If we could get assistance with the installer and pyvenv updates after the initial implementation of the module itself is checked in, that would be a huge help. Cheers, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
In article <CADiSq7fHJu328W9CDc1j9eb72nAjVaJhvNa++5_w3rYuFwwUAg@mail.gmail.com>, Nick Coghlan <ncoghlan@gmail.com> wrote:
On 22 October 2013 19:33, "Martin v. Löwis" <martin@v.loewis.de> wrote:
Am 20.10.13 14:27, schrieb Nick Coghlan:
I have posted the latest version of PEP 453 to python.org.
This version looks good to me, and I accept it for inclusion in Python 3.4.
I'd like to thank Nick for carefully editing this PEP, and I'd like to cite it as an archetype for a well-written PEP. It's very precise, and it elaborates on rejected proposals and the motivation for rejection.
I'd like to second that and thank both Nick and Donald for addressing the concerns I raised.
Thank you! I have updated the PEP to record the acceptance, and created a tracking issue for the implementation at http://bugs.python.org/issue19347
I'd also like to thank Donald for pushing this, and for continued work on the implementation of the PEP. I see that this all took longer than expected (also due to my fault in providing timely reviews). I suggest that some of the stuff that needs to be done still is delegated, so that Donald doesn't have to do all of it.
If we could get assistance with the installer and pyvenv updates after the initial implementation of the module itself is checked in, that would be a huge help.
I'm planning to do the OS X installer support changes. -- Ned Deily, nad@acm.org
On Oct 22, 2013, at 5:33 AM, Martin v. Löwis <martin@v.loewis.de> wrote:
Am 20.10.13 14:27, schrieb Nick Coghlan:
I have posted the latest version of PEP 453 to python.org.
This version looks good to me, and I accept it for inclusion in Python 3.4.
I'd like to thank Nick for carefully editing this PEP, and I'd like to cite it as an archetype for a well-written PEP. It's very precise, and it elaborates on rejected proposals and the motivation for rejection.
I'd also like to thank Donald for pushing this, and for continued work on the implementation of the PEP. I see that this all took longer than expected (also due to my fault in providing timely reviews). I suggest that some of the stuff that needs to be done still is delegated, so that Donald doesn't have to do all of it.
Regards, Martin
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/donald%40stufft.io
Let me echo Nick's thank you! Now to get this implemented :D ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
participants (4)
-
"Martin v. Löwis"
-
Donald Stufft
-
Ned Deily
-
Nick Coghlan