[Distutils] Q about best practices now (or near future)

Donald Stufft donald at stufft.io
Thu Jul 18 03:03:33 CEST 2013 

On Jul 17, 2013, at 8:38 PM, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:

> Donald Stufft <donald <at> stufft.io> writes:
> 
>> 
>>     curl https://raw.github.com/pypa/pip/master/contrib/get-pip.py | python
> 
> Well it doesn't work on Windows, which would be a reasonable objection to 
> using that specific approach.
> 
>> But for various reasons many projects have decided that expecting people to
>> install the tools is difficult, especially for beginners and that simply 
> documenting
>> the command to install it was not enough.
> 
> If it's that obvious, then why did Richard spend so long writing a bootstrap 
> script, drafting PEP 439 etc.? Do you have any numbers on the "many projects"?

I never stated it was *obvious*. To me requiring an explicit bootstrap step was always
a bad idea. It's an unfriendly UX that requires people to either know ahead of time if
they already have pip installed, or try to use pip, notice it fail, run the bootstrapper,
and then run the command they originally wanted to run.

It also places a burden on every other project in the ecosystem to document that they
need to first run `python -m getpip` and then run ``pip install project``.

However Richard's implementation and the PEP was not an explicit bootstrap. It was
an implicit bootstrap that upon the first execution of ``pip``would fetch and install pip
and setuptools. The implicit bootstrap approach was more or less decided against
for fear of being too magical and users not really being aware if they have or don't
have pip.

So to recap:

Bootstrapping over the Networking in General
    - Requires network access
    - Extra failure points
        - OpenSSL Age
        - OpenSSL Available at all?
        - Proxies?
        - SSL Intercept Devices?

Explicit bootstrapping
    - Everything from Bootstrapping over the network
    - Requires users (and projects) to use/document an explicit command

Implicit Bootstrapping
    - Everything from Bootstrapping over the network
    - Users unsure if pip is installed or not (or at what point it will install)
    - "Magical"

Bootstrap at Python Install Time
    - Everything from Bootstrapping over the network
    - Users possibly unaware that installer reaches the network
    - Some users tend to not be fans of installers "Phoning Home" - Privacy implications?

Pre-Installation at Release Creation Time
    - Users might possibly have an older version of pip
    - ???

The older version of pip is just about the only real downside *for the users* of Python/pip
that I can think of. This is already the case for most people using the pip provided by their
Linux distribution and it's simple to upgrade the pip if the user requires a newer version
of pip using ``pip install --upgrade pip``.


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130717/50d1b78d/attachment-0001.pgp>

More information about the Distutils-SIG mailing list