[Python-checkins] peps: Add 3.3 and 2.7 back to pip boostrap PEP

nick.coghlan python-checkins at python.org
Sun Sep 15 15:49:55 CEST 2013 

http://hg.python.org/peps/rev/ea9babf171fb
changeset:   5118:ea9babf171fb
user:        Nick Coghlan <ncoghlan at gmail.com>
date:        Sun Sep 15 23:49:45 2013 +1000
summary:
  Add 3.3 and 2.7 back to pip boostrap PEP

Donald reminded me of both why we originally proposed that, and
how the current implementation supports older Python versions

files:
  pep-0453.txt |  57 ++++++++++++++++++++++++++++-----------
  1 files changed, 41 insertions(+), 16 deletions(-)


diff --git a/pep-0453.txt b/pep-0453.txt
--- a/pep-0453.txt
+++ b/pep-0453.txt
@@ -26,7 +26,8 @@
 ========
 
 This PEP proposes the inclusion of a ``getpip`` bootstrapping module in
-Python 3.4.
+Python 3.4, as well as in the next maintenance releases of Python 3.3 and
+2.7.
 
 This PEP does *not* propose making pip (or any dependencies) part of the
 standard library. Instead, pip will be a bundled application provided
@@ -203,6 +204,28 @@
 an updated version of the ``getpip`` bootstrap module.
 
 
+Feature Addition in Maintenance Releases
+========================================
+
+Adding a new module to the standard library in Python 2.7 and 3.3
+maintenance releases breaks the usual policy of "no new features in
+maintenance releases".
+
+It is being proposed in this case as the bootstrapping problem greatly
+affects the experience of new users, especially on Python 2 where many
+Python 3 standard library improvements are available as backports on PyPI,
+but are not included in the Python 2 standard library.
+
+By updating Python 2.7, 3.3 and 3.4 to easily bootstrap the PyPI ecosystem,
+this should aid the vast majority of Python users, rather than only those
+with the freedom to adopt Python 3.4 as soon as it is released.
+
+This is also a matter of starting as we mean to continue: similar to IDLE
+(see PEP 434), ``getpip`` will be permanently exempted from the "no new
+features in maintenance releases" restriction, as it will include (and
+rely on) upgraded versions of ``pip`` even in maintenance releases.
+
+
 Pre-installation
 ================
 
@@ -216,7 +239,8 @@
 attempt to run ``python -m getpip`` by default however the ``make install``
 and ``make altinstall`` commands of the source distribution will not. Note
 that ``getpip`` itself will still be installed normally (as it is a regular
-part of the standard library), only
+part of the standard library), only the installation of pip and its
+dependencies will be skipped.
 
 Keeping the pip bootstrapping as a separate step for make based
 installations should minimize the changes CPython redistributors need to
@@ -284,6 +308,18 @@
 PyPI.
 
 
+Bundling CA Certificates with CPython
+=====================================
+
+The reference ``getpip`` implementation includes the ``pip`` CA
+bundle along with the rest of pip. This means CPython effectively includes
+a CA bundle that is used solely for ``getpip``.
+
+This is considered desirable, as it ensures that ``pip`` will behave the
+same across all supported versions of Python, even those prior to Python
+3.4 that cannot access the system certificate store on Windows.
+
+
 Recommendations for Downstream Distributors
 ===========================================
 
@@ -308,6 +344,9 @@
     "debundling" policy.
   * This does mean that if ``pip`` needs to be updated due to a security
     issue, so does the bundled version in the ``getpip`` bootstrap module
+  * However, altering the bundled version of pip to remove the embedded
+    CA certificate bundle and rely the system CA bundle instead is a
+    reasonable change.
 
 * Migrate build systems to utilize `pip`_ and `Wheel`_ instead of directly
   using ``setup.py``.
@@ -365,20 +404,6 @@
 ============================
 
 
-Bundling the installer in Python 2.7 and 3.3 Maintenance Releases
------------------------------------------------------------------
-
-Unlike earlier Python versions, Python 3.4 provides access to the system
-certificate store on Windows systems. This allows ``getpip`` to create a
-verified connection to PyPI without needing to include a custom certificate
-bundle with CPython.
-
-Rather than trying to come up with a secure bootstrapping alternative for
-earlier Python versions, the existing manual bootstrapping mechanism (which
-relies on SSL verification in other tools like curl, wget and web browsers)
-will continue to be used.
-
-
 Implicit Bootstrap
 ------------------
 

-- 
Repository URL: http://hg.python.org/peps

More information about the Python-checkins mailing list