[Python-Dev] PEP 453 (ensurepip) updated

Nick Coghlan ncoghlan at gmail.com
Sun Oct 20 14:27:56 CEST 2013


I have posted the latest version of PEP 453 to python.org. It is
available in the usual place:

    http://www.python.org/dev/peps/pep-0453/

Three significant changes have been made since the last posted version:

* removed the proposal to change the script installation directory on
Windows, due to a backwards compatibility issue identified for Windows
package installers created with earlier versions of Python (and
vice-versa when attempting to use installers created with Python 3.4
on older versions)

* noted the current certificate verification concerns for the requests
project, and made resolution of that a requirement for inclusion of
ensurepip in the final release of Python 3.4

* added an integration timeline, including a December 29th deadline
for the inclusion of pip 1.5 (or a subsequent maintenance release)
that includes a resolution of the certificate verification issues in
requests

Rather than posting the whole document again, I have just quoted the
most relevant sections for these changes:

<snip>

Explicit bootstrapping mechanism
================================

<snip>

Security considerations
-----------------------

The design in this PEP has been deliberately chosen to avoid making any
significant changes to the trust model of CPython for end users that do
not subsequently run the command ``pip install --upgrade pip``.

The installers will contain all the components of a fully functioning
version of Python, including the ``pip`` installer. The installation
process will *not* require network access, and will *not* rely on
trusting the security of the network connection established between
``pip`` and the Python package index.

Only users that choose to use ``pip`` to communicate with PyPI will
need to pay attention to the additional security considerations that come
with doing so.

However, the core CPython team will still assist with reviewing and
resolving at least the `certificate update management issue
<https://github.com/kennethreitz/requests/issues/1659>`__ currently
affecting the ``requests`` project (and hence ``pip``), and may also be
able to offer assistance in resolving other identified security concerns
[#cert-verification]_.

<snip>

Integration timeline
--------------------

If this PEP is accepted, the proposed time frame for integration of ``pip``
into the CPython release is as follows:

* as soon as possible after the release of 3.4.0 alpha 4

  * Documentation updated and ``ensurepip`` implemented based on a
    pre-release version of ``pip`` 1.5.

  * All other proposed functional changes for Python 3.4 implemented,
    including the installer updates to invoke ``ensurepip``.

* by November 20th (3 days prior to the scheduled date of 3.4.0 beta 1)

  * ``ensurepip`` updated to use a ``pip`` 1.5 release candidate.

  * PEP 101 updated to cover ensuring the bundled version of ``pip`` is up
    to date.

* by November 24th (scheduled date of 3.4.0 beta 1)

  * As with any other new feature, all proposed functional changes for
    Python 3.4 must be implemented prior to the beta feature freeze.

* by December 29th (1 week prior to the scheduled date of 3.4.0 beta 2)

  * ``requests`` certificate management issue resolved
  * ``ensurepip`` updated to the final release of ``pip`` 1.5, or a
    subsequent maintenance release (including a suitably updated vendored
    copy of ``requests``)

(See PEP 429 for the current official scheduled dates of each release. Dates
listed above are accurate as of October 20th, 2013.)

If there is no final or maintenance release of ``pip`` 1.5 with a suitable
updated version of ``requests`` available by one week before the scheduled
Python 3.4 beta 2 release, then implementation of this PEP will
be deferred to Python 3.5. Note that this scenario is considered unlikely -
the tentative date for the ``pip`` 1.5 release is currently December 1st.

In future CPython releases, this kind of coordinated scheduling shouldn't be
needed: the CPython release manager will be able to just update to the latest
released version of ``pip``. However, in this case, some fixes are needed in
``pip`` in order to allow the bundling to work correctly, and the
certificate update mechanism for ``requests`` needs to be improved, so the
``pip`` 1.5 release cycle needs to be properly aligned with the CPython 3.4
beta releases.

<snip>

Appendix: Rejected Proposals
============================

Changing the name of the scripts directory on Windows
-----------------------------------------------------

Earlier versions of this PEP proposed changing the name of the script
installation directory on Windows from "Scripts" to "bin" in order to
improve the cross-platform consistency of the virtual environments created
by ``pyvenv``.

However, Paul Moore determined that this change was likely backwards
incompatible with cross-version Windows installers created with previous
versions of Python, so the change has been removed from this PEP
[#windows-incompatibility]_.

<snip>


-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
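
A check a practitioner might want for the offline bootstrap the PEP describes, as an added example that is not part of the PEP or of CPython: inventory the wheels shipped with ``ensurepip`` (distribution, version, SHA-256) so the exact components the installer trusts can be recorded and compared against a known-good list. The ``_bundled`` directory next to the ``ensurepip`` module is assumed to be a CPython layout detail rather than a public API, and ``demo_inventory`` exercises the same audit over constructed sample files.

```python
"""Inventory the wheels ensurepip installs offline (added example, not CPython code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# PEP 427 file name: {distribution}-{version}(-{build})?-{python}-{abi}-{platform}.whl
_WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<python>[^-]+)-(?P<abi>[^-]+)-(?P<platform>[^-]+)\.whl$"
)

def parse_wheel_filename(filename):
    """Return (distribution, version) for a wheel file name, or None if it is not one."""
    m = _WHEEL_RE.match(filename)
    return (m.group("name"), m.group("version")) if m else None

def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()

def audit_bundled_wheels(bundle_dir):
    """Map each wheel in bundle_dir to (version, sha256): a record of what the
    offline bootstrap trusts, to be compared against a known-good list."""
    inventory = {}
    for wheel in sorted(Path(bundle_dir).iterdir()):
        parsed = parse_wheel_filename(wheel.name)
        if parsed is None:  # README, signature or hash files are not wheels
            continue
        name, version = parsed
        inventory[name] = (version, sha256_of_bytes(wheel.read_bytes()))
    return inventory

def ensurepip_bundle_dir():
    """Locate the wheels shipped next to the ensurepip module.  The _bundled
    directory is a CPython layout detail (assumption), not a public API, and
    some OS distributions relocate the wheels, so the path may be absent."""
    import ensurepip
    return Path(ensurepip.__file__).resolve().parent / "_bundled"

def demo_inventory():
    """Run the audit over constructed sample files standing in for real wheels."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "pip-1.5-py2.py3-none-any.whl").write_bytes(b"constructed pip wheel")
        Path(tmp, "setuptools-2.1-1-py2.py3-none-any.whl").write_bytes(b"constructed")
        Path(tmp, "README.txt").write_bytes(b"not a wheel")
        return audit_bundled_wheels(tmp)

if __name__ == "__main__":
    for dist, (ver, digest) in audit_bundled_wheels(ensurepip_bundle_dir()).items():
        print(f"{dist} {ver} sha256={digest}")
```

Run as a script it lists the local interpreter's bundled wheels; the digests are what to pin, since anything fetched later by ``pip install --upgrade pip`` is outside the installer's trust root.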

