Message 384577 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	vstinner
Date	2021-01-07.11:21:05
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1610018466.49.0.695886938784.issue42856@roundup.psfhosted.org>
In-reply-to

Content
The Fedora packaging policy recommends to "unbundle" bundled dependencies. "Fedora packages SHOULD make every effort to avoid having multiple, separate, upstream projects bundled together in a single package." https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling The main motivation is to ease updates when fix serious vulnerabilities (less packaging work). The ensurepip package contains bundled wheel packages of setuptools and pip: $ ls Lib/ensurepip/_bundled/ pip-20.2.3-py2.py3-none-any.whl setuptools-47.1.0-py3-none-any.whl The Fedora python3 package doesn't contain the ensurepip._bundled package: $ python3 Python 3.9.1 (default, Dec 8 2020, 00:00:00) >>> import ensurepip._bundled ModuleNotFoundError: No module named 'ensurepip._bundled' Instead, a separated RPM package python-pip-wheel provides wheel packages in /usr/share/python-wheels/ directory: $ ls /usr/share/python-wheels/ pip-20.2.2-py2.py3-none-any.whl* setuptools-49.1.3-py3-none-any.whl* wheel-0.34.2-py2.py3-none-any.whl* Fedora has a downstream patch on ensurepip (written by Miro Hrončok) to always use /usr/share/python-wheels/: https://src.fedoraproject.org/rpms/python3.10/blob/master/f/00189-use-rpm-wheels.patch Fedora has packages of 9 CPython versions: 2.6, 2.7, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10. https://developer.fedoraproject.org/tech/languages/python/multiple-pythons.html Having a separated package for wheel packages allows us to upgrade a single package (python-pip-wheel) for setuptools/pip bugfix or security vulnerability. -- I propose to add a new --with-wheel-pkg-dir=PATH option to the ./configure script. If used, ensurepip will only use wheel packages from this directory. Otherwise, the existing code is unchanged. In short, the behavior is unchanged, unless the option is used explicitly. If a directory is specified but wheel packages are missing, ensurepip fails. If the directory contains multiple wheel packages of different versions, the most recent version is used of each package. Note: In practice, the Fedora package only provides a single wheel package of each Python module. But I propose to make the Python upstream code as generic as possible. I'm working on a pull request to implement this. Downstream Fedora issue: https://bugzilla.redhat.com/show_bug.cgi?id=1874803 -- Fedora (Miro) already contributed to ensurepip to make ensurepip less dependent on pip internals: commit 88f82b2b9ea3514359cb6e3218121f75334063ac Author: Miro Hrončok <miro@hroncok.cz> Date: Tue Mar 10 22:16:28 2020 +0100 bpo-38662: ensurepip invokes pip via runpy (GH-18901) The ensurepip module now invokes pip via the runpy module. Hence it is no longer tightly coupled with the internal API of the bundled pip version, allowing easier updates to a newer pip version both internally and for distributors. This way, any changes to the internal pip API won't mean ensurepip needs to be changed as well. Also, distributors can update their pip wheels independent on CPython release schedule. Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> Co-Authored-By: Miro Hrončok <miro@hroncok.cz> This change was already related to Fedora downstream change to get wheel packages from a different directory. Fedora can use a different pip version (older or more recent) than ensurepip._bundled.

The Fedora packaging policy recommends to "unbundle" bundled dependencies.

"Fedora packages SHOULD make every effort to avoid having multiple, separate, upstream projects bundled together in a single package."
https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling

The main motivation is to ease updates when fix serious vulnerabilities (less packaging work).

The ensurepip package contains bundled wheel packages of setuptools and pip:

$ ls Lib/ensurepip/_bundled/
pip-20.2.3-py2.py3-none-any.whl
setuptools-47.1.0-py3-none-any.whl

The Fedora python3 package doesn't contain the ensurepip._bundled package:

$ python3
Python 3.9.1 (default, Dec  8 2020, 00:00:00) 
>>> import ensurepip._bundled
ModuleNotFoundError: No module named 'ensurepip._bundled'

Instead, a separated RPM package python-pip-wheel provides wheel packages in /usr/share/python-wheels/ directory:

$ ls /usr/share/python-wheels/
pip-20.2.2-py2.py3-none-any.whl*
setuptools-49.1.3-py3-none-any.whl*
wheel-0.34.2-py2.py3-none-any.whl*

Fedora has a downstream patch on ensurepip (written by Miro Hrončok) to always use /usr/share/python-wheels/:

https://src.fedoraproject.org/rpms/python3.10/blob/master/f/00189-use-rpm-wheels.patch

Fedora has packages of 9 CPython versions: 2.6, 2.7, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10.

https://developer.fedoraproject.org/tech/languages/python/multiple-pythons.html

Having a separated package for wheel packages allows us to upgrade a single package (python-pip-wheel) for setuptools/pip bugfix or security vulnerability.

--

I propose to add a new --with-wheel-pkg-dir=PATH option to the ./configure script. If used, ensurepip will only use wheel packages from this directory. Otherwise, the existing code is unchanged. In short, the behavior is unchanged, unless the option is used explicitly.

If a directory is specified but wheel packages are missing, ensurepip fails.

If the directory contains multiple wheel packages of different versions, the most recent version is used of each package.

Note: In practice, the Fedora package only provides a single wheel package of each Python module. But I propose to make the Python upstream code as generic as possible.

I'm working on a pull request to implement this.

Downstream Fedora issue: https://bugzilla.redhat.com/show_bug.cgi?id=1874803

--

Fedora (Miro) already contributed to ensurepip to make ensurepip less dependent on pip internals:

commit 88f82b2b9ea3514359cb6e3218121f75334063ac
Author: Miro Hrončok <miro@hroncok.cz>
Date:   Tue Mar 10 22:16:28 2020 +0100

    bpo-38662: ensurepip invokes pip via runpy (GH-18901)
    
    The ensurepip module now invokes pip via the runpy module.
    Hence it is no longer tightly coupled with the internal API of the bundled
    pip version, allowing easier updates to a newer pip version both
    internally and for distributors.
    
    This way, any changes to the internal pip API won't mean ensurepip needs to be
    changed as well. Also, distributors can update their pip wheels independent on
    CPython release schedule.
    
    Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com>
    Co-Authored-By: Miro Hrončok <miro@hroncok.cz>

This change was already related to Fedora downstream change to get wheel packages from a different directory. Fedora can use a different pip version (older or more recent) than ensurepip._bundled.

History
Date	User	Action	Args
2021-01-07 11:21:06	vstinner	set	recipients: + vstinner
2021-01-07 11:21:06	vstinner	set	messageid: <1610018466.49.0.695886938784.issue42856@roundup.psfhosted.org>
2021-01-07 11:21:06	vstinner	link	issue42856 messages
2021-01-07 11:21:05	vstinner	create