-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ship pip as a standalone application #11243
Comments
Very interesting approach. |
There will be teaching implications too (undoing years of |
The script will need to check python version compatibility. |
At least initially, this can be an alternative, rather than a replacement. But absolutely, this is a significant change in approach. Which is why I think it needs to be flagged in advance. I'd post a topic on the Packaging discourse right now, but I'm frankly scared of the controversy it'll probably cause 😨 |
I mean, we can also ship pip as a zipapp. IIUC, that should still not be visible on That's easy to communicate as well. :) |
More broadly though, I'm on board. :) |
This is true. I'm not sure we can simply zip up the pip directory and call it a zipapp, but we can certainly ship a zipapp containing the script I posted above plus a copy of pip. Do we know if all of our dependencies work when shipped as a zipapp (I believe requests didn't like the certificate file being in a zip at one stage, but IIRC that's fixed now)? Also, does the mechanism we use for injecting pip into a build environment work from a zipapp? Shiv gets round this by creating zipapps that extract themselves on first use. I don't know if we want to go that far. Otherwise, the main things that annoy me about zipapps are (1) As an initial step in this direction, though, we could ship a That's something I'd be comfortable announcing as a plan on Discourse... |
I think the main hurdle toward shipping a standalone application (versus a zipapp) is source build. If someone needs to build something from source, it's likely they'll want to build against an existing Python installation, instead of the interpreter bundled in the standalone executable, and that'll need some additional mechanism. Wheel-only installations should be more or less plausible. The only reason thing we need to deal with (that I can think of) is console script shebangs. |
The key here is that the standalone executable doesn't bundle an interpreter1. That's basically what the Footnotes
|
How to upgrade pip is going to be a topic. If we want to be fancy, the script could have a mechanism to download the latest pip for the corresponding python version. |
Initially, I'd prefer to just publish a zipapp at https://bootstrap.pypa.io, like virtualenv does. Users can download that to get the latest version. Maybe we could also also publish it as a github release for people who want a specific version. I'd leave installers and upgraders to the community to provide, if they want (on Windows, for example, scoop and chocolatey can handle this, and on Linux distro packagers fulfil that role, I guess). Agreed that |
Noting this here, so that we don't forget -- we'd want to update the upgrade prompt, to be aware of the zipapp based workflow and behave differently. What that different behaviour should be is something I don't have an opinion on, and I don't intend to think about that until we get somewhere in the discussion. :) |
An interesting future capability could be that pip would no longer have to vendor as it could be isolated from the target environment, |
I don't think we'd get to that point, not in the order of decades -- we're still going to allow installing pip in environments, so the core reasons for vendoring will continue to exist. |
Agreed. A zipapp version of pip could debundle, but there's no point unless we drop support for installing pip in environments. |
I don't think we could debundle even in the zipapp -- it'd still be possible to have a version of requests/urllib3 (for example) in the environment that won't work with whatever version of pip is being used via a zipapp. |
For what it's worth, I've just created https://github.com/pfmoore/runpip The build script is there, and I've published a 22.1.2 release that has the pyz as a downloadable asset. If people want to play with it, go ahead. I think I'm going to make it my default pip locally and see how that works out. |
Ah, I was thinking of debundling but still shipping all of the vendored libraries in the zipapp. Yeah, working with locally installed copies of our dependencies is never going to work. |
Yea, I'm not sure what would take precedence in the import paths -- but we know vendoring works and we need it for our primary usecase today anyway. Let's table this -- we're all on the same page I think. :) |
I just added an option to the test suite to run pip from a zipapp (specifically, 69 failed, 775 passed, 38 skipped, 6 xfailed, 2015 warnings Not that bad, actually. And from a quick scan, many of the failures look like either assumptions about the location of the running pip, or "unexpected changes" caused by the extraction of cacert.pem to a temporary directory. So overall, that's relatively strong evidence that the zipapp is functional. At some point I'll try to work through the test failures, but for now I don't consider passing the test suite to be a necessary condition for publishing an experimental zipapp, if we choose to do so. Does anyone disagree? Edit: FWIW, without using the zipapp, I get the following on my machine: 10 failed, 834 passed, 38 skipped, 6 xfailed, 2015 warnings I believe the 10 failures are due to git on my PC being configured with Footnotes
|
#11248 fixes one of the problems (28 failures), getting us down to 41 failures (31 if you ignore the 10 unrelated ones). |
Most of the rest are down to the unexpected existence of I'm going to finish on this for today, but I think we're most of the way there now. The biggest outstanding task is working out a way to automatically build an up to date zipapp when running the tests with Does anyone know a good way of building a wheel of the pip under test from the running test suite? Am I overthinking this, and there's a simple answer I'm missing? |
They're not allowed to. :) |
I was nerd sniped by this, so I created https://github.com/sbidoul/pip-launcher, which automatically downloads the correct pip version using [update] renamed from pip-script to pip-launcher |
lol, nice. We're going to end up with a whole raft of different approaches to running pip without installing it. I have had pip.pyz installed as pip in my path for about a week now, but I think that in order to get a proper feel for how well it works, I need to configure virtualenv (and pew, if I can work out how to do that as well) to default to What I plan on doing over the next week sometime (it's been busy this week) is to put together a post on the packaging Discourse, saying something along the lines of
Does that seem OK to people? Do you want me to post a draft somewhere so that the @pypa/pip-committers can review the post before I make it? |
I’m fine with this wording and don’t think to put this somewhere for edits. In any case, I don’t feel strongly about the phrasing of the post and am happy to defer to others on that. It might make sense to link to this issue as well — again, I trust your judgement on whether that’s useful. |
Setting
Fine with me. No need to review AFAIC. |
FWIW, I've long thought it would be a great idea if pip stopped introspecting the current environment, and instead supported a CLI flag to target a specific environment (which then defaulted to Doing that, would mean you could use something like pyoxidizer to ship a whole Python with pip, including things like statically compiled extensions and what not. |
One thing we may need to consider is pip "plugins". We don't have those formalized today (although we may in the future), but some pip feature already try to import packages to enable themselves (such as the new |
Agreed. I think there's an issue somewhere for this, but it's a more complex change. For now, I think a zipapp that runs in any environment is a useful starting point, as it breaks the implication that pip is present in every environment (which I suspect will be the big hurdle for some people). This has been on my "if I get round to it" long term plan for ages, as well 🙂
Again, for now I'm personally fine with the idea that such packages need to be installed in the target environment (or the user sets up
However, be aware that I'm thinking here about the simple "zip all of pip up into a |
A couple of points I want to record here, so I don't forget them.
|
Running pip from the bundled wheel in ensurepip is as easy as:
Of course, even if we support running pip from a zip, it's still not technically supported to treat wheels as zipfiles that can be put on I'm starting to think this will require a (language) PEP, as ensurepip is going to be involved when we get to this point... |
Another progress update:
In related news, I now have a prototype implementation of an approach that lets pip manage arbitrary environments1. At the moment, it's just a proof that the idea works, there's still a lot of work to do on the UI and on testing it. This is somewhat orthogonal to the proposal above, as if we make "shared pip with Footnotes
|
FWIW, this is extremely close to the pip-cli model that we'd discussed in another issue. (I think about deprecating the various script wrappers) |
It is, yes (#3164 to be specific). The main difference is that we'd want |
While we are brainstorming, something comes to my mind... would it make any sense for
|
... or do an editable install of pip. |
I'm not keen on an editable install. It feels like a misuse of the feature. |
I’m reading this all and it’s still unclear to me what exactly we want the experience to be for a standalone pip. My two cents: Let’s not think about all the ways the standalone pyz can be used to change/improve things until we have it working and working well “in the wild”. Ensurepip, the CLI script and everything else can be changed later and certainly is not needed for a first iteration. Beyond that, I don’t think we should be changing the way In other words, I’d like us to be cautious and not get ahead of ourselves here. Let’s start shipping a pyz file, that folks can download and use. Once we get feedback of all the fun ways it’s broken and we fix those, then we can start thinking about if/where it makes sense to use it. The things mentioned in the most recent comments are all things we can only change once we have a polished experience for using the standalone mode. |
Yes, and we explicitly tell people to not do that. I actually have been wondering if we should remove the root-is-purelib style functionality from wheels entirely; when we do a follow up with compression improvements. |
That makes sense. IMO, the remaining steps to get the pyz shipped are:
I won't merge any of this until @sbidoul is finished with 22.2. My target is 22.3 for the zipapp to be made official.
Things that come to mind as rough edges:
I know. Ensurepip (and get-pip) are special cases. And unsupported hacks as a proof of concept are OK 😉 TBH, once we have a supported zipapp version of pip, a lot of the complexity in I do think it would be extremely useful to do some of the brainstorming around this1 (do we drop the versioned commands, what do we do about the unversioned pip command, can we reduce the footprint of what pip puts in a virtual environment, etc) but issues are a lousy way to do it. Face to face is good, but very hard to organise (even via video calls). Maybe some sort of shared design document that can be edited "live"? I don't know, TBH. Footnotes
|
Is step 3 the only thing missing at this point? https://bootstrap.pypa.io/pip/pip.pyz exists and seems to be getting updated with pip releases, so can it be relied on at this point? |
Yes. |
There is documentation here. The only question IMO is whether we are ready to remove the “experimental” status. Should I do that for 23.1? |
I just find a tool https://github.com/sourcesimian/pyBake , which can bundle a python project to to single python file. I give try it locally and looks like it working fine without any modification (except change vendor import path to the package). Don't know if you are instersted in shiping a bundled single pip.py file (little like what we did in get-pip), this also simplify the vendor development step |
With the documented approach for a standalone copy of pip, I don't think there's more to do here. We can remove the experimental label when we have some evidence that there's sufficient downloads/usage to justify that. |
Are download stats available for bootstrap.pypa.io? If not, then I'm not sure how we'd be able to determine this (so I'd be more inclined to just declare it as no longer experimental in 23.2 and be done with it). |
We are planning on using the |
Actually, it occurred to me that we may even be able to do this right now. I put together a very simple proof of concept and it seems to work. If you put the following script alongside a "lib" directory with pip installed into it (
pip install pip --target lib
) but with thebin
andpip*.dist-info
directory removed (so the bundled pip isn't visible inpip list
) then it can be run from any Python interpreter to effectively act as a copy of pip in that environment.I don't think it would take much to turn this into a viable "standalone pip" application (I'd mostly just want to set up an executable wrapper for Windows). I've done some very basic testing - this would need a lot more real-world testing to make sure there aren't any problem edge cases, but it basically seems to work.
Originally posted by @pfmoore in #11223 (comment)
For now, this is just a placeholder to discuss whether we want to do this at all, or how we'd distribute it. The main point here is that with a script like this, there would no longer be a need to install pip in every virtual environment.
One thing we'd have to work out is what tools assume that pip is available in every environment. I'm thinking of environment managers and IDEs, like nox, or VS Code. The ecosystem implications here are likely to be more complicated than the technical issues. Maybe we need to start with a heads-up discussion on Discourse? But before we do that I'd like to make sure the pip committers are all on board with the idea...
The text was updated successfully, but these errors were encountered: