[Python-ideas] More "ensure*" packages

[Paul Moore]

On 14 August 2015 at 17:41, M.-A. Lemburg <mal at egenix.com> wrote:
>> pip has decided to vendor requests to avoid issues like this. It's unfortunate, but it is the best
>> way to ensure that you can update requests securely even if you get a broken version.
>
> Right, and so the question is not so much: "do we want ensure to
> install requests (and all the other pip and requests dependencies) ?"
> but rather: "why not expose those bundled version as top-level installs ?"

It's important to note that pip vendors the modules it does for a
number of reasons - one, to ensure that they are always available, two
so that there's no circular dependency (we need requests available to
upgrade requests), and three, to ensure we have a stable, tested
version (so that we don't have to field "pip is broken" bugs where
someone has an in-development version of requests installed, for
example).

The first of the above two reasons is one that could be handled by
ensure making these dependencies available at the top level, but the
second and third advantages would be lost if that happened.

We have had enough issues raised with pip because users have problems
with the system OpenSSL installation (which we have to depend on, and
which we can't control) that I, for one, would be reluctant for us to
expose ourselves to yet more potential issues in the same vein.
(Albeit much less likely to occur, as the circumstances which would
cause a problem are pretty unusual).

And someone would need to audit all of the uses of (currently)
vendored modules in pip, to verify that if they were made top-level
dependencies, they could upgrade themselves in place without (say)
importing a previously unused sub-module after the uninstall had
occurred but before the subsequent install. And keep that audit up to
date as changes occur with pip to ensure no problems are introduced
via new PRs.

Paul