[issue37107] ensurepip --upgrade doesn't change the version of pip used by venv

Petr Viktorin report at bugs.python.org
Mon Jun 10 05:44:19 EDT 2019


Petr Viktorin <encukou at gmail.com> added the comment:

Please don't forget that it is possible to use venv without PyPI.

With my Fedora hat on: as a distro, we don't trust PyPI as a package delivery infrastructure. Lots of users do, and we allow the users to easily but explicitly opt in to trusting it by running "pip install". (In the same way, we don't trust rubygems, npm, CPAN, hackage, etc. -- there are too many, and PyPI is not special.)

Changing venv's existing `--upgrade` option to start installing from PyPI is problematic. We'd probably need to patch it out, creating an inconsistency between the distro and upstream: it would not do what `python3 -m pip install --upgrade pip` does.

ISTM, the proposed semantics aren't consistent: "venv --upgrade" would not match what "pip --upgrade" does: it would do what "pip install --upgrade pip" does. The latter needs an extra argument, explicitly saying *what* to upgrade. Making "pip" implicit makes sense for "ensurepip", but not for "venv".

Also, in my view, "network" should not be used as a synonym for PyPI (outside pip).

Could we instead make `venv --upgrade` print out a warning, saying that it upgrades Python, and to upgrade pip you should `python -m pip install --upgrade pip` instead?

---

> Unless you're using a Linux distro Python that has been patched
> to inject the external pip installation with rewheel or dirtbike,
> getting a venv that uses the externally updated version of pip
> requires running
> `python3 -m venv --system-site-packages --without-pip ...`.

FWIW, "rewheel" is no more: Fedora now distributes the wheels themselves, and patches system ensurepip to look in /usr/share/python-wheels/.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue37107>
_______________________________________

