#pip

what version did pip start supporting self-referential extras? e.g.

[project]
name = "pkg"

[project.optional-dependencies]
all = ["pkg[a]", "pkg[b]"]
a = ["..."]
b = ["..."]

I'm disappointed I don't know the answer to this question off the top of my head as the pip issue tracker stalker I am :p

I'll go check.

probably with the resolver if I had to guess

pip 20.2 and before simply ignore the [self-referential] extras (only testing 20.2, since I'm on macOS 11)
pip 20.3 to 21.1 fail by looking at all older, online versions
pip 21.2 & 21.3 work correctly.
from @willow flicker https://github.com/pypa/pip/issues/10393#issuecomment-941885429

so I guess support was unintentionally added in 21.2, unless I'm missing the issue where support is made official?

thanks!

I can't find a changelog entry mentioning self-referential extras so technically it was just the byproduct of some other resolver changes

I want to document this in Hatch, so to be safe https://github.com/pypa/pip/issues/11296

good call 👍

Hey folks, I'm doing a write-up of how people can test the new truststore feature to give us lots of data points. Unfortunately there's a chicken and egg scenario at play! If someone can't install pip and truststore from PyPI because they have a corporate proxy certificate how do they receive the update safely without having to manually do a bunch of stuff.

Unintentional in the sense that we didn’t explicitly knew we fixed it, but self-referential dependencies is something that should just work with proper dependency resolution, so some fix in the resolver did the job

oh that’s me!

Quoting myself from work Slack:

pip install -U pip has been the solution of so many installation problems; it’s the “have you tried turning it off and on again” of Python

:)

@shy echo re https://twitter.com/pradyunsg/status/1551904256743145474?t=7X1A_DIRjjwAmHT-tGUwqQ&s=19

What about it? :P

I was surprised to see support was already there! I tried it out and found

https://github.com/pypa/setuptools/issues/2816#issuecomment-1154370948

Newer versions of setuptools have it. :)

Whaaaat

Check the end of the issue.

https://discuss.python.org/t/help-testing-pep-660-support-in-setuptools/16904?u=abravalheri

That wasn't there before 🤣

Yes, but it works with setuptools still -- assuming you have a placeholder setup.py?

Oh yeah with the placeholder

But if you don't have a placeholder it doesn't work

What I'm saying is I don't understand what you're trying to say in your tweet

Not that you are wrong

I'm saying other than this setuptools mess, everything works.

Yeah that's what I thought you meant

The only configuration that doesn't work is trying to do an editable install with setuptools without a setup.py file.

Using flit / poetry or anything else works.

Using setuptools with a placeholder setup.py works.

Yeah it all works great dunno why people are so tilted about it

And, now, with the next setuptools release, even setuptools without a setup.py will work.

I don't know.

I also don't know why they are complaining that python -m build doesn't generate an editable wheel.

I mean maybe you want that in tox

Eg tox might want to build an editable wheel once and install it editiably in different places?

Probably not though

In that case, tox is lacking support for modern Python packaging standards, not build. See also tox 4. :)

Yeah I mean the usecase is what? build an editable wheel then send it over the network somewhere and install it editiably there?

It doesn't make sense.

I mean it's a cool trick

Like, it has paths and stuff, from the machine it was built on.

It's stupid, and the fact that it's a wheel is purely an implementation detail.

Tbh it might work for dask/distributed

yeah so you build an editable wheel on one dask worker then install it into the rest of them

The user will/should never see the wheel.

And, by user, I mean anything that's not a packaging tool -- a build frontend or build backend.

Assuming your workers are all on the same machine, sure.

Otherwise, this won't make any sense.

pickle doesn't work right if they're not all identical

Again, I'm not sure why you want to even try that.

IMO it doesn't make sense to think of "editable wheels" as a thing you want to use ever.

Well

It's a transient file, for pip to get from setuptools/flit whatever to unpack for development workflows.

Anything else related to distribution -- use a wheel that's actually meant for distribution -- AKA wheel -- that actually contains all the relevant files.

Yeah I'm really just trying to work out what Samuel's usecase is

🤷🏻‍♂️

I'd rather wait for a response.

Anyway, I gotta actually go do work stuff now. :P

People are still doing stuff like going all the way to EuroPython and getting up on stage saying urgh packaging what a mess

And I don't get it, it's basically all fixed now was my understanding

People do what they gotta do.

And, the maintainers of Python packaging tooling are doing a poor job of communicating things. It's not that our users are dumb -- you can't know something unless someone tells you about it.

Lightning talk title: "stop saying packaging is a mess"

I think if someone goes out their way to say something is a mess they should at least check if it's still a mess or not

It's a reputation built over decades. It'll take more than a lightning talk to fix it. :)

But, that's a good start.

At pyconuk they banned saying other languages are bad

And it did a lot of good tbh

I sneak some of this into my future talks.

?

"Python packaging is not a mess" or something like that.

OK, I think I have a blog post somewhere about all this.

Oh yes, a local draft with:

# On "Python Packaging is a mess"

Honestly since distribute went away it's been fine

FYI published an article soliciting feedback on the new pip+truststore feature: https://sethmlarson.dev/blog/help-test-system-trust-stores-in-python

Nice! Thanks for doing that!

Is the plan to vendor truststore?

Once we're more certain about the implementation working broadly it'd be good to vendor. We don't want to put any pressure on pip to release sooner to get fixes for our early stage library.

https://github.com/pypa/pip/issues/11038#issuecomment-1140873774 yep I just checked. Sorry I should have done that first

With truststore in would you consider support for hsts no-user recourse?

Eg --use-feature=truststore --trusted-host=whatever seems like a bigger foot gun than just --trusted-host on it's own

Well, there was what felt like a yearlong discussion to update one guide on packaging.python.org and nobody could agree on anything

I suggested once on the same tracker that setup.cfg is a poor substitute for setup.py and someone asked to see my credentials >.>

There was a time it’s close to impossible to change anything (other than the PyPA specifications) on packaging.python.org; it’s considerably improved recently though

Also question about notifying people, wasn't there a distribution channel for UX improvements and experiments? Is that channel still open or available or is there something like it?

um

there was a mailing list opened for PyPI at some point, that I don't know if anyone ever really used after warehosue launched, and I don't remember if it was specifically pypi or if it was for pypa

looks like it was maybe intended for pypi only

I don't think that channel is widely used enough to be helpful 🤔

https://mail.python.org/mailman3/lists/pypi-announce.python.org/

Yes and no? It's low cost to use it probably, and the only way a channel becomes widely used is to start using it, but maybe we don't really want to use it ever and that's fine too

Speaking of announcements & discussion, I am surprised to see no comments on this discussion topic: https://discuss.python.org/t/towards-a-pip-audit-subcommand-for-vulnerability-analysis-management/17681

Would appreciate feedback or any statement of support from folks here before I start to loop in a wider audience.

I have a draft, that I haven't posted yet. I'll finish that now. :)

IMO, PyPI needs a blog, but maybe a better idea would be a shared PyPA blog for making announcements about projects. Would folks want that?

I actually want all projects to have a per-project blog, on their Sphinx documentation site.

That's something I'm working toward, FWIW.

Just missed this would be nice to have an "important" feed 😄 where user questions can be split from maintainers questions? 😄

Can we have a Packaging-Maintainers and Packaging section in discuss, where new topics can only be opened by PyPA maintainers? 😄 something like that

Why?

Some quick handy examples:

• https://squidfunk.github.io/mkdocs-material/blog/
• https://reactjs.org/blog/all.html/
• https://python-poetry.org/blog/
• https://getdoks.org/blog/

I want to subscribe to get notified of packaging maintainers new topics, but not get spammed with users packaging questions 🙂

from experience with Poetry, you might want to include some sort of RSS, so people can subscribe to it. We often get issues about something not working just because people missed info on blog about new release

I could imagine a per project blog, and then a planet instance that collates them... or just setup a shared blog and let people categorize posts into projects

the latter might be nice because some things span multiple projects

yeah could use labels to mark posts differently

All of these have RSS, as far as I know.

seems like we actually have RSS on Poetry XD didn't even know that

main reason I'd lean towards a shared thing, with tags/categories/whatever is that I think there are two kinds of people:

• People who want to subscribe to all packaging news
• People who want to subscribe to some subset of packaging news

and disjoint blogs makes the first one a lot harder to do

and I suspect the first one has more people in it

FWIW, I don't think it's either/or. My mental model is:

• Have a single "main" blog under packaging.python.org for the first group.
• Each project gets its own blog for doing whatever it wants, which... should cover the second group.

And the main blog would not be for release announcements, but rather things like communicating deprecations, funding, calls for testing etc.

or, the "main" could collect entries from every blog and just repost them

I'm gonna be blunt -- I think that completely dilutes the utility of it.

IMO the main blog is best served as a summariser and major announcements channel, doing things like quarterly newletter style summaries for the community (which would be where we link to the individual project's blog posts) and also serve as places where we make broad wide-ranging announcements that affect users "Distutils is going away in Python 3.12 and here's what you need to know" or "Editable installs are implemented all the major backends in the ecosystem".

Basically, right now, the PyPA does not have a broad communication channel to users. I want these blogs to serve as that.

And, because I'm dumb like that -- I decided to scope this as "Make this possible for the entire Sphinx ecosystem".

I guess I personally don't see a ton of value in every random pypa project having a blog, but I'm also not opposed to projects having a blog if they think it would be useful

Yea, well, they'll have the option to have one -- they don't need to do that.

And, I don't think it makes sense for all of them to have it either.

I would probably suggest the "main" blog might be better off living under pypi.org somewhere, if only because that's the most visible and well known URL that people have to associate with Python packaging, and it wouldn't be hard to throw up a blog.pypi.org or whatever that just auto deployed from some GH repo

TBH, between packaging.python.org/blog/ vs blog.pypi.org, I prefer packaging.python.org -- not least because that's under python.org and also because I'm expecting that when I do come around to this, I'll have the bandwidth to push for a major facelift for all of packaging.python.org as a whole.

(and docs.python.org, but I digress)

(I also dislike the packaging.python.org url altogether, so that may just be bias on my part 😛 and I find the difference between what content is on pypa.io and packaging.python.org to basically be a coin toss on whichever spot someone randomly stuck something at some point)

Broadly though, I don't think there's any value to being under python.org really, and for the vast bulk of programmers they'll never interact with packaging.python.org (and those that do, likely won't once they're experienced), but they will almost certainly interact with pypi.org

Well, that's precisely what I want to change. :P

And, making pypa.io / packaging.python.org clearer is also on my TODO list around all this web presence stuff. Part of the problem that I decided that the first step in that is writing a Sphinx theme, and I keep scope-creeping that.

I don't think you can change the second half of that? Like there's basically no content you could put on packaging.python.org that would make it something the average python dev is visiting regularly. You can certainly clean up the mess between pypa.io and packaging.p.o though

Right now, yea, we don't have much.

I do think we will once we start doing a regular aggregated "Python packaging update" and stuff like that.

(If I had my druthers, we'd just move packaging.p.o to guide.pypi.org or so)

And, I would protest very strongly.

😛

I'm curious why, the way I see it we get basically no value from hanging off of python.org, and it just causes confusion as people bounce through like 17 different locations for things. Like it or not, pypi.org is basically the web presence for python packaging for the vast bulk of Python's users, and anything that directs them off site or lives at a different location tends to feel surprising IME

there's packaging.python.org, pypa.io, pypi.org and pypi.io

it's always been a bit headspinning though p.p.o makes sense historically

There's no pypi.io?

But, the point stands. :)

there is, though it should only be for internal stuff

I don't think we've made any public urls using that

Or, I guess we have not-for-public consumption stuff on {thing}.pypi.io

People depend on it publicly as well 😆

https://github.com/pypi/warehouse/issues/11934

(well, if my memory is correct, we didn't own pypi.org at first, and started out using pypi.io, so maybe there's still some old nonsense running under pypi.io)

First mention on the issue tracker is 4 days old

Yup.

(Using the redirects)

We learned the hard way with Poetry that if you ever let people depend on something, they will scream when you try to fix the thing they never should have depended on

Changing the branch name of poetry-core resulted in multiple people screaming we broke their company's production infrastructure within 30 minutes

Hmm... @hoary mist we ought to not be serving files to pypi.io?

it's relying on the redirect

we should probably kill that at some point

Because they had hardcoded the branch name despite the fact that's an incredibly foolish thing to do

If you do they will scream 😛

Yea, exactly.

 curl -I https://pypi.io/packages/source/d/dask/dask-2022.7.1.tar.gz
HTTP/2 301
server: Varnish
retry-after: 0
location: https://pypi.org/packages/source/d/dask/dask-2022.7.1.tar.gz
content-type: text/html; charset=UTF-8
accept-ranges: bytes
date: Tue, 26 Jul 2022 20:07:54 GMT
x-served-by: cache-ewr18170-EWR
x-cache: HIT
x-cache-hits: 0
x-timer: S1658866074.122264,VS0,VE0
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: deny
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
content-length: 122

it's just a global redirect of pypi.io to pypi.org to deal with the rename from pypi.io to pypi.org when we got adhold of it

Hm... I think we should kill that ASAP.

If you're going to kill it I'd suggest escalating brownouts over a period of months with the reason why in the error response

Unless you want to tell people relying on it in prod that it's their fault and to adapt 😛

yea, we'll probably want to manage the killing of it

We moved from python.pypi.org to pypi.org, and it was only pypi.io for some time before that.

fun fact, we've moved from python.org/pypi to pypi.python.org to pypi.io to pypi.org

that's why you still see /pypi in a lot of the urls

Heh.

https://github.com/pypi/warehouse/issues/2184

Oh yea! I think a lot of people over here empathise with shit like that.

People do all kinds of stupid things, and expect it to work and act entitled when they do things out of contract that break.

Yes, I know hyrum's law. :P

I see you typing @hoary mist.

anyways, somewhat of a diversion. I'm not planning on doing any work on it, so it's not really up to me, but from my POV there's basically a 0% chance PyPI ever moved back under a python.org domain name, for a variety of reasons, but the big one being there's too much garbage on python.org that could be used to attack PyPI.

Given that, and given the fact that for most python devs, the action they visit the web for the most related to Python packaging is to look something up on pypi, I think that for the bulk of people, whatever URL PyPI is at, is their web interface to python packaging whether we like it or not, and we can either embrace that or we can fight it and add additional friction for those users (though obviously not world ending friction or anything).

Oh yea, I don't definitely want PyPI to move under python.org.

https://twitter.com/textfiles/status/1551719722064003072

Yea, I don't think you did, I was just establishing that as fairly immutable fact, since my premise is that I think there's benefits to unifying these things under a single web presence 🙂

are we going to release this fix soon? https://github.com/pypa/pip/pull/11298

I love this new version prompt, looks so nice 😄 @shy echo

So many colours

it shouldn't mislead new users when they encounter installation errors now

Needs more emojis

nO.

🧐

fish + starship is a nice combo

I use xonsh + starship, love it 🙂

This old man has no idea what you're both talking bout 😮

shells: https://github.com/fish-shell/fish-shell | https://github.com/xonsh/xonsh
prompt: https://github.com/starship/starship

You only use bash? 👀

I use starship and zsh, starship is nice

... should we move to #off-topic btw?

it's just a prompt written in rust instead of in a bunch of crazy shell scripts

are we going to release this fix soon? https://github.com/pypa/pip/pull/11298

soon, yes

and this is how it looks on GitHub Actions! 🦓 😅

Yay! It all works on other people's computers!

And, I appreciate the positive feedback. ^.^

also looks good in my local (iTerm2 + liquidprompt)

GHA supports color, though. 😦

yeah, but it's not a tty so most tools rightly don't auto-enable. need to use something like FORCE_COLOR. hopefully Rich will add support soon: https://github.com/Textualize/rich/issues/2425 🤞

Is there any way to hook into "This is likely caused by a bug in x. Report this to its maintainers. Installation Failed"

I want to be able to flag that my sdist won't build because the platform is unsupported

Eg this issue https://github.com/MagicStack/uvloop/issues/483

I don't think there's anything different you can do. If you have suggestions for changes to the generic message that pip's printing, I'd be happy to hear them!

Just wondering loud, perhaps we could use a special string (like heredoc) to communicate “this is an expected failure, just show strings between the markers instead of a full traceback”

@lunar gyro Anything about pip's sysconfig location logic, that I should not move to installer? I'm thinking of synchronising the two, and start looking into making pip use installer at some point.

Nothing you shouldn’t move, I think. There are things that probably don’t need to be copied (e.g. the weird special cases pip keeps for compatibility)

apropos of nothing: does pip make any guarantees around the handling of "yanked" releases between multiple indices? for example, if a third-party index is specified ahead of pypi.org and marks foo==1.2.3 as yanked, will pip honor that marker or will it attempt to install the non-yank-marked version from pypi.org?

metadata from index A does not confer to index B

pip basically generates a list of files, and each file has metadata attached to it, from the index it is associated with

I appreciate pip trying to give a nice error, but it's wrong in this case:

WARNING: Skipping page https://pypi.org/simple/setuptools/ because the GET request got Content-Type: Unknown. The only supported Content-Types are application/vnd.pypi.simple.v1+json, application/vnd.pypi.simple.v1+html, and text/html
ERROR: Cannot install setuptools>=40.8.0 because these package versions have conflicting dependencies.

The conflict is caused by:
    The user requested setuptools>=40.8.0
    The user requested (constraint) setuptools==65.0.0

To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict

ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts

This network flakiness is hitting 50% or so of the cibuildwheel Azure CI runs in the last week or so.

I wonder if pip could provide a custom error if no versions were resolved, instead of saying the constraint caused it?

is this also a warehouse bug? or some cache eviction problem?

This is a (known?) Warehouse bug but the error message is still off. There are already some special case errors but apparently this is not covered 🙂

If you're able to reliably hit that, I would be interested in getting the content of that response

Is there a consistent way to reproduce this error?

It was happening fairly often (50% of the time or so), but now it seems to be happening less. Last few PRs didn’t have a problem.

If you can run pip with max verbosity and with --debug, that might provide more context?

What's the most user-friendly place that explains pip installing extras / optional dependencies?

I don't think we have good docs around that. The only major mention I see is https://pip.pypa.io/en/stable/reference/requirement-specifiers/#overview

Greetings! I'm wondering if the following is supported by --index-url file:///path/to/folder
I have a /path/to/folder where every subfolder is a pip installable directory with setup.py,cfg and a pyproject.toml. Can I tell pip to treat this folder as an on disk index? It seems to search for an index.html

hi @shy echo 🙂

For context, I have a monorepo containing both applications and libraries. I want to formalize how the internal libraries are hosted by defining a folder to serve as a index for a flat list of libraries and I want said libraries to refer to each other by name (not by path).

👋🏻

Index URLs (and find-links) expects distributions files (i.e. sdists and wheels) as the references, so... I don't think you can do that.

I seem to recall there’s a hack for that. Try --index-url path/to/folder

yeah, except the folder must have subfolders named after normalized package names, each containing an index.html per PEP503 and all files under the subfolder should be tar.gz and whl

Ah right, I think only find-links can be real flat directories

I guess a generator would be useful, static site generator but instead of blog it creates a Simple API index

Simpleindex does this but it’s dynamic https://github.com/uranusjr/simpleindex

I was gonna say: you can probably write a plugin for simpleindex, that does what you want.

The built-in path route should support this

[routes."{project}"]
source = "path"
to = "/path/to/containing/directory/{project}/"

Well, that won't deal with not-normalised names tho?

Not a problem unless you’re doing something weird. pip normalises the package name when making the request and this is mentioned in PEP 503

Repositories MAY redirect unnormalized URLs to the canonical normalized URL (e.g. /Foobar/ may redirect to /foobar/), however clients MUST NOT rely on this redirection and MUST request the normalized URL.

Right, but the folders don't have normalised names TP!

(I'm guessing)

Just run a script once to create symlinks and get on 🤷‍♂️

XD

@glacial meadow ^

:P

But I think if you’re maintaining a repo anyway it’s probably worthwhile to just generate those index.html instead (and maybe use CI or something to keep them in sync)

You see the problem is - I must have .tar.gz or .whl as links in the index.html
I've been trying to avoid it somehow...

Maybe a better questions to ask would be - do you have any examples of a Python mono-repo that contains a collection of libraries that may have dependencies on each other and how these dependencies are expressed in metadata

Hmm... is there a syntax that would let me say
/ libraries
/ foo
/ moo

and in foo metadata I want to say "foo depends on moo", so that when I pip install foo it installs moo too

I don't seem to find any way to do it via setup.py / setup.cfg or pyproject or even with poetry. To be more specific https://python-poetry.org/docs/dependency-specification/#path-dependencies gives me an invalid URL and I also found https://peps.python.org/pep-0440/#direct-references but it looks a little crazy

I must have .tar.gz or .whl as links in the index.html
What’s wrong with href="./mypkg-1.0.tar.gz"?

I don't seem to find any way to do it
Hatch allows this, see "Tip" in https://hatch.pypa.io/latest/config/dependency/#local

the problem is that he doesn't have source distributions generated

he just has project folders from which you can build those

I'm guessing he would maybe want the index to auto-build those on request? I'm not sure on that

Ah so it’s just a collection of source trees? I know Frost (maintainer of pipenv, pdm etc) is working on something for this use case. Never had a chance to try it myself tho https://github.com/frostming/monas

We made an issue about the occasional error: https://github.com/pypa/cibuildwheel/issues/1254 - it may be related to running our tests in parallel.

This has been happening occasionally since a while ago but nobody’s been able to pinpoint the actual cause yet https://github.com/pypi/warehouse/issues/12088

pip is doing what it’s supposed to do (rejecting a response with incorrect Content-Type) but something is broken in PyPI and it sends an invalid response from time to time

I wonder if it would be helpful for pip to print more content, like the entire header or something like that.

Adding it to -v is probably a good idea

Yea, that is what I was thinking.

being able to see all the headers an even the response body would be amazing

is there any interest in combining --prefix with --platform, --abi, --implementation, and --python-version?

I am attempting to use pip to create a venv for a different interpreter version, and one sticking point is that I can only use these versions with --target

I can set that to the platlib/purelib of the venv, but I don't get scripts as a result (looks like they get thrown away)

No, but there's a new --python flag to manage packages associated with a different executable on main.

I guess, I shouldn't say no, but no one has expressed interest in diving into that specific can of worms. :)

for the same reason as pypa/installer, I'd advise against this

IMO passing the correct interpreter is by far the best approach

--python does seem like the long term path forward -- I was only looking at released versions of pip and thus did not encounter it

is it possible use PIP_CACHE on a distributed file system (like, s3 storage on databricks' dbfs) to save on pypi download bandwidth?

you could use a FUSE mount

like (if on k8s) https://github.com/ofek/csi-gcs

When is next pip release planned?

sometime in October, see https://pip.pypa.io/en/stable/development/release-process/#release-cadence

Thanks, missed it somehow

fyi https://github.com/twisted/twisted/pull/11656#issuecomment-1282855123

Yea, needs the packaging release.

:/

Perhaps something for the pip team to check? https://github.com/python/cpython/issues/98682

https://github.com/mesonbuild/meson-python/issues/186#issuecomment-1296840092

Did the expectation change about pip supplying setuptools under pep517 if no build backend is indicated?

I'm no longer able to build mercurial without setuptools pre-installed.

https://gist.github.com/c1617d9179a4e390296d5fc469742e27

Can you try 3.9? There’s a bug specific to Homebrew-distributed 3.10 regarding build isolation

Ah, yes. That works.

https://github.com/pypa/pip/issues/11053

Thanks.

This may fix the issue https://github.com/pypa/pip/pull/11598

Confirmed that fixes the issue: https://gist.github.com/c1301b607507706fc276df134374e30e

Are there any plans for pip to support reading certain configuration settings from pyproject.toml? I'm thinking specifically about --index-url, --extra-index-url, --trusted-host, possibly others, and disabling pypi.org.

Not at the moment, partly because no one has asked for it.

If they have, then I haven't seen it yet. 😅

I was thinking along the lines of what PDM does: https://pdm.fming.dev/latest/pyproject/tool-pdm/#specify-other-sources-for-finding-packages
and extrapolating to other tools (e.g. hatch) which require you to configure these as pip environment vars in your pyproject.toml. Rather than [[tool.pdm.source]] which is of course PDM-dependent, it seems like this could be one simple area of standardization. If pip doesn't currently support this, maybe it shouldn't even be [[tool.pip.source]] since it's possible for other mechanisms to be used.

I haven't really thought about this in much depth, but it would be helpful for bringing more things to pyproject.toml. E.g. the envar settings for hatch are less optimal, IMHO.

pip already supports configuration files, I wonder if it makes sense to support $PROJECT_DIR/pyproject.toml where $PROJECT_DIR is user supplied (e.g. pip install --project=.). This same $PROJECT_DIR value could also be used in say, requirements file.

Is there a way to have stable links to a specific version of https://pip.pypa.io ? the switcher only allows stable and latest and trying to guess the url with a version in it also didn't work

You can see all available versions here: https://readthedocs.org/projects/pip/versions/
Looks like latest and stable are the only available versions

that's a pity, thanks anyway

Any specific reason you want that?

mixture of stable links to doc section headers and a bit of archeology what pip version had which behaviour

You could build the docs fairly easily, if you're willing to write a script that clones the repo and checks out tags and runs sphinx-build docs/html build/html/{version}/

yep the nox task is also really nice :)

Project I came across that might be useful during that archaelogy: https://github.com/steinwurf/versjon. Haven't used it, can't specifically vouch for it, but might make version-switching among local builds easier.

Hey folks, regarding truststore: is there any appetite for switching to using the library by default (vendoring and using truststore+certifi on Python 3.10+, on 3.9 or earlier fallback to only certifi)? The library currently is still marked as experimental, but with the go-ahead that we'd be used by pip we would push to make the library "stable" (which from an API-POV it already is)

I'm hitting a cycle; any docs on how to debug?

docker run --rm -t python:3.8 bash -c "git clone https://github.com/DataDog/integrations-core;cd integrations-core;pip install -e ./datadog_checks_dev[cli]"

https://github.com/DataDog/integrations-core/pull/13477 but no idea why that works

is there a way to instruct pip to install a universal2 wheel instead of x64/arm?

Not at this time, no.

alright, thanks

OK, I guess you could pass in that wheel directly; I'm guessing that's not what you wanted tho. :)

Could combine with pip download to do it fully from cli I imagine?

@shy echo, any chance we could get a patch release of Pip with https://github.com/pypa/pip/pull/11598? I'm seeing a number of issues on projects about homebrew Python not being able to build anything but setuptools packages. Given I'm heavily involved in trying to provide PEP 517 replacements for setuptools, it's very damaging to have PEP 517 builds broken (but setuptools works). It affects things like hatchling, meson-python, scikit-build, cmake, ninja, pybind11, ... (though it disproportionally affects binary builds of packages, since it's easier to provide a wheel for pure Python to avoid the source build)

Current workaround is to always provide binary packages or use a virtualenv. I don't think homebrew's pip can be patched to include this, because then pip install -U pip would revert to the broken pip.

While we're asking for new pip releases (and I know it's the top of the dependency stack), I would really like to get back to removing old APIs in Python 3.12, but need this to be resolved first: https://github.com/pypa/setuptools/issues/3631

File an issue? Paul's the RM for this cycle; and he's pretty hesitant to cut a release.

(last I checked)

Reg 3.12... @twilit mantle I'm not sure what to do to help move that forward TBH.

Scratch that, I'll file this issue.

Thank you!

Trying to line up my EOY-nobody-at-work hacking project, so it's either that or https://rustpython.github.io/ !

FWIW, how bad is waiting for a couple of weeks or so for the pip release at this point?

We're gonna cut one in Jan, and I've got a bunch of "ugh, hack" removal plans for the next little while.

Naw it's all good. It's a blocker and yes, I would like to make more progress on the CPython work, but not at the expense of putting unplanned or hacky work on your plate.

Does pip use any of those deprecated APIs, aside from pkg_resources? We are transitioning away from that module entirely and the file is only kept for compatibility. If the usages are all in pkg_resources, we can add a check to ensure the compat code path is never reached on 3.12 to prevent crashes.

https://github.com/pypa/pip/pull/11661

how brave it would be to use a pinned extra that locks dependencies so users that want to the exact versions that were using during testing of that package instead of the relaxed ones? Is that doable?

It's... fine.

As long as its not pinned by default. At that point, airflow-style constraints files aren't a bad idea either.

One of my concerns is that current I use pip-compile to keep track of the pinning, as pip-tools is not able to update pyproject.toml file, so I would have to add a feature in pip-tools to be able to update pyproject extra deps... not really a single day job.

(-c URL)

it would be so awesome if python packaging would be able to include lock files.

Yea, one day. :)

yep, I was considering getting them from the URL but the problem is that I do not know the exact version. Dependabot would not be able to update my URL. I would have to do some ugly hacks to parse a lock file, extract pinned version and set an envvar, ones that later I would use inside tox to set the constraint file.

At this point the chain start to look as something over-engineered and likely to break.

I'm not too keen on this living in pip-compile TBH.

I can understand why. Btw, thanks for the the ideas.

You can always make extras list a dynamic field and then you can just read lines from the requirements file and dynamically set extras list. Unless you're using flit or some other backend that doesn't allow dynamic metadata

+1 but the fate of PEP 665 doesn't give me too much hope

I am using setuptools-scm ... not sure if that allows it.

setuptools-scm is just used for generating version number for your package, deps don't matter

You can just read requirement files in setup.py and declare extra deps dict from there

+1, and if there's more to discuss, #setuptools_scm plz. 🙈

In other pip news... https://mastodon.social/@pradyunsg/109562673145962201

(I think #general will probably make more sense since it doesn't seem related to setuptools-scm)

(but yeah, should not discuss it here :))

Hmm, I don't like it

Tell me why on Mastodon, if you have an account plz. 🙈

Will do

Thank you! ^.^

Will save it for later

hey, I am writing a parser for PyPI API, basing it on pips parser. does anyone know how why this parser looks for base tag? it doesn't look like something from Simple Repository API PEP 503. Is it some legacy stuff or am I missing something?

What line are you looking at?

Ah, sorry, forgot to put the link: https://github.com/pypa/pip/blob/c4566c6c828fa7b41f5656d30c6375a494d73ded/src/pip/_internal/index/collector.py#L299

I mean, I could guess what it is from the code, but this doesn't look like any PEP/spec I have seen, so I don't know if it's me missing something or pip doing something for legacy reasons or sth

~Legacy reasons for sure.~ I was wrong, it's HTML weirdness.

Great

https://github.com/pypa/pip/commit/6697d7e3d5b5a6950dfbb831823062523e871489

#19 is likely a reference to ianb's bitbucket, rather than GH.

IIUC, it's for compatibility with the HTML spec.

Since HTML supports setting a base tag that changes how URLs are resolved.

So, I guess I'll retract what I said earlier -- it's not legacy reasons but "HTML is a bad data exchange format" reasons. :)

The warnings here are quite confusing:

Collecting multidict==6.0.4
  Downloading multidict-6.0.4.tar.gz (51 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 51.3/51.3 kB 717.9 kB/s eta 0:00:00
  Installing build dependencies ... done
  WARNING: Missing build requirements in pyproject.toml for multidict==6.0.4 from https://files.pythonhosted.org/packages/4a/15/bd620f7a6eb9aa5112c4ef93e7031bcd071e0611763d8e17706ef8ba65e0/multidict-6.0.4.tar.gz.
  WARNING: The project does not specify a build backend, and pip cannot fall back to setuptools without 'wheel'.
  Getting requirements to build wheel ... done
  Installing backend dependencies ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: multidict
  Building wheel for multidict (pyproject.toml) ... done
  Created wheel for multidict: filename=multidict-6.0.4-cp310-cp310-linux_x86_64.whl size=113460 sha256=9df21d0f626349e99094ca79f4edb9257de4141c4491220089a1d7fef83f43be
  Stored in directory: /home/ubuntu/.cache/pip/wheels/ae/d2/13/61a3897335dd417ee80bcf70d39fea8eda1f7761d28d5547f5
Successfully built multidict

for a project with this configuration:

[build-system]
requires = ["setuptools >= 40"]

when running pip install multidict==6.0.4 --no-binary multidict in a venv that has latest versions of pip and wheel.

I can report this on the issue tracker but I'm not yet sure what the message is trying to say here.

Pip is trying to tell you to specify a build backend in project.toml so it can do a pep517 build, or to install the 'wheel' package so it can run setup.py bdist_wheel

wheel package is present

that's what's so confusing about it to me

As for specifying the build backend, I do agree it should be there and made according PR to multidict lib, I was just wondering if this warning could be improved in some way.

Hm, indeed. That's confusing because it is building anyway.

unless it's that rare case of where you would actually need wheel in build-system.requires (assuming that for whatever reason you don't want to specify build-system.build-backend

yeah, that too

Yea, that warning can be removed now.

setuptools injects that nowadays and we don't have any semantics to "pick older version" for build backends anyway.

should I just drop wheel from here and keep the warning? It would seem that we would still want to make sure that setuptools>=40.8.0 is installed in the environment but can skip wheel since setuptools will inject it if it's present
https://github.com/pypa/pip/blob/c4566c6c828fa7b41f5656d30c6375a494d73ded/src/pip/_internal/pyproject.py#L159-L173

wheel was returned by get_requires_for_build_wheel even in the initial implementation of pep517 (https://github.com/pypa/setuptools/commit/b59076e9f12c295aca42927f2a544e46fd31f386) so it should be fine

Perfect.

is there a way to just call pip dependency resolver and get a resolution, without actually installing all the packages? or alternatively, is there a way to get timing numbers just for the resolver? -vvv didn't say anything

--dry-run + --report

that's perfect, thank you!

Am I remembering incorrectly, or is there now a command in pip now that I can run to do a resolve w/o doing the actual download/installation of a project (or at least its dependencies)? I'm asking as I would like to know if I were to say py -m pip install --platform any --python-version 3.11 --implementation py --abi none --only-binary :all: to check if a certain package will only pull in pure Python wheels? (Otherwise I will end up needing to write a custom resolver, I think.)

  --dry-run                   Don't actually install anything, just print what would be. Can be used in combination with --ignore-installed
                              to 'resolve' the requirements.

?

using --dry-run with --report might be useful too

if you are okay with only wheels being considered, https://github.com/FFY00/python-resolver does this

sdist support is a bit trickier

this package is very early btw, so beware

I'm not only okay with it, it's all I want. But I only want pure Python wheels considered.

I'm getting some odd errors when trying to just do the resolution: PIP_REQUIRE_VIRTUALENV=0 py -m pip install --dry-run --report --only-binary=:all: --implementation=py packaging says ERROR: When restricting platform and interpreter constraints using --python-version, --platform, --abi, or --implementation, either --no-deps must be set, or --only-binary=:all: must be set and --no-binary must not be set (or must be set to :none:).; Since I set --only-binary I don't see what I'm doing wrong here. And this is after I got odd errors when setting --abi none and --platform any as well.

Yeah, something odd is going on. PIP_REQUIRE_VIRTUALENV=0 py -m pip install --dry-run --report --only-binary=:all: markupsafe says it will install MarkupSafe-2.1.1.tar.gz which is not a wheel.

(This is with pip 22.3.1 and 3.11.0 .)

FWIW, I attempted to reproduce the above in a fresh Conda environment on Windows with just python=3.11 using the same pip 22.3.1, Python 3.11.0 and invocation, except without --report (and with python instead of py in a Conda env), but I get the desired result:

$ python -m pip install --dry-run --only-binary=:all: markupsafe
ERROR: Could not find a version that satisfies the requirement markupsafe (from versions: none)
ERROR: No matching distribution found for markupsafe

However, if I include --report, I get the error ERROR: Could not install packages due to an OSError: [Errno 22] Invalid argument: '--only-binary=:all: . This happens no matter how I try to quote the argument, with either single, double or no quotes around either the value or the whole arg, and occurs on both Git Bash and the default cmd.exe. The -vvv output immediately preceding the error was:

Using cached wheel link: file:///C:/users/c.%20a.%20m.%20gerlach/appdata/local/pip/cache/wheels/96/ee/62/407c247ad088bcb67b530ba3ac1479058c58a651bd6bf09a1f/MarkupSafe-2.1.1-cp311-cp311-win_amd64.whl
Collecting markupsafe
  Using cached MarkupSafe-2.1.1-cp311-cp311-win_amd64.whl
  Added markupsafe from file:///C:/users/c.%20a.%20m.%20gerlach/appdata/local/pip/cache/wheels/96/ee/62/407c247ad088bcb67b530ba3ac1479058c58a651bd6bf09a1f/MarkupSafe-2.1.1-cp311-cp311-win_amd64.whl to build tracker 'C:\\Users\\C. A. M. Gerlach\\AppData\\Local\\Temp\\pip-build-tracker-mo6ff3ks'
  Removed markupsafe from file:///C:/users/c.%20a.%20m.%20gerlach/appdata/local/pip/cache/wheels/96/ee/62/407c247ad088bcb67b530ba3ac1479058c58a651bd6bf09a1f/MarkupSafe-2.1.1-cp311-cp311-win_amd64.whl from build tracker 'C:\\Users\\C. A. M. Gerlach\\AppData\\Local\\Temp\\pip-build-tracker-mo6ff3ks'
Created temporary directory: C:\Users\C. A. M. Gerlach\AppData\Local\Temp\pip-unpack-wc80ve6r
WARNING: --report is currently an experimental option. The output format may change in a future release without prior warning.
ERROR: Could not install packages due to an OSError.
Traceback (most recent call last):
  File "C:\Miniconda3\envs\py311-env\Lib\site-packages\pip\_internal\commands\install.py", line 415, in run
    with open(options.json_report_file, "w", encoding="utf-8") as f:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 22] Invalid argument: '--only-binary=:all:'

Looks like a bug in argument parsing, the code thinks --only-binary does not take an argument (it should)

Oh I see the issue; --report also needs an argument:

  --report <file>             Generate a JSON file describing what pip did to install the provided requirements. Can be used in
                              combination with --dry-run and --ignore-installed to 'resolve' the requirements. When - is used as
                              file name it writes to stdout. When writing to stdout, please combine with the --quiet option to
                              avoid mixing pip logging output with JSON output.

So when you do py -m pip install --dry-run --report --only-binary=:all: markupsafe it tries to interpret --only-binary=:all: as the output filename and fails. You need something like py -m pip install --dry-run --report=- --only-binary=:all: markupsafe (dash reports to stdout)

I can confirm that works, and I get the expected ERROR: No matching distribution found for markupsafe. Not sure about @lost hawk though, since he got different output from me on otherwise the same versions, invocation and platform.

When sending report to stdout you need --quiet too, because pip also logs partly to stdout.

Also keep in mind that --implementation, --platform,--python-version won't do what you expect if dependencies use environment markers (https://github.com/pypa/pip/issues/11664).

Especially since the --report flag is still tagged as "experimental", maybe worth improving the UX there by directing all log output to stderr when --report - is passed?

I don’t think it’s that worthwhile, if you want to redirect the output to a file you can just do that, if you output to stdout the format isn’t that critical since it’ll very likely be read by humans

Problem is that the report output on stdout gets mixed with pip logs. Actually pip logs should all go to stderr, but that's considered a breaking change, so not easy to change.

BTW, last bit needed to declare --report output stable is https://discuss.python.org/t/draft-pep-amendment-to-the-pep-610-direct-url-json-data-structure/22299

Oops, that was a typo—I meant all log output to stderr, not stdout

question: https://github.com/pypa/hatch/issues/701#issuecomment-1374874915

I don't know why virtual environments are sometimes on macOS getting scripts with a shebang #!/bin/sh and at other times properly with the virtual environment's Python

There's an OS level limitation on the length of the shebang, IIRC.

Or, maybe that's on some Linux systems?

Regardless, I'm 80% sure that's what's happening here.

oh that's why there's that weird long exec line

Yeah

😢

https://github.com/pypa/installer/blob/40be3febf76ec816a37c4b24165cc0a323576834/src/installer/scripts.py#L53

Is not pip, but similar/same logic IIRC.

oh it's due to spaces...

:)

wow there's so many layers to this particular issue

and now I understand the actual reason he says tox works: by default the current directory is used for storage and that user path is unlikely to have spaces on macOS

Yea, try adding a space to cwd and seeing if that fails.

(in docker, or MacOS)

Thanks for the help everyone! It looks like py -m pip install --quiet --dry-run --ignore-installed --report=- --target=/tmp --only-binary=:all: --implementation=py --abi=none --abi=any debugpy --python-version="3.11" packaging gets me what I want (a way to easily tell whether a package would even install for WebAssembly use); bonus is the JSON output means I can also log any of the dependencies as safe as well! (Drawback is it means work doesn't need me to write a custom resolver for this which would have gotten me work time for packaging.metadata 😉.)

One cautionary note: that doesn't handle/affect the marker evaluation environment

@lost hawk ^

So it's not an actual resolve then? Does it just throw out the markers and resolve purely on the package and version constraints (and so would try to resolve a macOS-only dependency)?

It uses the environment markers as inferred from the running interpreter.

https://github.com/pypa/pip/issues/11664

Darn/good, depending on whether you want me to have more work to do for WebAssembly or to help move lock files forward 😉

LOL

I think we need an environment-specification file for pip and implementing that + deprecating the existing filter flags might be the best mode of doing this -- i.e. this doesn't affect lockfiles but does affect pip's ability to generate certain lockfiles.

That's my next module for mousebender. Once we have packaging.metadata, I want to create a resolver where you pass in the marker/platform details and whether you want the most specific or compatible wheel file (and probably newest or oldest dependency). That way the resolve can be done for any platform on any machine. I have a topic on discuss.python.org where I asked about what platform info is needed specifically for this use case. If we end up wanting to standardize on a JSON format for storing such platform info I'm happy to help with that once I get to that stage

packaging.metadata looks promising

sounds like what I'm doing in my Bazel rules. I define target environments, then use those in conjunction with a Poetry or PDM lock file to generate a Bazel build file that uses Bazel's own multiplatform features to select appropriate dependencies at runtime. For example: https://github.com/jvolkman/rules_pycross/blob/main/examples/pdm/BUILD.bazel#L58. And that'll be used to select an appropriate wheel: https://github.com/jvolkman/rules_pycross/blob/main/examples/pdm/example_lock.bzl#L327

if you want to build on top of python-resolver lmk

I can add you to the project

or you can create a new one, depending on what exactly you want to do

Looks like resolver also uses marker values inferred from the current platform; maybe that’s a viable feature request?

Or I’ve always wanted to be able to do marker-agnostic resolution (all markers expect extras always evaluate to True)

isn't that what poetry and pdm do?

yes, it's a reasonable feature request

Then you will meet some packages that do really weird thing: https://github.com/ansible/ansible-lint/pull/2712
Is that solvable with resolvelib?

The python-resolver project (context of the conversation) is wheel-only so fortunately this hack won’t work

https://github.com/FFY00/python-resolver

Only supports wheels (no sdists!)

#pip message

The dummy requirement will also be encoded in wheel metadata and cause the (marker-blind) resolver to fail

yeah, the hack involves a project with only a single release that has been yanked, the yanked version will actually install fine if you were to try installing it with ==0.1.0

Thanks, I didn't even notice it does exist.

is there any way PyPA could align releases of packaging with pip releases? recent issues with new macos tags cause some problems in projects

Hmm... put that up on the packaging issue tracker?

Sure, I can. I just wanted to check if this is possible first 😄

I'm not a 100% sure how/what we should do to avoid this sort of problem TBH.

Regardless, having it be on not-behind-a-login and on a search-engine-indexed location seems like a much better place to have that discussion. It's not really a throwaway discussion.

sure

But, 100% agree that we should definitely think + try to do something about this.

Not sure if this is the best channel for saying this, but seems like the bootstrap.pypa.io cert has expired a few minutes ago 😱: https://github.com/pypa/get-pip/issues/178

I just confirmed this

Using pip itself isn't affected, but get-pip.py is having trouble now :/

Yea, I see that @frosty pier mentioned Ee.

Oh indeed

Thanks for flagging that here!

No worries!

Yipee! It's fixed!

Hey! I hope this is a good place to ask this question.
I would like to create platform specific URL dependencies using the pyproject.toml so that pip picks it up.

Simple example. This works, but the conditional one after doesn't. The example doesn't really makes sense with numpy, but I used it to quickly showcase it.

dependencies = [
    "numpy; sys_platform == 'win32'"
]

dependencies = [
    "numpy @ git+https://github.com/numpy/numpy.git@v1.23.5; sys_platform == 'win32'"
]

How would I go about doing this?

You need a space after the URL, before the semicolon.

trips me up every, single, time

packaging 22.0 should raise a better error here AFAIK though

Yup.

packaging.requirements.InvalidRequirement: Expected end or semicolon (after URL and whitespace)
    package @ https://example.com/; python_version <= '3.2'
              ~~~~~~~~~~~~~~~~~~~~~~^

But, still need to get to that upgrade.

Ahh, thank you!

isn't packaging 23 already out?

It is, but the copy vendored in pip isn't upgraded since it was blocked on setuptools. We're still blocked on a couple of tricky coupling issues.

I wonder if it’d trip people less if the space is always required, i.e. make numpy >= 1.23.5; sys_platform == 'win32' illegal for consistency

I wonder if the space should even matter. I mean, why require the space in the first place?

Semicolon is a valid character in URLs, without the space there would be ambiguity

I think we'll solve this with the better error message TBH

The thing I don’t like with the error message solution is it appears much too late for dependencies specified in pyproject.toml. But maybe that can be solvable if someone implements a pyproject.toml linter in the future.

Well, ideally, build backends would cover that base.

But I'm leaning more and more in the direction of "we have no validation/compliance enforcement in the tooling, and that's bad".

They exist now. pyproject-metadata https://github.com/FFY00/python-pyproject-metadata/blob/36e642a5a5ea0a84ddada69caf4c6f08b660ed1a/pyproject_metadata/__init__.py#L445-L452
or maybe validate-pyproject

Hello everyone.

👋

@lunar gyro what do you think we should do with the Debian / Homebrew environment paths mess?

I'm inclined to drive the venv approach over the line, but that'll happen in the coming days and not just today.

↑ No prob with that

So, until then, should we revert the Homebrew-related fix, so that things stay broken exactly as they are?

That PR using get_scheme is on the right track but I don’t know why he wants to also change the distutils code path instead of just the sysconfig one

(coz IIUC, that change breaks Debian)

Coz Debian patches both, and the isolated environments on Debian are leaky today, IIUC.

I'm not fully sure about how redistributors break things TBH, and my hope is venv based isolation will solve that for us.

But, I'm not sure what we should do now.

With the current logic.

IMO it can always wait, if you want to release you can without it

👍🏻

I'm not sure still, TBH, but happy to defer to you on this.

Alrighty, one more release made. Holler here if you see something off!

Just wondering (since the milestone in repo is empty) is there any kind of timeline for pyproject.toml-based builds would be default? I think with pip not having it as default, it makes non-pyproject based setups "encouraged" because "why change stuff, it works just fine"

Once we get rid of all the legacy install mechanisms (eg: setup.py install, setup.py develop), we'll do that.

You mean from pip source code or from community? 🤣

pip's default install mechanisms; as released.

Try pip installing a setuptools + non-pyproject.toml project without wheel in the environment.

I think setup.py install can probably go at this point; the deprecation has been shown for a while and I haven’t seen reported actually related to it. Reports claiming breakage are mostly from confused users.

It's announced for 23.1. We need to decide if we postpone or not.

I don't think we should.

I tend to agree we should not postpone.

Other question is if we need some --use-deprecated flags for some code paths. All the relevant issues are in milestone 23.1 https://github.com/pypa/pip/issues?q=is%3Aopen+is%3Aissue+milestone%3A23.1

Well, it's "nicer" to people if we have those flags but it's probably going to be a bit messy to plumb that through. Honestly, I'm happy to defer to you on whether it's worth the hassle.

To some extent adding --use-deprecated or pip install -U pip<23.1 is a comparable effort for users who'd need time to transition.

I suspect to biggest complaints will come from (dependencies on) projetcts which heavily override the setup.py install command and can't build wheels.

It depends on what setup you're in. From $work and some other institutions, it's easier to get a flag added in to internal builds than to block an upgrade org-wide.

true

OTOH, these are all cases where the actual fix is elsewhere and this is mostly just... a graceful thing to help people who might need it but will never ask for it. 🤷🏻

And, will work around it silently if they don't have it.

The main benefit from my PoV is that we give $guyOnTheInternet an actionable thing that's that's different from "do it better" or "listen to us" or "don’t upgrade".

I think the big benefit is that pins tend to last forever

but flags don't, since it'll break again in the future when pip removes it

^indeed!

Was one of the reasons for the opt-in/opt-out model!

Effectively pip moves the slowest to let organisations who move slow deal with changes, with a deadline.

Good. So I'll get back to the question of whether other maintainers feel we need --use-deprecated for setup.py install. 'cause de lazy part of me says we don't 🙂

We can discuss on each individual issue.

I am very tempted to say we don’t

+1 to that, but yea, let's move the rest of this to the issue tracker.

does anyone know the answer to this? https://github.com/pypa/setuptools/issues/3659#issuecomment-1315320204

When pip runs setup.py install, I think it's technically possible?

https://github.com/pypa/setuptools/blob/2ab03c77d7d06845c1d76ce870cbc77cfce129ba/setuptools/command/install.py#L121

I might be wrong tho.

Switching to PEP 517 builds by default means that these will automatically become stale since they only affect setup.py commands, right?

https://github.com/pypa/pip/issues/8559
https://github.com/pypa/pip/issues/11451

And I imagine this one won't be done because it will instead just fall back to the default pyproject.toml contents
https://github.com/pypa/pip/issues/8368

They're all blockers to switching over.

#8368 says:

In a future version, pip will not attempt setup.py install in that case, and fail the installation right away.

as opposed to pep 517 build

which is why I wondered

If I wanted to be rude, I'd say "read when setup.py install is run"

But more pragmatically, setup.py install is called if setup.py bdist_wheel fails.

At that point, we know that package doesn't build; so failing explicitly is a good idea.

I guess I get it, switching to legacy hook is more or less equivalent to only calling bdist_wheel and failing if that doesn't work

Yup!

the amount of downvotes suggested something worse 🙃

Well, that's because it's the URL printed when a package fails to build.

well, there are people who don't go with pyproject.toml even now, and that's by their choice to stick to the ancient ways

yeah but they don't have to provide pyproject.toml, they just need to work within an isolated build

I don’t think so. The path to the regex is only possible if setuptools is asked to install dependencies from a package index, but pip should never ask setuptools to do that (it always install dependencies itself).

Is it intended that pip should be able to install packages into a different environment? I find that python -m pip install --prefix /path/to/another/venv results in the installed package's console scripts have the sys.prefix of pip and not of the prefix that was specified in their shebang. I also seem to recall that it isn't possible to install into a prefix which is using a fundamentally different Python version / platform tags etc.
Is this expected to work? If is, I will happily distil the problem and raise an issue.

--prefix simply installs into that prefix, it does not know nor care whether that prefix is another environment

It’s not designed to install things into another environment but allowing a user to do it is “intended” in quotes

Thanks. It is a bit surprising then that --prefix is the option for install, but --path is the option for pip list. It was this difference which led me to think that there might have been some intended behaviour wrt. the --prefix flag.

As a follow-up, I remembered that there had been a discussion about having pip as a standalone app. I found it again at https://github.com/pypa/pip/issues/11243. I guess in that approach, pip is still running from the python that it should install into.

--path can be any path, not just --prefix (it also works for --home and --target)

Is pip install --prefix something that we want to be able to do correctly? As in: if you specify --prefix then the python that you are installing from is taken from prefix, and not from sys.path of pip. It could certainly get gnarly - different python versions, different platform tags, etc., but doesn't seem that far away.

Personally I think it would be better if we document what post-processing would be needed after you use --prefix. The usual use case is to provision an environment from another machine, and for that purpose this seemingly helpful “feature” would actually break things

For console_script shebang replacement I seem to recall there’s a specific issue for that (not just for --prefix but allow replacement in general)

I'm not clear what you mean precisely with "provision an environment from another machine". I'm struggling to think of a use case for which it works currently, but wouldn't work if we used the correct platform info for the environment we are creating.

Perhaps https://github.com/pypa/pip/issues/1351. That relates to installation into one directory, but informing pip that it would later be copied to another one (for RPM building).

Aha, I see that you can pip install --prefix /does/not/have/a/python/interpreter, and pip will make a prefix for you (without creating a Python bin for you). Perhaps this is what you meant?

I suspect --prefix, --target, --root, et al were a mistake tbh

Without --scheme they're also somewhat broken on environments like Debian (and possibly Homebrew?)

I mean, they won't necessarily do what you want / expect

So there are three options then, I guess:

1. Do nothing, and live with the status-quo (documenting what you need to do to post-process the result of --prefix to make it likely to work if-and-only-if your --prefix Python is the same version as your pip Python
2. Deprecate the options
3. For --prefix at least, let pip take the information from --prefix's Python, not its own

Personally, as you can imagine by the original question, I'm motivated to see #3 - it is how I would consider achieving something like https://github.com/pypa/pip/issues/11243. I'm interested because I want to be able to create a virtual environment which is pip free - my rationale being that I have virtual environments which are shared and read-only, and having pip in the environment is unnecessary / unexpected (since the environment is frozen). I don't want to preclude that environment declaring a dependency (either direct or transative) on pip, so it isn't desirable to pip install <pkg> && pip uninstall pip.

For clarity, #3 is clearly backwards incompatible. I don't think it would be hard to have a feature flag for the behaviour, but not sure it is something that you would want long-term either.

I see there is a lot of history on this topic in https://github.com/pypa/pip/issues/11307. The addition of the --python flag passed me by, since I was looking in pip install --help, but in practice it is a top-level pip --python flag. In terms of behaviour, it simply invokes pip in the given python flag, thus isn't quite what I'm looking for.

If you are looking after pip-free virtual environments, pip --python does the job, because it does not require pip to be present in the target environment. It just needs a pip version that is compatible with the target python version.

Yes, this looks promising indeed. Thanks! My option 3 would have meant that pip itself needn't be source compatible with the python that it is installing for, but that is quite an unlikely thing to be able to benefit from. The --python flag even supports installing pip (cool!) 👍

The --python flag even supports installing pip
IIRC, It does not install pip, it "injects" an existing pip into the target environment for the duration of the pip command run.

My point was:

python -m venv /tmp/venv1 --without-pip
python -m venv /tmp/venv2 
/tmp/venv2/bin/pip --python /tmp/venv1 install sphinx

Everything looks good - the shebangs in the execs are correct (unlike --prefix). You can even:

/tmp/venv2/bin/pip --python /tmp/venv1 install pip

And this installs pip correctly into venv1. 🎉

My option 3 would have meant that pip itself needn't be source compatible with the python that it is installing for,
If you want something that automatically uses a pip version compatible with the target python, I have hacked together a pip-launcher. https://github.com/sbidoul/pip-launcher (just a hack to play with the idea for now, not intended for general public use)

I'm getting push-back about including PEP-668 in Debian bookworm, without an override mechanism that a normal user can use. I'll look at preparing a PR, when I get a chance

What override?

What's the Debian cutoff date?

Something like --break-system-packages.

--wild-rodeo-please-i-wanna-break-stuff

Yeah, that's what was proposed in the PEP

That's where I got the name from.

The freeze schedule: https://release.debian.org/testing/freeze_policy.html#summary

Basically, we should get the major pieces in place by 12 Feb

Is pip a major piece? :P

Yeah, ideally I wouldn't want to change it after then, but if we have to, we can

Right, filed: https://github.com/pypa/pip/pull/11780

You might wanna edit that. :P

Reviewed, with a minor change suggestion.

Thanks!

FWIW, I'm trying to push for any/all user-facing communication to not reference PEPs and use friendly-to-human names.

Hence pyproject.toml-based builds and EXTERNALLY-MANAGED installations; rather that PEP 517 and PEP 668.

@wispy coral FYI: a test failed and I don't think we can test that in our CI setup as it stands.

I fixed that failure (and forgot to commit it with the previous change)

Unfortunately few of those existing tests pass for me, locally. So I was doing a lot of testing on CI

Oh, and you added a commit, thanks

I did, yea. 😅

Seeking comments/opinions on https://github.com/pypa/pip/issues/11690#issuecomment-1419005714 for the bugfix.

https://github.com/sarugaku/resolvelib/pull/113 🎉

I'm excited about this!

fyi https://github.com/pypa/pip/issues/11296#issuecomment-1423070897

Did they reinstall after changing metadata?

I'm guessing that's what's wrong.

Yup, that explains why they're unable to reproduce it.

nice, good call

Hi! Is this the right chat to ask questions about using pip to cross-build packages?

#cibuildwheel seems better, since it was made with that exact purpose in mind

Thank you (also it is the first time I read about it)

It seems to use containers and qemu though?

my problem at hand is that openwrt builds packages expecting setup.py and it sets all the environment variables so it works. I extended it to support setuptools_rust and maturin, but then I had stumbled upon a package using poetry and calling pip install with the same env did not produce the expected results =/

pip install mostly just calls whatever tool that is handling the build (setuptools, maturin, or poetry) and copy whatever the tool generates into correct locations, so it’s more likely this is a problem with the build tool, not pip

so I should annoy poetry devs 🙂

there isn't any additional env var that might impact pip in this regard

i have a controlled environment where i'm not allowed to install any third party dependencies. but i have a first party wheel that i'd like to install. pip install --no-deps asdf.whl mostly works great for this, except if the first party wheel happens to have dependencies that don't already exist. is there a way to get an error for that situation?

i guess i could pip check after

(that's not a perfect solution though, since i do have some other incompatibilities that pip check would complain about. maybe i just roll my own with importlib.metadata)

if you roll your own, this might be helpful to you

https://github.com/pypa/build/blob/main/src/build/_util.py

I was bored, so...

Is that an UML graph for pip?

oh that's neat!

I wrote a Python regex to railroad diagrams thing for this. 🤦🏻‍♂️

Well I spent an hour writing a script to merely reverse 36 HTML chunks so I didn't have to do that manually. 😅

sigh

You know pylint ships with tool for class diagrams, right?

This isn't a class diagram?

Nor is it a UML diagram FWIW. It's a railroad diagram generated from the regular expression for version parsing.

ah, sorry. early morning + somehow I had in my mind UML=class diagram (blame @hidden flame for mentioning UML) 🤣

that’s why we’re here. people who don’t have that tendency would have been like “easy_install” is good enough, I can hack around the limitations.

Unironically, easy_install is still recommended in the beautifulsoup4 docs 🥴

given a folder with artifacts from a package build whats the best way to pip install one of those with a set of extras

What kind are the artifacts?

wheels, sdists, mixed?

--find-links <path> can work.

mixed, got the dist folder from a previous step an want to install the package in it

Find links works. You can also have pip install path to <whl>

@shy echo does find links take precedence over pypi?

I think an explicit path works best?

with explicit paths it seems i cant use extras

You can?

@shy echo then i might have messed up a glob

A glob won't work if you add extras, because your shell will think that the extras are part of the path (so it won't be able to find any matches).

^

@fallen scroll im ware, i used some shell expansions on that before with no success

@shy echo find-links prefers pypi

im now trying pip install "$(echo -n dist/*whl)[toml,test]

Well, this looks like a gap I didn't know about. 😅

I you know the pkg name,pip install "name[toml,test] @ file://$PWD/dist/name.tgz" shoud work

Right, I think the issue is that he doesn't know the name of the sdist file already.

Though, nothing prevents you from doing it as a two step process FWIW.

Figure out the filename and do pip install $filename[foo] or so.

i now have the echo version working, will refine again later

Awesome

It's slightly odd that pip recommends running a pip install --upgrade pip that cannot succeed under EXTERNALLY-MANAGED environments

I think it should skip the new version check in those environments

It should!

https://discuss.python.org/t/error-externally-managed-environment/24237 going from the screenshot here

Thanks for flagging!

I'll make a ticket?

https://github.com/pypa/pip/issues/11820

The alternative is that it suggests --break-system-packages !

Thanks!

Yea, well, the option has a clear enough name tho!

That means one less patch for us (Debian) to carry, too 🙂

Debian already disables the update notification?

Yes. We usually do that, when packages have update notifications. Users of our stable releases are going to frequently have "out of date packages", that's just how it works. So, disabling them saves some annoyance, stops some privacy leaks, and protects some users from breaking their own systems.

Famously, sometimes it makes people unhappy, like jwz: https://bugs.debian.org/819703

Ah presumably the user that made the screenshot already ran pip install --upgrade pip

Yeah, dunno what happened there

Famously sometimes it makes people

Looks like the update notice is disabled with https://github.com/pypa/pip/blob/c20c7890729c5e14e3c56e2dd3d3737b84d1f458/src/pip/_internal/self_outdated_check.py#L146

Debian rewriting INSTALLER is a good idea overall anyway.

It's a bit unusual to get into a situation where check_externally_managed() raises but was_installed_by_pip() returns true

Because the user already broke their system packages presumably they don't care about breaking them further

So I think it might be most correct for the update notice to suggest using --break-system-packages where necessary

Did debian ship EXTERNALLY-MANAGED before pip started checking for it? So users can break their system pip then get locked out of upgrades?

I think this was a case of a user manually upgrading over the existing Debian stuff, and then having that workflow break coz their OS added the marker file and the newer version of pip respects it.

I don't think there's an easy answer for this case. :/

Maybe print the upgrade notice but don't print the upgrade command?

That's a non-actionable message tho.

Yeah there's no correct action the user can take

They need to do a reinstall

Maybe the upgrade notice should be replaced with a "you broke your system packages" notice

was_installed_by_pip never runs because debian sets disable-pip-version-check https://sources.debian.org/patches/python-pip/18.1-5/disable-pip-version-check.patch/

@wispy coral do you think it's possible that the DPKGs generated by Debian would patch the INSTALLER file in the .dist-info directory? That'll remove the need for this patch.

You'd need to swap some lines in pip too

Currently it calls get_remote_version() before was_installed_by_pip()

Yea, the thing they don't want is the upgrade prompt.

and the http call

But, yea, we should swap those lines.

It doesn't have a .dist-info only a .egg-info https://packages.debian.org/buster/all/python3-pip/filelist

LMAO

Nah, it's correct on unstable.

https://packages.debian.org/sid/all/python3-pip/filelist

I wouldn't bother changing/improving things on old Debian versions, and am happy to trust them on this front.

I seem to recall discussing the possibility of this when we were talking about PEP-668. https://peps.python.org/pep-0668/#marker-file

It looks like right now, we simply don't provide INSTALLER files at all, in most cases (but there are so many packages, that tooling varies)

It would be simple enough to add one

This isn't to indicate that we shouldn't modify things. It's to indicate that it's intended to be installed via apt

Or rather has been.

Yeah

In this context, it's that pip's upgrade prompt logic is gated on whether it's installed by itself.

TBH, just setting this in pip's build system's rules file is also good-enough.

Anyway, it's too late now to set INSTALLER for this Debian release. We can do it for the next release

Yo, no hurries.

Filed https://bugs.debian.org/1032133 to track that

Thanks!

In a virtual environment when I do the following python3 -m pip download --no-binary :all: --require-hashes --no-deps --dest /tmp/tmp0x_u81ay --requirement /home/debian/repropy/ret.txt' it says that it is Installing build dependencies ... done for each requirement. Can anyone please tell me where exactly it is installing those build dependencies? Asking as the actual virtualenv does not get those build dependencies installed.

You can increase verbosity and see the details.

FYI, this is mentioned in the --verbose description but it's easy to miss if you're like me, but verbosity has 3 levels (apart from no verbosity) which can be enabled with -v, -vv, and -vvv

IIRC, there's only 2 levels.

yeah, I think I vaguely recall that, IIRC the last level doesn't actually add anything, it's just there for future use

not sure though

You can do -vvvvvvvvvvvvvvvvvv if you want.

Doesn't change behaviours. :)

ah gotcha

Blame optparse

🙃

I was under the impression it was limited to -vvv 🤣

FWIW, I believe the direct answer is "in a temporary virtual environment that is deleted after pip is done".

This is also “helpfully” inherited by argparse

I'm having some trouble updating distributed to use pyproject.toml builds, it seems when building with boa's pip (or at least I think it's pip) is ignoring my build-system requires: https://github.com/dask/distributed/actions/runs/4366462224/jobs/7637417001#step:5:148

You don’t seem to use pip directly and this comes from conda mambabuild? I suspect they are using pip in an unsupported way. Should ask them instead.

my understanding is that pip is run directly here: https://github.com/graingert/distributed/blob/ee06f0e1fb0891e47c735ff40078f51ec53612e6/continuous_integration/recipes/distributed/meta.yaml#L18

I suspect they are using pip in an unsupported way.
yeah I got that feeling too, but I'm not sure where pip is getting called here. Asked them here https://matrix.to/#/!sAfhhwsNChQnBSbjQJ:gitter.im/$HmK-Uitk6RhElKsp4_YJ-rEFQuBFG8720XpTePnbRCs?via=gitter.im&via=matrix.org

Where? The only pip call I see is pip check and that doesn’t build anything

script: {{ PYTHON }} -m pip install . -vv --no-deps

Oh OK, took a while to find that

if I cd into the (rather unusual) prefix directory and run that command manually it works fine

I suspect the --no-build-isolation flag is somewhat set for the invocation (maybe via environ?)

does no-build-isolation ignore build-system requires?

It does, without build isolation you are implying you want to set up the environment on your own so pip stays out of the process

If you have build isolation on there should be a line Getting requirements to build wheel before Running command Preparing metadata (pyproject.toml)

ah I see

what's the env var for --no-build-isolation?

ah here it is https://github.com/mamba-org/boa/blob/cd087c5582e11125fc0a8bc855056de5b4b41ddf/boa/core/build.py#L399-L406

thanks!

putting the .whl in the source repo and doing script: {{ PYTHON }} -m pip install --no-deps ./versioneer-0.28-py3-none-any.whl && {{PYTHON}} -m pip install . -vv --no-deps && pip uninstall --yes versioneer works

that's probably not what we want though xD

Yes. I wonder this can be overridden when you actually call pip though?

Not familiar with the build tool

Hello. I'm trying to do a cross-platform test and validation of a requireements.txt by using pip. I tried this on a linux system:

python -m pip install --dry-run --ignore-installed --platform win32 --only-binary=:all: -t win32dir "psycopg2 ; sys_platform == 'win32'

But it seems that pip does not take the --platform switch into account when parsing the requirements but only to choose which binary to download. The above command leads to Ignoring psycopg2: markers 'sys_platform == "win32"' don't match your environment.
On the other hand, by removing the sys_platform specifier, pip downloads the right psycopg2-2.9.5-cp310-cp310-win32.whl package.
Should I consider that a bug or am I wrong and it's just that it was not designed for that purpose ?

There is already an open issue for this, but the problem is there’s currently no clear mapping on most of the marker values. (The platform value is more exceptional than general.) https://github.com/pypa/pip/issues/11664

Thanks for the answer, I was not aware of this issue.

https://github.com/pypa/pip/issues/11445#issuecomment-1473627324

What about it?

just a reminder that hopefully we can get it in the next release

(I'm not sure what the release schedule is)

Well, there's a tracking issue for that.

And, no one has seemingly had the time to tackle that.

From what I can tell the possibility of this getting into the next release is close to none unless a new contributor pops out from nowhere

https://github.com/pypa/pip/issues/11715

https://github.com/pypa/pip/pull/11853

friendly ping

it'd be good to have this for the next release

Merged.

whops and I just noticed a typo in the new entry 😅

dammit dyslexia

Follow up PR?

yeah

doing it rn

Thank you!

will link here for better visibility

https://github.com/pypa/pip/pull/11870

I did not mean to write a mini essay on pip's issue tracker, but the mention of mypyc caught my attention :)

A pip test is failing on MacOS with No module named 'platform'. This might be related to the latest wheel upgrade? https://github.com/pypa/pip/actions/runs/4454761013/jobs/7824164624

This seems to fail on MacOS with python 3.7 and 3.8 only.

Huh.

I'm guessing that sys.path is messed up somehow in the build environment's subprocesses? The platform module is on the standard library paths.

https://github.com/python/cpython/blob/3.7/Lib/platform.py

My guess is that the problem is here: https://github.com/pypa/packaging/blob/5b34465682d40ddd42dd6cba88e158e1674de7b9/src/packaging/tags.py#L407

All environment variables of the calling process are erased, and there's probably something critical in there that's required for Python to work.

I'd be surprised, but that's possible!

with modern pip, can i assume thatthe pip-egg-info folderx are no longer used since a while?

correct

Thanks, do you by chance have a rough idea of how long?

A couple of years probably, not very long

Ok, then I think it's gotta be fine for setuptools_scm to drop its usage as a fallback version source for when pip leaves out the scm folder

what is a pip-egg-info folder?

Something that one would find in copied build folders for certain Install types

legacy setup py install based out of tree builds

the thing in build/../project.egg-info/ ?

No, a folder literally named pip-egg-info IIRC.

this thing? https://github.com/pypa/pip/blob/8271fdb349bb519c1b8fe1e02550fd41f5208b70/src/pip/_internal/operations/build/metadata_legacy.py#L53

https://github.com/pypa/pip/commit/bf8e6bc7853f1f014e20def4f7e994ba926d8e4e

The answer to your question is since 2020, @cyan cargo

Hey so I’m not too far off

setuptools still makes a project.egg-info in the source directory though

I dropped the code for it from setuptools_scm

Eh I was sure to have worked on that but could not find it right away 🙂 Thanks @shy echo !

BTW, anyone with a mac willing to look at the failing test?

I tried, but couldn't. :/

Let's xfail it for now, and file an issue for fixing it?

It’s so difficult to look into the build process

100%

I want to switch it away from subprocess calls to in-process calls.

It’d be slightly viable if we have a mode that disables build isolation but still populates the environment

That way we could inject into the site-packages setuptools

Why is that necessary?

FWIW, my motivation is to reduce the subprocess stack that we end up having in our runs, which make attaching a debugger and diagnosing issues ~impossible.

For the other maintainers reg https://github.com/pypa/pip/issues/8559 -- in case I forget, please unlock this in ~24 hours or so.

https://www.githubstatus.com/incidents/52z0j6phhnjs

GitHub's having a quite big outage!

now resolved:

We’ve identified an infrastructure change that has been rolled back and we are monitoring recovery.

Yea, fun.

@lunar gyro @wheat pollen So... do y'all remember pyrax==1.9.8?

It's the one that Poetry's author had shared with us and it caught a bunch of issues in the resolver and it was ridiculously difficult to resolve correctly and all that...

With the current main, I got a resolution result in 26s.

13s with a primed cache.

I don't remember it, but that's awesome.

I'm excited about the backjumping change. 😅

Any schedules on 23.1 release? I hope pip-tools would have time to adapt to pip internal changes before the release.

Early April is the plan, I think.

Oh, great. I've found the issue https://github.com/pypa/pip/issues/11902

Is 23.1 switching to pep517 by default?

If you don't have setuptools or wheel installed.

In the environment.

Which is a lot of people coz venv doesn't install wheel.

You mean setuptools and wheel?

yea

Hmm probably not enough for flake8 pyproject.toml then

LMAO

I don't think the flake8 thing is going to change unless Anthony can convince himself to remove all the other configuration methods.

just use Ruff

ruff > flake8

depending on the repo size, you can run ruff over 50 times in the time it takes flake8 to run once

man is still stuck on setup.py ways anyway, he just hates TOML

and now, with ruff having most of flake8 plugins implemented, flake8 makes little sense to use

Is the ramdisk setup failing typical for pip CI? Happened twice in a row for me :/

It's not, no.

Hmm, I wonder if Github broke RAM disks again. 🙈

@shy echo also hope your truststore issue is resolved now! Was just working on getting the trustore+pip PR ready to review

I haven't tried since. The only place I really can test out truststore is on $work stuff, and I only saw that you made a ridiculously quick fix on the weekend.

And, I'd prefer to not need to open $work stuff on the weekend if I can. (been quite successful so far!)

But thank you for the quick fix! It's appreciated! ^.^

We got lucky in that David and I were both online at the right time 😉 We're both happy to see it getting used and want to unblock our early users 🚀

GitHub ramdisks? what?

https://github.com/pypa/pip/blob/295a35bd51a0c70d493e3b81ebf14c918ef10010/.github/workflows/ci.yml#L170-L171

Hi, just joined the server following a question I have asked on Stack Overflow (https://stackoverflow.com/q/75907427/21537524), and a user pointed me towards here. My question was the following, I would like to know how to clone and compile C++ code into binaries within the package during pip install? I don't know if I should paste the whole post over here or not, don't want to feel like invading in any way

https://github.com/pypa/setuptools/issues/2591#issuecomment-791628028 might be what you want.

This is not really a pip question though, but a question about build backends.

OP posted on https://discuss.python.org/t/how-to-clone-and-compile-c-code-into-binaries-within-the-package-during-pip-install/25394?u=pradyunsg as well. Let's leave the rest of the discussion there

@jovial jasper Are you around on Discord?

We can chat about https://github.com/pypa/pip/issues/11715 here, if that's easier.

Hi @shy echo I see your last posts. Indeed patching packaging is not a good idea. Especially since it emits spurious warnings about LegacyVersions when normalizing for comparison or something.

I'm honestly not sure how difficult the suggestions I've made are TBH!

Not sure either. There are quite a few places where packaging.version.parse is used. All these spots need some work if we want to warn with relevant context.

I've not looked at detecting LegacySpecifiers from pip-land.

All in all, that looks like too much for me to do in time for 23.1.

No worries. I'll be spending some cycles on this in the next couple of days.

is there a way to download and have --find-links take precedence? currently pip download -f dist --no-cache-dir pkg_name will always download unless I force the built version to be different in which case nothing will be found and the link directory is finally utilized

(I understand this may be a fringe use case since we're trying to download something that already exists in a directory)

I feel like there may be some magic command line incantation but I can't figure it out

No

Urgh, why is RAMDisk failing so often lately in CI. Something seems off.

how much is the CI time impacted without that?

One of us should file an issue in actions/virtual-environments.

It was substantial, but that was quite a while ago and both pip as well as our test suite are theoretically faster now.

Has anyone looked into using SeparateBodyFileCache for pip's downloads? I was wondering why it seemed to take a second for pip to find cached wheels, and I discovered that it currently (indirectly, through cachecontrol) loads the entire cached file into memory before using it.

I don't think so, not yet.

PDM also suffers from this: https://github.com/pdm-project/pdm/pull/1498
It is blocked by the upstream cachecontrol project. Does anyone know the maintainer here?
It makes the cache not working on, for example, pytorch private index.

Would it be possible to upload some metadata alongside the pip zipapp? e.g. if I were to cache the zipapp I wouldn't want to redownload it unless the version's changed

Technically, yes. The piece missing is someone deciding how we want the folder structure to look like for the zipapp.

FWIW, regular content caching should be set up on that, no?

You mean by doing a head request and checking the etag for instance? Yeah, I suppose that'd probably be sufficient, unless we wanted to know what the actual version of pip in the zipapp is

(also, I just found out about https://xclacksoverhead.org/home/index by doing that)

I can't trick/force the dependency resolver into thinking one package is another right

foo depends on bar, for some strange reason the developers of bar release their prereleases to bar-dev

No.

But that doesn't help for installing foo, as I can't simply install foo and bar-dev

Or, at least not at the moment.

K, figured I'd have seen it at this point if so. Thanks

That’s one thing I’ve been thinking we should do. There’s already spec for this (Provides-Dist), we just need an implementation

And a story for how that works in a world with uncurated repositories.

The last time that this came up, the social part was the blocking concern IIRC.

Meaning what sorry

(the uncurated bit)

Ah as in you don't want some random malware package claiming it provides django or whatever?

Yea.

Is there any extra danger there than said malware package being installed itself? (I assume you're about to explain that to me 🙂

And, also less malicious code but unfriendly ones, eg flask claiming it provides django, and deciding on what the story needs to be (is it that we don't care about giving tools to deal with this, or is it that we do care?)

Right ok. Or I guess you exclude it from anything but user-facing tools

Not sure what you mean by that.

(I'm not familiar with how Provides-Dist works so I could be saying nonense as usual). But what I mean is such that a user can say "when something says it wants foo I want foo provided by bar", but a package baz cannot say "I need foo and the foo I want is bar"

(So exclude the functionality from dependencies, but allow frontends to do it or whatever)

And if you install bar as part of installing baz (because it directly depends on it) you forget the fact that it claims to provide foo. OK I'm gonna stop talking since it seems like these are not so insightful ideas 😄 so probably if this is reasonable someone who thinks about it mor ethan my 3 seconds will come up with better ones

I do have some ideas around it, not very structured but I think should work with some polish (which is the bulk of the work of course)

I think Provides-Dist is fine as long as you don't take it into account unless you've already decided to install the thing providing it

can someone please point me to the code that creates Windows executables for CLI entry points?

The executables are pre-built and vendored in pip etc. They are built here: https://bitbucket.org/vinay.sajip/simple_launcher/

thank you