Hi, I’m a developer for the Spack package manager. Spack is a general-purpose package manager, similar to Conda in the sense that it can build both Python and non-Python libraries. In the past, our Python library installation procedure was basically:
$ python setup.py build
$ python setup.py install --root=...
This made it easy to install libraries like setuptools/wheel/pip without having to rely on an existing pip installation. However, we were recently informed that direct invocation of setup.py is now deprecated.
In order to convert our Python build system to use pip instead, we first need to figure out how to bootstrap pip. I’ve read through pip’s installation instructions, but I don’t see a way to specify which version of pip gets installed with either
Spack is designed for air-gapped systems without internet access, so we need to be able to download the appropriate source code ahead of time. We also need a stable checksum for any downloads. When looking at get-pip.py, I don’t see a version-specific URL, so I assume the checksum of this download changes after every new release?
TL;DR: what’s the recommended way to bootstrap pip if I need a specific version (reproducibility) and a stable download checksum (security)?
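An added example, not part of the original post and not Spack's or pip's own code: one way to enforce the two requirements above (a pinned version and a stable checksum) on an artifact that was mirrored ahead of time for an air-gapped install. The file-name patterns, the function names and the sample version and bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumed file-name layouts for a mirrored pip artifact (sdist or pure wheel).
ARTIFACT_NAME = re.compile(
    r"^pip-(?P<version>\d+(?:\.\d+)*)(?:\.tar\.gz|-py3-none-any\.whl)$"
)


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so large artifacts are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_pinned(path, pinned_version, pinned_sha256):
    """Return (ok, reason); fail closed on any mismatch before installing."""
    path = Path(path)
    match = ARTIFACT_NAME.match(path.name)
    if match is None:
        return False, "unexpected file name"
    if match.group("version") != pinned_version:
        return False, "version mismatch"
    if not path.is_file():
        return False, "missing from mirror"
    if not hmac.compare_digest(sha256_file(path), pinned_sha256.lower()):
        return False, "checksum mismatch"
    return True, "ok"


def demo():
    """Constructed sample: a stand-in file, not a real pip release."""
    with tempfile.TemporaryDirectory() as mirror:
        artifact = Path(mirror) / "pip-0.0.0.tar.gz"
        artifact.write_bytes(b"constructed sample bytes")
        pin = hashlib.sha256(b"constructed sample bytes").hexdigest()
        good = verify_pinned(artifact, "0.0.0", pin)
        artifact.write_bytes(b"tampered bytes")  # simulate a changed download
        bad = verify_pinned(artifact, "0.0.0", pin)
        return good, bad


if __name__ == "__main__":
    print(demo())
```

The check only holds if the pinned digest was recorded from a version-specific artifact; a URL whose content changes with each release cannot be pinned this way.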