Draft PEP: Adding Vulnerability Data to the Simple API for Package Indexes

See here. Was there a particular reason you didn’t add a link to that discussion, and in particular that comment, into the PEP and the announcement? Or was it simply that you’d forgotten? Maybe you’re close enough to the problem that it all seems obvious to you, but as an outsider, I would appreciate the background and implications being spelled out explicitly in the PEP.

My reading, specifically, is:

  1. The pip-audit project uses this data to do its job. At the moment it uses the JSON API.
  2. The pip-audit project has aspirations to become a pip subcommand.
  3. To be a pip subcommand, one of the assumed preconditions is that standardised interfaces should be used, so vulnerability data needs to be made available via such an interface.
  4. Pip uses the simple API as its fundamental access to the index, so with this background, having the vulnerability data available via the simple API would make integration into pip simpler.

All of which is good, if you accept the various assumptions and goals, but shouldn’t be left to the reader to infer.

I’d also like to note that “vulnerability data is available via a standardised interface” is a pretty minor part of the hurdles involved in integrating pip-audit into pip, so point (3) is a rather weak argument here.

I’m still -1 on this, but that’s hardly surprising as I was never a particular fan of the idea of a pip audit command. As you say, we’re going over old ground though, so I encourage readers to read the linked discussion, rather than me repeating the same points here.