(You can set a bookmark with a reminder.)
1 Like
OK. My notes on the PEP and on the proposed wording of the packaging spec.
- You say you donāt want to get sucked into
REQUESTED, and I agree. But the current wording feels like it implies more than you want to. Iād suggest adding a note at the top of the section on the REQUESTED file saying something like āInstallers are not required to maintainREQUESTED, and so consumers must not assume that the lack of aREQUESTEDfile means anything in practice.ā (Or you can take the same view as PEP 376, that tools will maintain this data - in which case you need to amend the comment that āAlmost all information is optionalā to reflect thatREQUESTEDdata is not optional). - I donāt see much discussion of the removal of the requirement for hashes/sizes to be present. I get your argument that no tools currently use that information, but once we remove the requirement for it, itās going to be more or less impossible to re-introduce it. Which means future tools wonāt be able to say things like ārefusing to uninstall FOO as local changes have been madeā. Is there any concrete reason for relaxing this requirement? (I donāt buy āsimplifies the specā and I donāt see the issue with expecting shebang rewriters to update the hash -
RECORDexplicitly doesnāt need a hash to make that process straightforward). - Iād like to see an explicit statement that tools which rely on Pythonās package databaseĀ¹ MUST refuse to uninstall projects that have no RECORD. See point (5) below, as well. (Tools like system package managers that rely on other data can do what they want - thereās no particular need to make this point, though).
- If
INSTALLERis intended for use in messages, the content should be usable in that context - so Iād suggest that the spec should say something like āthe file must contain a single line containing the name of the installer - for example āpipā or ācondaā or āMega-Corp Super Installerāā. - Question - if an installer omits RECORD, should it be required to write INSTALLER, so the user at least knows who to blame for the package that ānormalā tools canāt uninstall? (That can be a future revision, Iām not going to block acceptance on it, but I think itās a reasonable requirement).
Overall, though, this looks pretty good. No-one has raised any fundamental issues, so it looks like we have a reasonable consensus. If you can address the above points, Iām OK with accepting the PEP.
Ā¹ A minor cosmetic problem with this rewrite is thereās no longer a good noun phrase for āthe database of installed packagesā 
Yes, but then I have to choose when to be reminded. What I want is for the message to remain in my list of unread (and therefore āfor my attentionā) messages until I deal with it.
Another thing that sucks is that you can only have one reply āon the goā at any one time 
1 Like
Very much no. That would require installers to be able to write future-proof uninstall commands that work with all operating systems they support. Iām pretty sure weād end up with all sorts of broken corner cases if we tried to do this.
2 Likes
(I think I somehow managed to configure my account so that all this is feasible from my email client. ā Wanted to answer as private message, as to not pollute this topic, but it wonāt let me. I will stop here.)
Are you sure about this? This definely didnāt used to be the case, and some quick searching of the code I donāt see any checks done by pip. Conceptually speaking pip should not be locked to only uninstall things installed by pip, it should be barred from uninstalling things whom the source of truth is not the Python metadata.
1 Like
Iāll update.
Iād like to take the same view as PEP 376 (even though I donāt agree with it). That means the REQUESTED file is optional, but handling it is mandatory ā leaving it out must me a conscious choice.
Here Iām actually trying to keep the status quo. PEP 376 says āThe hash is either the empty string or [the data]ā. It also gives some examples and notes about when the hash and file size are left out ā specifically, .pyc, .pyo and RECORD are mentioned.
For the file size, it just says āthe fileās size in bytesā, but later examples/notes contradict that by leaving it out, so I read that as a shorthand for āeither the empty string, or fileās size in bytes, as a base 10 integer.ā
I believe thatās a valid interpretation, given how non-rigorous PEP 376 is generally. But I worded my PEP so that it works even for those who PEP 376 it as āfile size is mandatoryā.
I donāt want to get bogged down in specifying which files can have the details left out.
I believe individual tools can make good choices, and itās in their interest of serving users to allow messages like ārefusing to uninstall FOO as local changes have been madeā where possible.
But anyway, the proposed spec does say:
For other files, leaving the information out is not recommended, as it prevents verifying the integrity of the installed project.
OK, Iāll add that.
The proposed spec already says If present, INSTALLER is a single-line text file naming the tool used to install the project..
I didnāt say it this way in the PEP, since the āsingle-lineā and ācontains name of installerā requirements arenāt changed from PEP 627. Do you think itās necessary?
Uninstallers will need to handle missing INSTALLER anyway ā itās better if the spec acknowledges that the file can be missing.
For installers, again I think itās fine to rely on the tool to do whatās best for the users. Who knows what reasons to leave INSTALLER out might come up. IMO a spec should ensure interoperability, not good tools :ā)
Drat, I looked at this message and now I canāt āmark it as unreadā. Iāve bookmarked it for tomorrow, but Iāve no idea if alerts go anywhere Iāll notice. If I havenāt responded to this by Monday, ping me as it means Iāve forgotten.
(This is one place Discourse really sucks IMO).
1 Like
OK!
I took the opportunity to sneak in some edits into my earlier post. I also updated the PEP and spec proposal.
I found the comment āIf the installer is executable from the command line, INSTALLER
should contain the command nameā unclear, as I originally thought it allowed for tools to insert a full command line in there. But on reflection, thatās not true, and I think this is fine.
I think the rewording is worse, as itās no longer backward compatible. As worded. installers must write a REQUESTED file if thereās any chance that the user requested the install. But that would imply that consumers are allowed to assume that the lack of a REQUESTED file guarantees that the install wasnāt user-requested - which isnāt true, because existing installs donāt reliably add REQUESTED.
I think that like it or not, we need to acknowledge existing reality, which means that the presence of REQUESTED has to mean āthe installer is sure that the user requested this installā and consumers can rely on that, leaving "no REQUESTED file as meaning ānot user requested, or weāre not sure, or the installer didnāt record that informationā. Yes, that makes the data mostly useless, but we donāt have any good use cases for needing it anyway, so I think thatās acceptable.
Apart from the one issue around REQUESTED, and a typo that I noted against the PEP commit, I think this is OK now.
The intention was to give REQUESTED some useful semantics, with the caveat that tools donāt follow them, so the data is unreliable until the ecosystem catches up.
But, itās becoming clear that I canāt really salvage REQUESTED. I too canāt see any use case where it can work reliably today. So, Iād rather remove it from the spec altogether, which would mean REQUESTED becomes a tool-specific file that pip adds for its own use.
A different solution, which could encode all three values of yes/no/donāt know, can be standardized later.
Would that work?
I think itās clear at this point that thereās a question over REQUESTED. Letās get some feedback from others. Once we have some sort of consensus, you can update the PEP.
See https://github.com/pypa/pip/issues/7811 for the issue where adding REQUESTED to pip was discussed. That issue also notes that flit implements REQUESTED as well. But I donāt know of any code that uses REQUESTED, just tools that write itā¦ I think the only reason it got added to pip was because it was in the standardā¦ Maybe @sbidoul has a view here?
On a personal note, Iāve never seen an implementation of the sort of semantics that REQUESTED is trying to capture that worked. So frankly, Iād rather see it removed altogether. Itās one of those things where, if itās in the standards, tools must implement it (or risk devaluing the standard, as happened with PEP 376). But if there are no consumers of the data, implementing it is pointless.
Iām definitely -1 on having it remain in pip (and flit) if itās removed from the specification.
My vision is to have REQUESTED behave similarly as what can be done with apt-mark auto/manual in debian. In my mind this is a prerequisite for automatic removal scenarios.
Mid term, I see REQUESTED evolving to hold a version specifier so if the user installed āfoo<3.0ā, the pip resolver could use that information to keep the dependencies in the requested state when installing additional packages. (I think thatās how I responded to the upgrade strategies survey)
When working with disposable virtualenvs or with virtualenvs managed via a lockfile/requirements.txt this is not very useful I agree. When managing the --user environment however, having that feature similar to what linux package managers have sounds useful to me.
Iām not aware of any tool that make use of it today, but the REQUESTED spec makes sense to me and I figured implementing it in pip was a useful enablement first step.
I understand the discussion here mostly revolves around a transition when some tools implement it and other not? In that respect I would be strict in the spec: āinstallers MUST create REQUESTED for packages that it knows are user supplied, as opposed to dependenciesā. The transition period could be managed by asking confirmation to the user when auto-removing packages.
1 Like
That means the current spec ā neither PEP 376 nor my current proposal (permalink to current state) ā is adequate for the mid term. So this will need an update to the spec, and we lose nothing by not leaving REQUESTED out of the spec right now.
Unfortunately, there is no distinction between āthe file was installed automaticallyā and āthe file was installed with an older version of pipā. So, the information is pretty useless to consumers that would like to uninstall unneeded projects.
If you can design a spec that can express all three values, yes/no/donāt know, the transition will be much easier to manage.
So there are two possibilities?
- remove REQUESTED from the pep and specification and develop a new standard
- keep REQUESTED with a MUST language for installers, and mention that tools must ask user confirmation before taking destructive action based on the absence of REQUESTED, since itās absence may mean installers do not implement it correctly
It may be better to leave it out of the spec until fully implemented. Perhaps such specs could have a short section pointing to elements of the PEPs that have not been translated to specs by lack of sufficient implementation feedback (as opposed to PEP elements that have been abandoned)?
Short-term, any tool in its right mind will want to be compatible with pip, which now writes REQUESTED. And the PEP explicitly allows tool-specific files. So, strictly speaking I donāt think need any extra text in the spec. But I did add a note.
Iāve also updated the PEP so we have concrete text to discuss.
Pip is now free to experiment. Hopefully we get an update that standardizes an existing, proven implementation. Which answers:
Flit, sure. But I think pip should be free to drive this feature and then standardize it (probably as an optional extension which would take care of the backcompat troubles).
Iām speaking personally, not as PEP delegate here, but Iām not particularly interested in pip being the innovator over this. Iād personally argue that we remove it from pip until someone comes up with a usable spec for a replacement feature that can be standardised and addresses backward compatibility issues. An obvious approach would be to have a mandatory USER_REQUESTED file (we canāt use REQUESTED, as thatās been taken by PEP 376 ) that contained the values āyesā or ānoā, with a missing file meaning āinstalled by a tool that doesnāt respect this standardā.
I would expect @sbidoul to argue with me, though, and honestly I donāt care enough to block him working on this.
Nope, Iām not gonna argue 
If people think the backward compatibility issues are going to be a show stopper for REQUESTED, feel free to dump it.
1 Like
Is there anything more the PEP needs?
If you feel the REQUESTED issue has been addressed, let me know and Iāll take another look.