On 8 June 2017 at 17:40, Steve Dower <steve.do...@python.org> wrote: > I'm just going to straight up admit that I've lost track of the point of > this thread.
You have my sympathies - I'm not really following it either :-( > It sounds like we don't *need* to backport any of ssl into the Python 2.7 > standard library, as long as we can bundle a 3rd-party backport for pip? My understanding is that the PEP is asking to backport a new feature. The problem is that as a new feature, this received some (justifiable) pushback. The arguments for why this new feature is needed then got messy - as I understand it, it's something to do with how the requests library moves forward - they are blocked from supporting newer async features from 3.x because they need to support 2.7. This feature would relieve that logjam for them. Obviously, as a 3rd party library, their issues aren't particularly compelling for the stdlib - but because pip uses requests, and pip is shipped with Python, things get complicated. > I assume that, at a high level, the operation needed is to download content > over https using the system trust stores. Is that what we're trying to > achieve here? > > If it is, can we just provide an enhanced urlretrieve()? Certainly on > Windows, and presumably on macOS, it's much easier to do the high-level GET > operation than to reimplement it using primitives. The problem is that pip uses more features of requests than just issuing GET requests. We aren't going to be in a position to switch to a simple urlretrieve operation, even as some sort of fallback. What I'm personally not at all clear on is why we can't just ship a version of pip that supports 2.7 with 2.7, and a later version with 3.x. That doesn't make the problem for pip and requests any easier, but it does make it not python-dev's problem. The issue is that the gulf between 2.7 and 3.x is getting wider, and it's starting to cause real pain to 3rd party projects like requests. Does that justify backporting this specific feature to 2.7? I don't know. Note that I haven't actually read the original PEP. I don't have a view on networking issues, security, or Python 2.7 support. So I didn't really feel the need to more than skim this thread. My only interest really is where pip gets involved - and that's where I get confused as I don't really see why (ensure)pip makes the problem so much more complicated. Paul PS I'd be amazed if my summary above isn't wrong in at least some key points. Corrections welcome! _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
