Paul Moore

So with #12107, the vendoring can be ripped out of this PR, leaving it being just the implementation of the transition process for making truststore the default, correct? That seems...

> Can we assume that sign has well and truly come? Yes, I think we can see `config_settings` getting used now. Not that it makes much difference here - I...

I would be happy to remove the filter, on the basis that anyone devendoring should be reviewing our patches and making arrangements to cover whatever fixes they make. But I'll...

> I think the solutions to these should be subtly different. I think having (potentially) two subtly different approaches to handle two subtly different problems is not a particularly good...

> I wonder what's the goal of constraints then if they can be overwritten implicitly My problem with this whole discussion is similar - what's the point of constraints if...

In general, I tend to agree with @notatallshaw's statement, in the comment linked above: > That said I think user built templating solutions are a reasonable solution to this problem....

I'm going to push back on this because you (or more accurately the `importlib.metadata` docs) haven't explained *why* our implementation isn't acceptable. It may well be that we could do...

> Does that clarify? Would you like to see more explanation in the Extending docs as well? An explicit note in the narrative text about `DatabaseDistribution` would be helpful, that...

It would be nice to have a test for this - but I note that #8603 didn't include a test, so I'm inclined to accept this without a test and...

Following the chain of calls leads to `os.path.realpath(tempfile.mkdtemp(prefix=f"pip-{kind}-"))`. Can you confirm what that call returns in your environment? (Clearly you can just use any old prefix for the call). If...