
gh-98331: Update bundled pip to 22.3

Open pfmoore opened this issue 1 year ago • 2 comments

  • Issue: gh-98331

pfmoore avatar Oct 16 '22 15:10 pfmoore

@pablogsal It would be good if this could be included in the Python 3.11 final release, although I appreciate it's very late notice.

I should note that the new version of pip was just released this weekend, and if there are issues we may need to follow up with a bugfix release. While I hope there won't be any issues (there are no major changes in this release) obviously I can't guarantee that. I would be pushing hard for any such bugfix release to happen before next weekend, if one were needed. I don't know whether this possibility would affect your decision about including this patch (and/or any possible bugfix release) in 3.11 final, but I thought I should make you aware 🙂

I'll set up a backport to 3.11, for inclusion in 3.11.1, regardless.

pfmoore avatar Oct 16 '22 15:10 pfmoore

Thanks for checking with me! 👍

One thing that would help me evaluate the risk better is if you could walk me through what improvements or bugfixes are important to get into 11.0.0. Is there any security fix or similar?

pablogsal avatar Oct 16 '22 15:10 pablogsal

There are no major changes in 22.3 that are critical. The main reason for bundling the latest version is to allow users to not have to upgrade pip immediately on installing Python or creating a venv. So it's mostly a "quality of life" improvement, in that sense. Having the bundled pip be out of date is far from unusual, but it feels off to release a new version of pip and then immediately release a Python version that has an out of date pip[^1].

The only security-related change is that this version of pip bundles the latest certifi, so the certificates we use are more up to date. That's arguably important, but I wouldn't over-emphasise it (after all, we don't rush pip releases every time certifi adds new certificates, so it'd be hypocritical for me to try to claim it's crucial here...)

[^1]: We are talking about trying to bring pip's release cycle better into line with Python's, but we didn't manage to make the change for this release.

pfmoore avatar Oct 16 '22 16:10 pfmoore

One other question, just to make sure I don't mess anything up - if I merge this and then trigger a backport to 3.11, that will go onto the 3.11 branch ready for 3.11.1, won't it - it won't affect the release branch?

pfmoore avatar Oct 16 '22 17:10 pfmoore

I went ahead and approved it, but you should also wait for @pablogsal's approval.

warsaw avatar Oct 16 '22 18:10 warsaw

@pablogsal A gentle reminder - am I OK to merge and backport this for 3.12/3.11.1 etc?

pfmoore avatar Oct 18 '22 11:10 pfmoore

> @pablogsal A gentle reminder - am I OK to merge and backport this for 3.12/3.11.1 etc?

Apologies for the delay!

Yeah, doing the backport is ok. I am still thinking about including it in 3.11.0, but I think it makes sense.

pablogsal avatar Oct 18 '22 13:10 pablogsal

Thanks @pfmoore for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10. 🐍🍒⛏🤖

miss-islington avatar Oct 18 '22 14:10 miss-islington

Thanks @pfmoore for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11. 🐍🍒⛏🤖

miss-islington avatar Oct 18 '22 14:10 miss-islington

GH-98399 is a backport of this pull request to the 3.10 branch.

bedevere-bot avatar Oct 18 '22 14:10 bedevere-bot

GH-98400 is a backport of this pull request to the 3.11 branch.

bedevere-bot avatar Oct 18 '22 14:10 bedevere-bot

> I am still thinking about including it in 3.11.0, but I think it makes sense.

FWIW, we haven't had any major issues reported, so I'm (cautiously!) optimistic that we won't need a 22.3.1 bugfix release.

pfmoore avatar Oct 18 '22 15:10 pfmoore