Protect pip and Setuptools about passa HOT 4 CLOSED

I always thought this was dumb, we should let people screw things up if they want

from passa.

One thing to consider (I think) is a package might be screwing the user. Say a package want to make sure it’s installed by pip 10.0 or later. A package maintainer without understanding well about Python packaging (gotta admit it’s difficult to do), (s)he might list pip>=10.0 in installs_require. This would mean that the user would have pip==18.0 in the lock file, and wouldn’t be able to upgrade to later pip until the lock file is regenerated. But that’s a thing I’d want to avoid. (This is unfortunately a quite common problem in Python packaging; even big-name packages such as pytest tend to list setuptools in installs_require instead of setup_requires and PEP 518, because that has the best compatibility with old versions of pip.)

If the goal is to allow user to screw things up, maybe the best approach is to drop setuptools and pip requirements, unless they are listed in Pipfile. This would be straightforward to do (I think)—just exclude them from the return value of get_dependencies. Requirements listed in Pipfile don’t go through that function, so they won’t be excluded, but other requirements do go through there, and will be prevented from messing with the user.

from passa.

FYI we may want to protect wheel also

from passa.

I don’t think wheel is strictly required to install packages; pip currently falls back to setup.py install if wheel is missing (and when build isolation is disabled). I want to keep the protected set as small as possible; we can always amend it if we need to, but if we protect it now, we may never be able to remove it in the future.

from passa.