Support bootstrap installations with pip install --user about pipx HOT 8 CLOSED

FYI pipx-app is currently available in Debian testing as "python-pipx" https://packages.debian.org/source/buster/python-pipx 🎉

from pipx.

I've also uploaded an AUR package for archlinux + friends
https://aur.archlinux.org/packages/python-pipx/

So who is going to make the RPM? :P :D

from pipx.

A new package called pipx-bootstrap has been published to PyPI and installation instructions in pipx have been updated.

https://github.com/cs01/pipx-bootstrap
https://pypi.org/project/pipx-bootstrap/

from pipx.

The following method kind of works...

pip install --user pipx-app
pipx list # empty list
pipx install pipx-app # complains that symlink is not installed
pipx list # pipx is now listed

...but /home/user/.local/bin/pipx is not a symlink to /home/user/.local/pipx/venvs/pipx-app/bin/pipx

Would the follow steps suffice:

pip uninstall pipx
ln -s $HOME/.local/pipx/venvs/pipx-app/bin/pipx $HOME/.local/bin/pipx

Which would mean a bootstrap installation could be performed with pip as follows:

pip install --user pipx-app
pipx install pipx-app
pip uninstall pipx-app
ln -s $HOME/.local/pipx/venvs/pipx-app/bin/pipx $HOME/.local/bin/pipx

Does this sound right?

from pipx.

I only install non-distro packages with installers I trust, so that I reduce the risk of running malicious code.

When pip installs a non-wheel package (which unfortunately still exist) it runs setup.py which is quite literally arbitrary python code that usually happens to follow the convention of importing setuptools and running setuptools.setup(). Not only that, even for the case of wheels which don't run setup.py there is no guarantee the code you download from PyPI is the same code the project claims is on github, so you'd have to download each wheel (and its dependencies!), unzip it, then diff its source code to the github source to be sure you're running what you think you are. Contrasted to being able to directly inspect the code being run by curl, it's actually easier to verify you're using the right code with the curl method.

Other projects including poetry, pipenv, pipsi, and even pip itself have a get-*.py installer script that you need to curl.

Regardless, I do agree with you that being able to install pipx using only pip seems like a nicer installation method and I love how creative you got with figuring out a way to do this!

/home/user/.local/bin/pipx is not a symlink to /home/user/.local/pipx/venvs/pipx-app/bin/pipx

I'm not sure why this would be the case. It worked for me. But the general approach of installing pipx-app from pipx is great and makes sense.

Here is a working method to do this now in the short term.

python3 -m venv venv
source venv/bin/activate
python -m pip install -U pip
python -m pip install pipx-app   # installs pipx-app to venv/lib/python/site-packages/
pipx install pipx-app  # installs pipx-app to ~/.local/pipx/venvs/pipx-app/
deactivate
rm -r venv
echo -e '\nexport PATH="$HOME/.local/bin:$PATH"\n' >> ~/.bashrc  # assuming you are using bash

Long term I'd like a way to automate the PATH modification, maybe with a separate installer package like you said, or maybe adding a new entrypoint to pipx-app such as pipx-ensurepath (which would replace the echo command) or just pipx-bootstrap like you said but as part of pipx-app.

from pipx.

Thanks for the recipe! I'll close the ticket as soon as I've had a chance to test it. I'll leave the ticket open since you've said a solution is on your roadmap.

I concur with your security assessment (1, 2, 3) but I'm more hopeful of a single/centralised PyPI solution (4, 5) than manual review of individual downloads. That said, as you've pointed out, arbitrary code is arbitrary code! Let the downloader beware!

IMHO you shouldn't take responsibility for adding ~/.local/bin to $PATH because it's insanely non-trivial for bash and it should be there already. Instructions in the README should suffice, and when pipx-app is packaged by distros (one day!) they will take responsibility for it.

from pipx.

IMHO you shouldn't take responsibility for adding ~/.local/bin to $PATH because it's insanely non-trivial for bash and it should be there already. Instructions in the README should suffice, and when pipx-app is packaged by distros (one day!) they will take responsibility for it.

Yeah it is a little tricky and probably impossible to get it right everywhere. get-pipx.py, get-pipsi.py and get-poetry.py all do this (though admittedly I wrote the first two). I assume it's doing okay because nobody is complaining, and if it fails it prints manual instructions. I took a chance with it after I saw Rust doing it.

https://www.rust-lang.org/en-US/install.html

Accordingly, it is customary for Rust developers to include this directory in their PATH environment variable. During installation rustup will attempt to configure the PATH. Because of differences between platforms, command shells, and bugs in rustup, the modifications to PATH may not take effect until the console is restarted, or the user is logged out, or it may not succeed at all. If, after installation, running rustc --version in the console fails, this is the most likely reason.

from pipx.

Awesome, thank you!

from pipx.