“Like wheels, but instead of a pre-built python package, it’s a pre-built python interpreter”
End goal: Pypi.org has pre-built packages for all Python versions on all popular platforms, so automated tools can easily grab any of them and set it up. It becomes quick and easy to try Python prereleases, pin Python versions in CI, make a temporary environment to reproduce a bug report that only happens on a specific Python point release, etc.
First step (this PEP): define a standard packaging file format to hold pre-built Python interpreters, that reuses existing Python packaging standards as much as possible.
Example pybi builds are available at pybi.vorpus.org. They’re zip files, so you can unpack them and poke around inside if you want to get a feel for how they’re laid out.
You can also look at the tooling I used to create them.
Filename: {distribution}-{version}[-{build tag}]-{platform tag}.pybi
This matches the wheel file format defined in PEP 427, except dropping the {python tag} and {abi tag} and changing the extension from .whl → .pybi.
For example:
Just like for wheels, if a pybi supports multiple platforms, you can separate them by dots to make a “compressed tag set”:
(Though in practice this probably won’t be used much, e.g. the above filename is more idiomatically written as cpython-3.9.5-macosx_11_0_universal2.pybi.)
A .pybi file is a zip file, that can be unpacked directly into an arbitrary location and then used as a self-contained Python environment. There’s no .data directory or install scheme keys, because the Python environment knows which install scheme it’s using, so it can just put things in the right places to start with.
The “arbitrary location” part is important: the pybi can’t contain any hardcoded absolute paths. In particular, any preinstalled scripts MUST NOT embed absolute paths in their shebang lines.
Similar to wheels’ <package>-<version>.dist-info directory, the pybi archive must contain a top-level directory named pybi-info/. (Rationale: calling it pybi-info instead dist-info makes sure that tools don’t get confused about which kind of metadata they’re looking at; leaving off the {name}-{version} part is fine because only one pybi can be installed into a given directory.) The pybi-info/ directory contains at least the following files:
And also there are some new, required keys described below.
Here’s an example of the new METADATA fields, before we give the full details:
Specification:
platform_release has similar issues.
Rationale: In many cases, this should allow a resolver running on Linux to compute package pins for a Python environment on Windows, or vice-versa, so long as the resolver has access to the target platform’s .pybi file. (Note that Requires-Python constraints can be checked by using the python_full_version value.) While we have to leave out a few keys sometimes, they’re either fairly useless (platform_version, platform_release) or can be reconstructed by the resolver (platform_machine).
The markers are also just generally useful information to have accessible. For example, if you have a pypy3-7.3.2 pybi, and you want to know what version of the Python language that supports, then that’s recorded in the python_version marker.
(Note: we may want to deprecate/remove platform_version and platform_release? They’re problematic and I can’t figure out any cases where they’re useful. But that’s out of scope of this particular PEP.)
These paths MUST be written in Unix format, using forward slashes as a separator, not backslashes.
It must be possible to invoke the Python interpreter by running {paths["scripts"]}/python. If there are alternative interpreter entry points (e.g. pythonw for Windows GUI apps), then they should also be in that directory under their conventional names, with no version number attached. (You can also have a python3.11 symlink if you want; there’s no rule against that. It’s just that python has to exist and work.)
Rationale: Pybi-Paths and Pybi-Wheel-Tags (see below) are together enough to let an installer choose wheels and install them into an unpacked pybi environment, without invoking Python. Besides, we need to write down the interpreter location somewhere, so it’s two birds with one stone.
Discussion: It would be nice™ if installers could compute a pybi’s corresponding wheel tags ahead of time, so that they could install wheels into the unpacked pybi without needing to actually invoke the python interpreter to query its tags – both for efficiency and to allow for more exotic use cases like setting up a Windows environment from a Linux host.
But unfortunately, it’s impossible to compute the full set of platform tags supported by a Python installation ahead of time, because they can depend on the final system:
In these two cases, an installation tool can still work out the appropriate set of wheel tags by computing the local platform tags, taking the wheel tag templates from Pybi-Wheel-Tag, and swapping in the actual supported platforms in place of the magic PLATFORM string.
However, there are other cases that are even more complicated:
To handle this, the installer needs to somehow understand that a manylinux_2_12_x86_64 pybi can use a manylinux_2_17_x86_64 wheel as long as those are both valid tags on the current machine, but a win32 pybi can’t use a win_amd64 wheel, even if those are both valid tags on the current machine.
So actually using Pybi-Wheel-Tag values is less trivial than it might seem, and they’re probably only useful with fairly sophisticated tooling. But, smart pybi installers will already have to understand a lot of these platform compatibility issues in order to select a working pybi, and for the cross-platform pinning/environment building case, users can potentially provide whatever information is needed to disambiguate exactly what platform they’re targeting. So, it’s still useful enough to include in the PyBI metadata – tools that don’t find it useful can simply ignore it.
You can probably generate these metadata values by running this script on the built interpreter:
This emits a JSON dict on stdout with separate entries for each set of pybi-specific tags.
Currently, symlinks are used by default in all Unix Python installs (e.g., bin/python3 -> bin/python3.9). And furthermore, symlinks are required to store macOS framework builds in .pybi files. So, unlike wheel files, we absolutely have to support symlinks in .pybi files for them to be useful at all.
The de-facto standard for representing symlinks in zip files is the Info-Zip symlink extension, which works as follows:
So if using Python’s zipfile module, you can check whether a ZipInfo represents a symlink by doing:
Or if using Rust’s zip crate, the equivalent check is:
If you’re on Unix, your zip and unzip commands probably understands this format already.
Normally, a RECORD file lists each file + its hash + its length:
For symlinks, we instead write:
That is: we use a special “hash function” called symlink, and then store the actual symlink target as the “hash value”. And the length is left empty.
Rationale: we’re already committed to the RECORD file containing a redundant check on everything in the main archive, so for symlinks we at least need to store some kind of hash, plus some kind of flag to indicate that this is a symlink. Given that symlink target strings are roughly the same size as a hash, we might as well store them directly. This also makes the symlink information easier to access for tools that don’t understand the Info-Zip symlink extension, and makes it possible to losslessly unpack and repack a Unix pybi on a Windows system, which someone might find handy at some point.
When a pybi creator stores a symlink, they MUST use both of the mechanisms defined above: storing it in the zip archive directly using the Info-Zip representation, and also recording it in the RECORD file.
Pybi consumers SHOULD validate that the symlinks in the archive and RECORD file are consistent with each other.
We also considered using only the RECORD file to store symlinks, but then the vanilla unzip tool wouldn’t be able to unpack them, and that would make it hard to install a pybi from a shell script.
Symlinks enable a lot of potential messiness. To keep things under control, we impose the following restrictions:
For example, if an archive has a symlink foo -> bar, and then later in the archive there’s a regular file named foo/blah.py, then a naive unpacker could potentially end up writing a file called bar/blah.py. Don’t be naive.
Unpackers MUST verify that these rules are followed, because without them attackers could create evil symlinks like foo -> /etc/passwd or foo -> ../../../../../etc + foo/passwd -> ... and cause havoc.
This isn’t really in the scope of this PEP, but since conda is a popular way to distribute binary Python interpreters, it’s a natural question.
The simple answer is: conda is great! But, there are lots of python users who aren’t conda users, and they deserve nice things too. This PEP just gives them another option.
The deeper answer is: the maintainers who upload packages to PyPI are the backbone of the Python ecosystem. They’re the first audience for Python packaging tools. And one thing they want is to upload a package once, and have it be accessible across all the different ways Python is deployed: in Debian and Fedora and Homebrew and FreeBSD, in Conda environments, in big companies’ monorepos, in Nix, in Blender plugins, in RenPy games, ….. you get the idea.
All of these environments have their own tooling and strategies for managing packages and dependencies. So what’s special about PyPI and wheels is that they’re designed to describe dependencies in a standard, abstract way, that all these downstream systems can consume and convert into their local conventions. That’s why package maintainers use Python-specific metadata and upload to PyPI: because it lets them address all of those systems simultaneously. Every time you build a Python package for conda, there’s an intermediate wheel that’s generated, because wheels are the common language that Python package build systems and conda can use to talk to each other.
But then, if you’re a maintainer releasing an sdist+wheels, then you naturally want to test what you’re releasing, which may depend on arbitrary PyPI packages and versions. So you need tools that build Python environments directly from PyPI, and conda is fundamentally not designed to do that. So conda and pip are both necessary for different cases, and this proposal happens to be targeting the pip side of that equation.
It might be cool to have an “sdist” equivalent for pybis, i.e., some kind of format for a Python source release that’s structured-enough to let tools automatically fetch and build it into a pybi, for platforms where prebuilt pybis aren’t available. But, this isn’t necessary for the MVP and opens a can of worms, so let’s worry about it later.
Pybi builders have the power to pick and choose what exactly goes inside. For example, you could include some preinstalled packages in the pybi’s site-packages directory, or prune out bits of the stdlib that you don’t want. We can’t stop you! Though if you do preinstall packages, then it’s strongly recommended to also include the correct metadata (.dist-info etc.), so that it’s possible for Pip or other tools to understand out what’s going on.
For my prototype “general purpose” pybi’s, what I chose is:
Rationale: for traditional standalone python installers that are targeted at end-users, you probably want to include at least pip, to avoid bootstrapping issues (PEP 453). But pybis are different: they’re designed to be installed by “smart” tooling, that consume the pybi as part of some kind of larger automated deployment process. It’s easier for these installers to start from a blank slate and then add whatever they need, than for them to start with some preinstalled packages that they may or may not want. (And besides, you can still run python -m ensurepip.)
Rationale: the top-level test module contains CPython’s own test suite. It’s huge (CPython without test is ~37 MB, then test adds another ~25 MB on top of that!), and essentially never used by regular user code. Also, as precedent, the official nuget packages, the official manylinux images, and multiple Linux distributions all leave it out, and this hasn’t caused any major problems.
So this seems like the best way to balance broad compatibility with reasonable download/install sizes.
No backwards compatibility considerations.
No security implications, beyond the fact that anyone who takes it upon themselves to distribute binaries has to come up with a plan to manage their security (e.g., whether they roll a new build after an OpenSSL CVE drops). But collectively, we core Python folks are already maintaining binary builds for all major platforms (macOS + Windows through python.org, and Linux builds through the official manylinux image), so even if we do start releasing official CPython builds on PyPI it doesn’t really raise any new security issues.
This isn’t targeted at end-users; their experience will simply be that e.g. their pyenv or tox invocation magically gets faster and more reliable (if those projects’ maintainers decide to take advantage of this PEP).
This document is placed in the public domain or under the CC0-1.0-Universal license, whichever is more permissive.
Source: https://github.com/python/peps/blob/main/peps/pep-0711.rst
Last modified: 2025-02-01 08:55:40 UTC