Create appendix for the tools survey

Signed-off-by: Fridolin Pokorny <fridolin.pokorny@datadoghq.com>
python · dstufft · Apr 3, 2023 · Mar 27, 2023 · Mar 27, 2023 · Mar 28, 2023
commit 6c9e95cae8854565e7f4519586e009c6058a8e92
@@ -189,110 +189,8 @@ A comprehensive survey of the existing installers, libraries, and dependency
 managers in the Python ecosystem analyzed the implications of adding support for
 ``provenance_url.json`` to each tool.
 In summary, no major backwards compatibility issues, conflicts or feasibility blockers
-were found as of the time of writing of this PEP.
-pip
-~~~
-
-The function from pip's internal API responsible for installing wheels, named
-`_install_wheel
-<https://github.com/pypa/pip/blob/10d9cbc601e5cadc45163452b1bc463d8ad2c1f7/src/pip/_internal/operations/install/wheel.py#L432>`__,
-does not store any ``provenance_url.json`` file in the ``.dist-info``
-directory. Additionally, a prototype introducing the mentioned file to pip in
-`pypa/pip#11865`_ demonstrates incorporating logic for handling the
-``provenance_url.json`` file in pip's source code.
-
-As pip is used by some of the tools mentioned below to install Python package
-distributions, findings for pip apply to these tools as well as pip does not
-allow parametrizing creation of files in the ``.dist-info`` directory in its
-internal API. Most of the tools mentioned below that use pip invoke pip as a
-subprocess which has no effect on the eventual presence of the
-``provenance_url.json`` file in the ``.dist-info`` directory.
-
-distlib
-~~~~~~~
-
-`distlib`_ implements low-level functionality to manipulate the
-``dist-info`` directory. The database of installed distributions does not use
-any file named ``provenance_url.json``, based on `the distlib's source code
-<https://github.com/pypa/distlib/blob/05375908c1b2d6b0e74bdeb574569d3609db9f56/distlib/database.py#L39-L40>`__.
-
-Pipenv
-~~~~~~
-
-`Pipenv`_ uses pip `to install Python package distributions
-<https://github.com/pypa/pipenv/blob/babd428d8ee3c5caeb818d746f715c02f338839b/pipenv/routines/install.py#L262>`__.
-There wasn't any additional identified logic that would cause backwards
-compatibility issues when introducing the ``provenance_url.json`` file in the
-``.dist-info`` directory.
-
-installer
-~~~~~~~~~
-
-`installer`_ does not create a ``provenance_url.json`` file explicitly.
-Nevertheless, as per the :ref:`Recording Installed Projects <packaging:recording-installed-packages>`
-specification, installer allows passing the ``additional_metadata`` argument to
-create a file in the ``.dist-info`` directory - see `the source code
-<https://github.com/pypa/installer/blob/f89b5d93a643ef5e9858a6e3f450c83a57bbe1f1/src/installer/_core.py#L67>`__.
-To avoid any backwards compatibility issues, any library or tool using
-installer must not request creating the ``provenance_url.json`` file using the
-mentioned ``additional_metadata`` argument.
-
-Poetry
-~~~~~~
-
-The installation logic in `Poetry`_ depends on the
-``installer.modern-installer`` configuration option (`see docs
-<https://python-poetry.org/docs/configuration#installermodern-installation>`__).
-
-For cases when the ``installer.modern-installer`` configuration option is set
-to ``false``, Poetry uses `pip for installing Python package distributions
-<https://github.com/python-poetry/poetry/blob/2b15ce10f02b0c6347fe2f12ae902488edeaaf7c/src/poetry/installation/executor.py#L543-L544>`__.
-
-On the other hand, when ``installer.modern-installer`` configuration option is
-set to ``true``, Poetry uses `installer to install Python package distributions
-<https://github.com/python-poetry/poetry/blob/2b15ce10f02b0c6347fe2f12ae902488edeaaf7c/src/poetry/installation/wheel_installer.py#L99-L109>`__.
-As can be seen from the linked sources, there isn't passed any additional
-metadata file named ``provenance_url.json`` that would cause compatibility
-issues with this PEP.
-
-Conda
-~~~~~
-
-`Conda`_ does not create any ``provenance_url.json`` file
-`when Python package distributions are installed
 <https://github.com/conda/conda/blob/86e83925e17c68233ac659633bdc4d76b05a245a/conda/common/pkg_formats/python.py#L370-L390>`__.
-
-Hatch
-~~~~~
-
-`Hatch`_ uses pip `to install project dependencies
-<https://github.com/pypa/hatch/blob/dd6e9545a355a0b5b58e065b489c1ef087e3bcaf/src/hatch/env/system.py#L28-L29>`__.
-
-micropipenv
-~~~~~~~~~~~
-
-As `micropipenv`_ is a wrapper on top of pip, it uses
-pip to install Python distributions, for both `lock files
-<https://github.com/thoth-station/micropipenv/blob/8176862ec96df23e152938659d6f45645246e398/micropipenv.py#L393>`__
-as well as `for requirements files
-<https://github.com/thoth-station/micropipenv/blob/8176862ec96df23e152938659d6f45645246e398/micropipenv.py#L977>`__.
-
-Thamos
-~~~~~~
-
-`Thamos`_ uses micropipenv `to install Python package
-distributions
-<https://github.com/thoth-station/thamos/blob/234351025c77cfe28b0df07f7ee017469b57d3f4/thamos/lib.py#L1290>`__,
-hence any findings for micropipenv apply for Thamos.
-
-PDM
-~~~
-
-`PDM`_ uses installer `to install binary distributions
-<https://github.com/pdm-project/pdm/blob/d39a8e5b36c37093ea31e666d0e55fe21b38c16b/src/pdm/installers/installers.py#L241>`__.
-The only additional metadata file it eventually creates in the ``.dist-info``
-directory is `the REFER_TO file
-<https://github.com/pdm-project/pdm/blob/d39a8e5b36c37093ea31e666d0e55fe21b38c16b/src/pdm/installers/installers.py#L197>`__.
+were found as of the time of writing of this PEP. More details about the survey
+can be found in `Appendix: Survey of installers and libraries`_.
 
 Compatibility with direct_url.json
 ----------------------------------
@@ -556,6 +454,113 @@ were intentionally left out of this PEP. However, any input by developers or
 maintainers of these installers is valuable to possibly enrich the
 ``provenance_url.json`` file with information that would help in some way.
 
+Appendix: Survey of installers and libraries
+============================================
+
+pip
+---
+
+The function from pip's internal API responsible for installing wheels, named
+`_install_wheel
+<https://github.com/pypa/pip/blob/10d9cbc601e5cadc45163452b1bc463d8ad2c1f7/src/pip/_internal/operations/install/wheel.py#L432>`__,
+does not store any ``provenance_url.json`` file in the ``.dist-info``
+directory. Additionally, a prototype introducing the mentioned file to pip in
+`pypa/pip#11865`_ demonstrates incorporating logic for handling the
+``provenance_url.json`` file in pip's source code.
+
+As pip is used by some of the tools mentioned below to install Python package
+distributions, findings for pip apply to these tools as well as pip does not
+allow parametrizing creation of files in the ``.dist-info`` directory in its
+internal API. Most of the tools mentioned below that use pip invoke pip as a
+subprocess which has no effect on the eventual presence of the
+``provenance_url.json`` file in the ``.dist-info`` directory.
+
+distlib
+-------
+
+`distlib`_ implements low-level functionality to manipulate the
+``dist-info`` directory. The database of installed distributions does not use
+any file named ``provenance_url.json``, based on `the distlib's source code
+<https://github.com/pypa/distlib/blob/05375908c1b2d6b0e74bdeb574569d3609db9f56/distlib/database.py#L39-L40>`__.
+
+Pipenv
+------
+
+`Pipenv`_ uses pip `to install Python package distributions
+<https://github.com/pypa/pipenv/blob/babd428d8ee3c5caeb818d746f715c02f338839b/pipenv/routines/install.py#L262>`__.
+There wasn't any additional identified logic that would cause backwards
+compatibility issues when introducing the ``provenance_url.json`` file in the
+``.dist-info`` directory.
+
+installer
+---------
+
+`installer`_ does not create a ``provenance_url.json`` file explicitly.
+Nevertheless, as per the :ref:`Recording Installed Projects <packaging:recording-installed-packages>`
+specification, installer allows passing the ``additional_metadata`` argument to
+create a file in the ``.dist-info`` directory - see `the source code
+<https://github.com/pypa/installer/blob/f89b5d93a643ef5e9858a6e3f450c83a57bbe1f1/src/installer/_core.py#L67>`__.
+To avoid any backwards compatibility issues, any library or tool using
+installer must not request creating the ``provenance_url.json`` file using the
+mentioned ``additional_metadata`` argument.
+
+Poetry
+------
+
+The installation logic in `Poetry`_ depends on the
+``installer.modern-installer`` configuration option (`see docs
+<https://python-poetry.org/docs/configuration#installermodern-installation>`__).
+
+For cases when the ``installer.modern-installer`` configuration option is set
+to ``false``, Poetry uses `pip for installing Python package distributions
+<https://github.com/python-poetry/poetry/blob/2b15ce10f02b0c6347fe2f12ae902488edeaaf7c/src/poetry/installation/executor.py#L543-L544>`__.
+
+On the other hand, when ``installer.modern-installer`` configuration option is
+set to ``true``, Poetry uses `installer to install Python package distributions
+<https://github.com/python-poetry/poetry/blob/2b15ce10f02b0c6347fe2f12ae902488edeaaf7c/src/poetry/installation/wheel_installer.py#L99-L109>`__.
+As can be seen from the linked sources, there isn't passed any additional
+metadata file named ``provenance_url.json`` that would cause compatibility
+issues with this PEP.
+
+Conda
+-----
+
+`Conda`_ does not create any ``provenance_url.json`` file
+`when Python package distributions are installed
+<https://github.com/conda/conda/blob/86e83925e17c68233ac659633bdc4d76b05a245a/conda/common/pkg_formats/python.py#L370-L390>`__.
+
+Hatch
+-----
+
+`Hatch`_ uses pip `to install project dependencies
+<https://github.com/pypa/hatch/blob/dd6e9545a355a0b5b58e065b489c1ef087e3bcaf/src/ha
8000
tch/env/system.py#L28-L29>`__.
+
+micropipenv
+-----------
+
+As `micropipenv`_ is a wrapper on top of pip, it uses
+pip to install Python distributions, for both `lock files
+<https://github.com/thoth-station/micropipenv/blob/8176862ec96df23e152938659d6f45645246e398/micropipenv.py#L393>`__
+as well as `for requirements files
+<https://github.com/thoth-station/micropipenv/blob/8176862ec96df23e152938659d6f45645246e398/micropipenv.py#L977>`__.
+
+Thamos
+------
+
+`Thamos`_ uses micropipenv `to install Python package
+distributions
+<https://github.com/thoth-station/thamos/blob/234351025c77cfe28b0df07f7ee017469b57d3f4/thamos/lib.py#L1290>`__,
+hence any findings for micropipenv apply for Thamos.
+
+PDM
+---
+
+`PDM`_ uses installer `to install binary distributions
+<https://github.com/pdm-project/pdm/blob/d39a8e5b36c37093ea31e666d0e55fe21b38c16b/src/pdm/installers/installers.py#L241>`__.
+The only additional metadata file it eventually creates in the ``.dist-info``
+directory is `the REFER_TO file
+<https://github.com/pdm-project/pdm/blob/d39a8e5b36c37093ea31e666d0e55fe21b38c16b/src/pdm/installers/installers.py#L197>`__.
+
 References
 ==========