Pip: Installation via `get-pip.py` can be made single line in docs
What's the problem this feature will solve?
Installation docs currently suggest a two step process for installing usingn curl and get-pip.py. This could be made simpler by piping the output from curl to python.
Describe the solution you'd like
curl -L https://bootstrap.pypa.io/get-pip.py | python
Alternative Solutions
The current way is not too bad either, its a minor optimization in user's experience.
Additional context
Was installing it myself and discovered this could be improved. Couldn't find a better category to submit this issue as.
saytosid
All 3 comments
I am not sure if pipe is available on Windows Command Prompt, for which this instruction applies as well.
Also this solution might not be extensible in other cases, e.g. when we want to invoke get-pip.py with options
deveshks
on 16 Jun 2020
Also, I think that piping the download direct to Python encourages people to execute unreviewed code direct from the web, which maybe isn't what we want.
pfmoore
on 16 Jun 2020
It is, generally, considered best practice to avoid / not suggest users to do curl | sh.
There are a lot of opinion pieces about this topic, on the Internet. While I'm not going to attempt to provide a summary of the various arguments here, here's one of the pieces talking about the pitfalls of recommending curl | sh. The security concerns, the correctness concerns and more are relevant to get-pip.py, and as Paul pointed out, we don't want users to get used to doing things this way.
I'm going to go ahead and close this issue now, since this has been discussed in the past (I can't find the issue/PR where this was discussed last, at the moment). Thanks @saytosid for filing this issue! ^.^
pradyunsg
on 16 Jun 2020
Related issues
jiapei100
·
3Comments
lululukas
·
3Comments
cjolowicz
·
3Comments
yizhang-zen
·
3Comments
sbidoul
·
3Comments
Most helpful comment
Also, I think that piping the download direct to Python encourages people to execute unreviewed code direct from the web, which maybe isn't what we want.