After #254, pip is now installed into its own layer rather than into the system site-packages directory inside the Python layer.
This means it's now possible to exclude pip from the final app image, by making the pip layer be a build-only layer.
Excluding pip from the final app image:
Prevents several classes of user error/confusion/bad app design patterns seen in support tickets (see #255 for more details).
Reduces app image supply chain surface area.
Reduces app image size by 13 MB and layer count by 1, meaning less to have to push to a remote registry.
Matches the approach used for Poetry, where we don't make Poetry available at run-time either.
Users that need pip at run-time for a temporary debugging task can run python -m ensurepip --default-pip in the container at run-time to make it available again (this command doesn't even have to download anything - it uses the pip bundled with Python).
Or if pip is an actual run-time dependency of the app, then the app can add pip to its requirements.txt (which much more clearly conveys the requirements of the app, and also allows the app to pick what pip version it needs at run-time - something that isn't possible with the pip installed by the buildpack).
Should we find that pip's absence causes confusion in the future, we could always add a wrapper/shim pip script in the app image which does something like echo "pip isn't installed at run-time, if you need it temporarily run 'python -m ensurepip --default-pip' to install it" && exit 1 to improve discoverability. We'll also document pip (and Poetry) being available at build-time only in the docs that will be added by #11.
Closes #255. GUS-W-16697386.
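A check one could run inside a built app image to confirm pip really is absent, as an added example that is not part of this PR or the buildpack. The function names and the sample layout are constructed, and it assumes any pip install would show up in the interpreter's site-packages directories or on PATH.

```python
import os
import re
import site
import tempfile
from pathlib import Path

# "pip-<version>.dist-info" metadata dirs; must not match e.g. "pipenv-...".
PIP_DIST_INFO = re.compile(r"^pip-\d[^-]*\.dist-info$")
# Console scripts pip installs: pip, pip3, pip3.12 (plus .exe on Windows).
PIP_SCRIPT = re.compile(r"^pip(\d+(\.\d+)?)?(\.exe)?$")


def find_pip(site_dirs, path_dirs):
    """Return sorted paths of pip packages, metadata and scripts found."""
    hits = []
    for d in map(Path, site_dirs):
        if not d.is_dir():
            continue
        for entry in d.iterdir():
            is_pkg = entry.name == "pip" and (entry / "__init__.py").is_file()
            if is_pkg or PIP_DIST_INFO.match(entry.name):
                hits.append(str(entry))
    for d in map(Path, path_dirs):
        if d.is_dir():
            hits += [str(e) for e in d.iterdir() if PIP_SCRIPT.match(e.name)]
    return sorted(hits)


def demo():
    """Run find_pip over a constructed layout (names and version made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkgs, bin_dir = Path(tmp, "site-packages"), Path(tmp, "bin")
        (pkgs / "pip").mkdir(parents=True)
        (pkgs / "pip" / "__init__.py").touch()
        (pkgs / "pip-24.0.dist-info").mkdir()
        (pkgs / "pipenv-2024.0.1.dist-info").mkdir()  # must not be reported
        bin_dir.mkdir()
        for name in ("pip", "pip3", "python3", "pipenv"):
            (bin_dir / name).touch()
        found = find_pip([pkgs], [bin_dir])
        return [Path(p).relative_to(tmp).as_posix() for p in found]


if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    path = [p for p in os.environ.get("PATH", "").split(os.pathsep) if p]
    hits = find_pip(dirs, path)
    print("\n".join(hits) or "pip not present")
    raise SystemExit(1 if hits else 0)
```

Run as a script, it exits non-zero and lists what it found if pip is still present, so it can gate an image build in CI.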