Exclude pip from the app image #255

Closed
edmorley opened this issue Aug 29, 2024 · 1 comment · Fixed by #264
Labels: enhancement (New feature or request), semver: major

Comments

edmorley (Member) commented Aug 29, 2024

Once pip is installed into its own layer (see #254), it will be possible to make the layer be a build time only layer (and thus exclude pip from the run image) should we wish.

Doing so would:

  • prevent support tickets where customers have tried to add dependencies to their app in a one-off dyno at run-time using pip install, not realising that each dyno is separate and has an ephemeral filesystem (this happens more than one might expect)
  • prevent the pitfalls from apps trying to pip install packages at app boot (e.g. via web: pip install foo && ... in their Procfile) - which leads to slow app boot, non-determinism (each time a dyno boots a different version of a package or its transitive dependencies can be installed), and reliability issues (if PyPI is down the app can't start)
  • help with the supply chain surface area (which will become increasingly relevant once we add SBOMs and users start being more app-image dependency conscious)
  • reduce app image size by 13 MB
  • mean fewer layers have to be pushed to the remote registry
  • match the approach used for Poetry apps, where we don't make Poetry available at run-time either.

Users that needed pip at run-time for a temporary task could use python -m ensurepip --default-pip to make it available again (this command doesn't even have to download anything - it uses the pip bundled with Python).

Or if pip is an actual run-time dependency of the app, then the app can add pip to its requirements.txt (which much more clearly conveys the requirements of the app, and also allows the app to pick what pip version it needs at run-time - something that isn't possible with the pip installed by the buildpack).

Open questions:

  1. Are there any use-cases (beyond one-off debugging) that need pip at run-time? (pip doesn't have a pip run type command, so I'm struggling to come up with any use-cases where it might be used as part of normal day to day app operation)
  2. Should we add a shim pip script that does something like echo "pip isn't installed at run-time, if you need it temporarily run 'python -m ensurepip --default-pip' to install it" && exit 1 to improve discoverability?
  3. Should there be an option to make pip be permanently available at run-time after all? (Though I'd prefer not to add extra options where possible)

GUS-W-16697386.
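As an added example, not part of this issue or of the buildpack's own code, the following POSIX sh check is what a practitioner could run against an exported and unpacked run image to confirm that the pip layer really was excluded (the `layers/...` path layout and the pip version in the constructed fixture are assumptions made for the demonstration):

```shell
#!/bin/sh
# Added example (not from the buildpack): scan an unpacked image rootfs (or a
# single layer directory) and report pip artifacts that would indicate pip
# leaked into the run image. The directory layout below is assumed, not the
# buildpack's documented one.

# find_pip_artifacts ROOT
# Prints every path under ROOT that looks like a pip install: the pip/pip3
# console scripts under a bin/ directory, and the pip package directory or
# pip-*.dist-info metadata directory under a site-packages directory.
find_pip_artifacts() {
    root=$1
    find "$root" \( -type f -o -type l \) \( -name pip -o -name 'pip3*' \) \
        -path '*/bin/*' 2>/dev/null
    find "$root" -type d \( -name pip -o -name 'pip-*.dist-info' \) \
        -path '*site-packages/*' 2>/dev/null
}

# check_pip_absent ROOT
# Returns 0 when no pip artifacts are found under ROOT, 1 otherwise (listing
# the offending paths on stderr so the check can gate a CI job).
check_pip_absent() {
    hits=$(find_pip_artifacts "$1")
    if [ -n "$hits" ]; then
        printf 'pip artifacts found under %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# make_sample_rootfs DIR WITH_PIP
# Constructs a minimal fake rootfs for demonstration only: a python binary in
# a python layer and, when WITH_PIP is "yes", a pip layer laid out like a user
# site-packages install. The version string 24.2 is a made-up sample value.
make_sample_rootfs() {
    dir=$1
    mkdir -p "$dir/layers/python/bin" \
             "$dir/layers/python/lib/python3.12/site-packages"
    : > "$dir/layers/python/bin/python"
    if [ "$2" = yes ]; then
        mkdir -p "$dir/layers/pip/bin" \
                 "$dir/layers/pip/lib/python3.12/site-packages/pip" \
                 "$dir/layers/pip/lib/python3.12/site-packages/pip-24.2.dist-info"
        : > "$dir/layers/pip/bin/pip"
        : > "$dir/layers/pip/bin/pip3"
    fi
}

# Usage against a real unpacked image, for example after exporting the
# container filesystem to a tarball and extracting it:
#   check_pip_absent /path/to/rootfs && echo "run image is pip-free"
```

The two `find` passes are deliberately narrow: a directory merely named `pip` (such as a `layers/pip` layer directory that was kept as a build-only layer) is not reported unless it sits under `site-packages`, so the check flags the installed package rather than the layer name.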

@edmorley edmorley added enhancement New feature or request semver: major labels Aug 29, 2024
edmorley added a commit that referenced this issue Aug 30, 2024
pip is now installed into its own layer (as a user site-packages
install) instead of into system site-packages in the Python layer.

This is possible now that the user site-packages is no longer being
used for app dependencies, after the switch to venvs in #257.

pip being in its own layer has the following advantages:
1. We can more easily exclude pip from the build/run images when using
   other package managers (such as for the upcoming Poetry support).
2. A change in pip version no longer unnecessarily invalidates the
   Python layer.
3. In the future we could more easily exclude pip from the run image
   entirely, should we wish (see #255).

This has been split out of the Poetry PR for easier review.

Closes #254.
GUS-W-16616956.
edmorley added a commit that referenced this issue Aug 30, 2024
pip is now installed into its own layer (as a user site-packages
install) instead of into system site-packages in the Python layer.

This is possible now that the user site-packages location is no longer
being used for app dependencies, after the switch to venvs in #257.

pip being in its own layer has the following advantages:
1. We can more easily exclude pip from the build/run images when using
   other package managers (such as for the upcoming Poetry support).
2. A change in pip version no longer unnecessarily invalidates the
   Python layer.
3. In the future we could more easily exclude pip from the run image
   entirely, should we wish (see #255).

This has been split out of the Poetry PR for easier review.

Closes #254.
GUS-W-16616956.
@edmorley edmorley changed the title Exclude pip from the run image Exclude pip from the app image Sep 4, 2024
edmorley added a commit that referenced this issue Sep 4, 2024
After #254, pip is now installed into its own layer rather than into the
system site-packages directory inside the Python layer.

This means it's now possible to exclude pip from the final app image, by
making the pip layer be a build-only layer.

Excluding pip from the final app image:
- Prevents several classes of user error/confusion/bad app design
  patterns seen in support tickets (see #255 for more details).
- Reduces app image supply chain surface area.
- Reduces app image size by 13 MB and layer count by 1, meaning less
  to have to push to the remote registry.
- Matches the approach used for Poetry, where we don't make Poetry
  available at run-time either.

Users that need pip at run-time for a temporary debugging task can run
`python -m ensurepip --default-pip` in the container at run-time to make
it available again (this command doesn't even have to download anything
- it uses the pip bundled with Python).

Or if pip is an actual run-time dependency of the app, then the app can
add `pip` to its `requirements.txt` (which much more clearly conveys the
requirements of the app, and also allows the app to pick what pip
version it needs at run-time).

Closes #255.
edmorley added a commit that referenced this issue Sep 4, 2024
After #254, pip is now installed into its own layer rather than into the
system site-packages directory inside the Python layer.

This means it's now possible to exclude pip from the final app image, by
making the pip layer be a build-only layer.

Excluding pip from the final app image:
- Prevents several classes of user error/confusion/bad app design
  patterns seen in support tickets (see #255 for more details).
- Reduces app image supply chain surface area.
- Reduces app image size by 13 MB and layer count by 1, meaning less
  to have to push to the remote registry.
- Matches the approach used for Poetry, where we don't make Poetry
  available at run-time either.

Users that need pip at run-time for a temporary debugging task can run
`python -m ensurepip --default-pip` in the container at run-time to make
it available again (this command doesn't even have to download anything
- it uses the pip bundled with Python).

Or if pip is an actual run-time dependency of the app, then the app can
add `pip` to its `requirements.txt` (which much more clearly conveys the
requirements of the app, and also allows the app to pick what pip
version it needs at run-time).

Should we find that pip's absence causes confusion in the future, we
could always add a wrapper/shim `pip` script in the app image which does
something like:

```
echo "pip isn't installed at run-time, if you need it temporarily run 'python -m ensurepip --default-pip' to install it"
exit 1
```

...to improve discoverability.

We'll also document pip (and Poetry) being available at build-time only
in the docs that will be added by #11.

Closes #255.
edmorley (Member, Author) commented Sep 4, 2024

So I'm leaning towards trying to do this sooner rather than later, since it's a change that really needs to be made whilst CNBs on Heroku are still in preview, rather than after they GA (reach General Availability).

Ref the open questions:

  1. I still can't think of any use-cases, and the only way we're going to find them is via feedback, which is what the preview process is for.
  2. I think we can skip this initially - since it's easy enough to add later, and whether it's worth doing or not depends on the feedback we get / whether users are confused after the docs are finished etc.
  3. I don't think we should support this for now since (a) if an app really does have a use-case for needing pip permanently at run-time (vs one off debugging by a human in a single container) then it can (and IMO really should) add pip as a dependency in its requirements.txt file, (b) more buildpack options means more to test, document, maintain - and so something we should not add until we know there is definitely a need for it.

@edmorley edmorley self-assigned this Sep 4, 2024
edmorley added a commit that referenced this issue Sep 9, 2024
After #254, pip is now installed into its own layer rather than into the
system site-packages directory inside the Python layer.

This means it's now possible to exclude pip from the final app image, by
making the pip layer be a build-only layer.

Excluding pip from the final app image:
- Prevents several classes of user error/confusion/bad app design
  patterns seen in support tickets (see #255 for more details).
- Reduces app image supply chain surface area.
- Reduces app image size by 13 MB and layer count by 1, meaning less
  to have to push to the remote registry.
- Matches the approach used for Poetry, where we don't make Poetry
  available at run-time either.

Users that need pip at run-time for a temporary debugging task can run
`python -m ensurepip --default-pip` in the container at run-time to make
it available again (this command doesn't even have to download anything
- it uses the pip bundled with Python).

Or if pip is an actual run-time dependency of the app, then the app can
add `pip` to its `requirements.txt` (which much more clearly conveys the
requirements of the app, and also allows the app to pick what pip
version it needs at run-time).

Should we find that pip's absence causes confusion in the future, we
could always add a wrapper/shim `pip` script in the app image which does
something like:

```
echo "pip isn't installed at run-time, if you need it temporarily run 'python -m ensurepip --default-pip' to install it"
exit 1
```

...to improve discoverability.

We'll also document pip (and Poetry) being available at build-time only
in the docs that will be added by #11.

Closes #255.
GUS-W-16697386.