For a source package based on setuptools, setup.py is executed with a minimal environment and can run arbitrary code.

You can (and should!) tell pip not to do this with '--only-binary=:all:'. Building from source is a lousy default.
Requiring increasingly long arcane incantations in the name of backwards compatibility is a terrible design philosophy and introduces security fatigue. Most users will not use aliases, and it's poor security posture to ask them to.

Given how often the Python community already deals with breaking changes, it shouldn't be much different for pip to adopt saner defaults in a new major version.

While I agree, pip has very strong backward compatibility requirements. I'm not sure why, maybe because people tend to upgrade it without considering the consequences.
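An added example, not part of the thread and not pip's own code: a CI guard that reads a requirements file and lists the packages pip could still build from source, and so run setup.py for. It is a simplified model of how pip combines `--only-binary` with the opposing `--no-binary` option; the function names, package names and sample file are constructed for illustration.

```python
import re
import shlex

def _norm(name):
    return re.sub(r"[-_.]+", "-", name).lower()

def _apply(value, target, other):
    """Fold one option value into the two sets; later options override earlier ones."""
    names = value.split(",")
    while ":all:" in names:
        other.clear()
        target.clear()
        target.add(":all:")
        del names[: names.index(":all:") + 1]
        if ":none:" not in names:
            return
    for name in names:
        if name == ":none:":
            target.clear()
        else:
            other.discard(_norm(name))
            target.add(_norm(name))

def source_build_allowed(requirements_text):
    """Return the requirement names that may still be installed from an sdist."""
    only_binary, no_binary, packages = set(), set(), []
    for raw in requirements_text.splitlines():
        line = raw.split(" #")[0].strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--"):
            tokens = shlex.split(line)
            opt, _, val = tokens[0].partition("=")
            val = val or (tokens[1] if len(tokens) > 1 else "")
            if opt == "--only-binary":
                _apply(val, only_binary, no_binary)
            elif opt == "--no-binary":
                _apply(val, no_binary, only_binary)
            continue
        packages.append(_norm(re.split(r"[\s<>=!~;\[@]", line, maxsplit=1)[0]))
    return sorted(p for p in packages if p not in only_binary
                  and (p in no_binary or ":all:" not in only_binary))

# Constructed sample: wheels only, with one per-package exception that
# reopens the setup.py path for that package.
SAMPLE = """--only-binary=:all:
--no-binary=legacy-pkg
requests==2.31.0
Legacy_Pkg==1.0
"""
```

A build job can fail when `source_build_allowed()` returns a non-empty list, which turns the opt-in flag into an enforced policy.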
