I believe beyond technical details we should establish a new PSF Work Group for HTTP to better acquire resources and funding to pay all of you to solve this problem.

There is no reason why we should be unorganized or alone in this. A PSF Work Group would allow us to better leverage fiscal sponsorship, governance, and cross-maintenance of projects.

From a technical perspective, my ideal world would be:

1. Leave urllib3 and requests more or less alone. Every change is a breaking change. They have far too many users. Use tidelift to pay maintainers indefinitely.
2. Establish shared, sans-io libraries that we can all build upon for http, http2, and http3/quic.
3. Work together towards a brand new python-https project using the best from all of our experiences and the resources granted by the work group.
4. Urllib3’s value is in its exhaustive test suite - mine what we can and move into shared libraries and into the python-https project.
5. Request’s value is in its UX - borrow what makes sense.

CC’ing some folks where I’m not sure if they’ve seen this or not: @pquentin @RatanShreshtha @nateprewitt @shazow @asvetlov @dstufft

@tomchristie: this is super cool, and thanks for starting the conversation.

I’ll start by summarizing what’s happening with the async-urllib3 work and what we’ve been thinking about there, so we can start figuring out how these different initiatives relate.

The async-urllib3 fork

For the last few years, me & @pquentin & @RatanShreshtha have been slowly working on adding async support to urllib3 (also incorporating some older work by @lukasa). The repo and issue tracker is here, and the basic approach is described here: https://github.com/urllib3/urllib3/issues/1323

What we’ve done so far

• The core HTTP/1.1 support has been totally replaced – http.client has been ripped out and replaced by h11 + our own networking code.
• We have both sync + async versions of the public APIs
• The sync API works on python 2.7 and python 3.4+
• The async API works on python 3.5+, on Trio and Twisted. Adding other backends is quite easy – at the low end, the Trio backend is 55 lines of code; at the high end, the Twisted backend is 184 lines of code, because we have to implement our own flow-controlled stream layer and error unwinding.
  • We’ve been leaning towards keeping these internal, because they’re small enough that I think the benefits from being able to refactor the interface with the rest of the library will outweigh the costs of maintaining them.
• We’re still close enough to urllib3 upstream that we can use git merge to pull in their ongoing work (which there’s quite a bit of, to fix all kinds of exotic edge cases: https://github.com/urllib3/urllib3/pulls?q=is%3Apr+is%3Aclosed)
• We support basically everything upstream urllib3 does except for urllib3.contrib, which means: SOCKS, alternative TLS backends (pyopenssl, securetransport), appengine support. It might make sense to port some of these too; we’re not sure.
• Apart from the missing urllib3.contrib features, our sync API is passing the entire urllib3 test suite

What’s left to do

In general, my feeling is that the core HTTP functionality here is really solid. I think I heard @lukasa say once that it’s easy to write 90% of an HTTP client; the last 10% is where all the work is. (I guess this true of everything, but even more so for HTTP.) The async-urllib3 branch doubtless has exciting new bugs we haven’t found yet, but overall this is not a quick proof of concept, it’s a serious attempt at a production library that handles almost all the edge cases I know about, including things that urllib3 has only figured out within the last few months. It even handles early server responses (which is a known problem with classic urllib3, and required multiple iterations to figure out how to make it supportable across multiple networking backends). Though, we do still need to figure out what to do about header casing – https://github.com/python-hyper/h11/issues/31.

There are a bunch of minor things we need to do (e.g. docs, asyncio backend), and also two major ones:

• We currently aren’t doing more than minimal smoke testing for the async versions of our interfaces. We need to async’ify the tests, to run against all the async backends too. This should be mostly mechanical, EXCEPT…
• …One thing I’ve learned over the last few years is that urllib3’s public interfaces are too big – there’s a bunch of random bits and pieces that shouldn’t be exposed. Some of this is pretty trivial to fix (just add underscores). But the trickier part is the session APIs, PoolManager/HTTPConnectionPool/HTTPSConnectionPool/etc. These expose a bunch of details that should be handled internally, and the exposed details don’t necessarily make much sense (why does each host get its own session object?). This also makes writing generic tests unnecessarily tiresome, because we need to test all these classes separately, pick the sync/async version as appropriate, etc. Ideally there would just be a single session type that all calls start with, and we could pass in the appropriate version as a test fixture. I think this part of urllib3 is problematic enough that it’s worth reworking in any kind of “v2” project.

urllib3 vs async-urllib3 vs httpcore vs requests vs request3 vs idek

OK so that’s what we’ve been working on what the issues we’ve found. What about the larger strategy? First, just to lay out my general assumptions:

If it’s at all possible, our goal should be to converge on a single implementation of the core code for making HTTP requests, that almost everyone uses (either directly or via wrappers like requests is currently). HTTP clients have endless edge cases, so the more eyeballs we have on a single library, the more we can all benefit from each other’s experiences. Right now in our urllib3 branch, the Trio-specific code is ~2% of the total library (not counting tests, contrib, . It’s ridiculous that we can’t share the other ~98%.

Right now urllib3 is kinda that, except that it doesn’t handle async, hence the proliferation of async libraries.

Unfortunately urllib3 can’t add async without at least some backcompat breakage, because of all the exposed internals. (The public API exposes that it’s using http.client under the hood, it has dict-like interfaces that need to become async, etc.) And urllib3 is stupendously widely used, so our new library to rule them all is going to need a different name, and be parallel-installable to let people migrate gradually.

I still have hope that we can switch requests over to a new async-capable backend without breaking the world. The requests API is much smaller, and if we could pull it off this would (a) save a lot of migration work for people around the world, and (b) make the overall migration go much faster – which in turn means the folk here will get to (eventually) waste less energy on maintaining the old LTS releases of everything. In my perfect world, there’s no requests3 package because we don’t need it.

I don’t have a strong opinion on Python 2 support right now. It’s obviously getting less important every day. But the last stragglers are going to be projects like pip and botocore, which need a HTTP client, and would really like to have access to async support. Maybe they’ll be happy with using different clients on py2 and py3 (and in pip’s case, vendoring multiple clients)? I’m assuming requests itself will need to support py2 for another year+, and if py2 support is the difference between being able to switch requests vs having to convince everyone to migrate off requests, then that might be enough to make py2 support worth it. I don’t really want to keep caring about py2, but my overriding goal is to minimize the number of HTTP libraries we all have to support, and if py2 makes a difference there I’m willing to hold my nose and do it. …Depending on how hard it is to support py2, which we don’t know yet either.

I’m not super interested in ASGI/WSGI integration – it’s a neat feature that people will like, but not my main focus (and Trio will have the ability to mock out the network itself for testing, so you don’t necessarily need this kind of support inside individual libraries). I do wonder how you’ll provide an async API to WSGI apps or a sync API to ASGI apps, though?

I think talking about HTTP/2 is kinda premature, honestly. I looked at httpcore/dispatch/http2.py, and AFAICT it doesn’t support outgoing flow control or PING handling (both of which are protocol violations), and it doesn’t support multiplexing (which pretty much makes HTTP/2 support useless). And fixing these will require some substantial architectural changes, because they require background tasks and shared state across multiple connections. Which in turn will make it significantly more complicated to support multiple concurrency backends, and means you need to somehow disable HTTP/2 entirely when running in sync mode… it’s a lot of extra complexity. I think we should be strategizing on the shortest path to something shippable, and HTTP/2 is not on the critical path for that. We definitely want to get there eventually, and we need to keep an eye on it to make sure we don’t do anything that rules it out, but we don’t want to get people excited about something that we can’t deliver yet…

(BTW, we might also want to think about websocket client support eventually too – with HTTP/2 you can have HTTP and WS traffic over a single connection.)

Anyway. Looking at httpcore, my overall impression is … surprisingly complementary to the async-urllib3 work? The async-urllib3 stuff is really strong on low-level protocol stuff, but the public API has a decade of accumulated cruft. httpcore feels like it’s a few years away from handling all the gnarly edge cases, but the overall API and structure seem way more thought-through. I wonder if there’s any way to combine forces on that basis?