Determine if sdist name is "unique" enough for wheel cache key

[dstufft]

Right now #2618 uses the sdist name as a cache key (though it uses a 1:M relationship to handle sdists which can output multiple different Wheels). We need to figure out if that is sufficient or if we should use the entire URL like the download cache used to use. A pro is that this will allow sharing a wheel cache between multiple indexes, but a con is that there's possible cache corruption between multiple indexes if you don't generate a local version for modifications and the like.

[rbtcollins]

How will we determine this?

[dstufft]

I meant to ping @pypa/pip-developers to see what other people thought, if we could trust that two different repositories (like PyPI and devpi, or two different devpis) that had the same public version (not local version) for the same project (pip-6.1.0.tar.gz for example) would be the same thing. If we don't think it's OK to trust that, do we think that people using multiple repositories with the "same" version but different contents are just getting into undefined behavior territory and thus "here be dragons" or do we think that we need to forgo the benefits of sharing cached wheels amongst multiple repositories.

[dstufft]

To answer your specific question, there's not a good way to determine this besides folks to try and guess and maybe solicit some anecdotal evidence. Mostly I added this issue to remember to do that.

[rbtcollins]

I think its here-be-dragons, because there's no defined guarantee about which repo pip will choose from when two repos have the same version of X.

[dstufft]

Well, you can do --index-url so that you, in a particular invocation of pip, override the default PyPI index so that you only have the one index. In other words, the two indexes don't have to exist in the same invocation since the cache directory is (obviously) shared between them. It's really the effect between two separate unrelated invocations that worries me.

Before auto wheels you could do pip install --index-url https://example.com/ foo==1.0 and then in a different environment do pip install foo==1.0 where the contents of foo 1.0 are different and it would work with no adverse effects (though it'd get confused if you tried to install one into an environment that was already installed, but you can work around that with --upgrade --force-reinstall. After auto wheels whichever one of those you do first is going to be the one you get everytime no matter what you do for --index.

If I recall even when the old download cache used just the URL, there was complaints about it not picking up updated copies of the package, and it was modified so that it also took into account the #md5=fragment of the URL.

I personally think it's a bit silly to have the same version mean different things, I'm mostly worried about breaking someones workflow for a (minor) optimization when guarding against it isn't very hard. I'll probably go ahead and work something up myself for this one, feel free to ignore it for now.

[rbtcollins]

Ok, but if I can help let me know - I hate having release-blocker's on a project.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.