-
Notifications
You must be signed in to change notification settings - Fork 308
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
twine check
should guard against things not accepted by PyPI like version format
#430
Comments
|
Sure, I was thinking about tackling it. |
FWIW, the right way to do this would be to move the validation logic from Warehouse into I've started doing this, but it's quite a bit more complicated than one might expect on first glance. I'm hoping to have this wrapped up this month, but I'd also be willing to hand off the work I've already done if there are folks interested in taking it over that could complete it more quickly. |
I was also thinking about this but decided that it might be too complicated to do at once, I think it could be easier to do such move in smaller pieces. Just |
@di I proposed a similar feature on pypa/setuptools-scm#365, before I remembered this conversation. Do you have a related issue and/or branch for your work thus far? |
Thanks, @di. Is pypa/packaging#147 the related issue? |
Before the magic move of validation does materialize, can we just rely on wheelhouse to validate the packages without uploading them? I am personally not against using official pypi.org as SaaS way for validating if a package is ok, without endup up with it already uploaded. This is key for testing pull-requests (or even developers), so we know that the new changes are ok, even if the user building them may not have the rights to upload the package. |
@bhrutledge Yep that's it. Are you thinking about picking it up? @ssbarnea That seems like an unnecessary round trip and extra work for PyPI. Compared to the same logic existing locally in |
@di Not any time soon; just connecting the dots in case other folks are interested. Thanks for sharing your work. |
Thanks to pypi/warehouse#7582 , pypa/packaging#147 is now resolved, which may unblock progress on this. |
We can make incremental progress here in validating the trove classifiers. We can't address the original issue, however, of being entirely certain that the verison is correct. We can try to parse it and reflect any |
Relevant update here: pypa/packaging#147 (comment), TL;DR: once I finish that we'll be able to do the exact same checks Warehouse does. |
This would be great to have! |
fuzzing-decision (used by taskmanager) uses a direct url reference (allowed by PEP 508). But PyPI cannot accept direct url references. We don't need any of the extras anyways for the wheel (Collector/FTB only). See pypa/twine#430
fuzzing-decision (used by taskmanager) uses a direct url reference (allowed by PEP 508). But PyPI cannot accept direct url references. We don't need any of the extras anyways for the wheel (Collector/FTB only). See pypa/twine#430
Your Environment
N/A
N/A
pip
twine==1.12.1
https://test.pypi.org
Metadata:
The Issue
I'm involved with https://github.com/ansible/ansible-lint packaging.
We're using setuptools-scm plugin to identify the current version of the distribution, then used in its metadata.
I've configured Travis CI to have one job continuously deploying to Test PyPI. This helps us to keep this whole PyPI automation healthy at all times.
Except that it fails.
setuptools-scm
generates PEP440-compliant version based on the previous tag and the current commit:3.5.2.dev35+gaa91980
(where 35 is the distance to tag 3.5.1 and gaa91980 is sha1 of the current commit.+gaa91980
is a local version identifier.Up until today I didn't know that public indexes are discouraged from accepting dists with a version containing local identifier:
Warehouse respects this: https://github.com/pypa/warehouse/blob/27ed636/warehouse/forklift/legacy.py#L190.
And responds with
HTTPError: 400 Client Error: '3.5.2.dev35+gaa91980' is an invalid value for Version. Error: Can't use PEP 440 local versions. See https://packaging.python.org/specifications/core-metadata for url: https://test.pypi.org/legacy/
:https://travis-ci.com/ansible/ansible-lint/jobs/163591117#L1095
So what
twine
has to do with all of this?I think
twine check
should have some--strict
option or so and do those same checks warehouse does in order to inform users about potential problems with metadata happening on the PyPI side and produce a more user-friendly explanation of what's happening.The text was updated successfully, but these errors were encountered: