On Tue, 23 Aug 2005 04:26 am, Ian Bicking wrote:
I don't know which side this belongs to, but I had a problem when I tried to create a package with a "-" in it ("Paste-Deploy"). setup.py register worked fine, and created a "Paste-Deploy" project; however, when I did an upload it created a "Paste_Deploy-0.1.tar.gz" file, and PyPI wouldn't accept it, I believe because it thought it belonged to the (nonexistent) Paste_Deploy project.
The only restrictions PyPI places on filenames for uploads are:

    # check for valid filenames
    filename = content.filename
    if not safe_filenames.match(filename):
        raise FormError('invalid distribution file')

    # check for dodgy filenames
    if '/' in filename or '\\' in filename:
        raise FormError('invalid distribution file')

    # check the file for valid contents based on the type
    if not verify_filetype.is_distutils_file(content, filename, filetype):
        raise FormError('invalid distribution file')

Where:

    safe_filenames = re.compile(r'.+?\.(exe|tar\.gz|bz2|rpm|deb|zip|tgz|egg)$', re.I)

and "is_distutils_file" just looks at the extension and pokes into the file based on the extension to make sure that an ".exe" upload looks kinda like an installer, and ".zip" and ".egg" uploads look kinda like ZIP files of distutils origin.

No checks are made that a filename matches a package name. So given the metadata:

    setup(
        name="To-Do List",
        version="1.23 alpha!",
        ...
    )

as long as that *name* (and version) is passed unchanged to PyPI, a file named "frozzleplop-1.2.3.zip" could be attached to the "To-Do List" package.

I can only assume that setuptools is mutating the name/version in order to generate a safe filename, but then passing the mutated name/version to PyPI as the release identifier.

I think it's an unacceptable change to make to PyPI to accept the mutated name/version, as the name/version represents the unique identifier in the database for a package. Unique identifier collisions are possible when you start mangling them, and I'd really prefer to avoid such things.

Richard
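As an added illustration (not code from PyPI, setuptools or either poster): the two filename checks quoted above, a reimplementation of the name mangling the reply attributes to setuptools (modelled on pkg_resources.safe_name followed by to_filename), and a hypothetical filename-to-project check of the kind the reply notes PyPI did not perform. The `normalize` key and `filename_matches_project` are assumptions for demonstration, not anything PyPI did.

```python
import re

# PyPI's upload-time filename checks, as quoted in the reply above.
SAFE_FILENAMES = re.compile(r'.+?\.(exe|tar\.gz|bz2|rpm|deb|zip|tgz|egg)$', re.I)
EXTENSION = re.compile(r'\.(exe|tar\.gz|bz2|rpm|deb|zip|tgz|egg)$', re.I)


def pypi_accepts_filename(filename):
    """The two quoted checks: an allowed extension and no path separators.
    The content sniffing of is_distutils_file is not modelled here."""
    if not SAFE_FILENAMES.match(filename):
        return False
    if '/' in filename or '\\' in filename:
        return False
    return True


def setuptools_filename_stem(name):
    """Reimplementation of the mangling setuptools applies when it builds a
    filename (pkg_resources.safe_name, then to_filename): runs of characters
    outside [A-Za-z0-9.] become '-', and then '-' becomes '_'.
    This is why "Paste-Deploy" is uploaded as "Paste_Deploy-...". """
    return re.sub(r'[^A-Za-z0-9.]+', '-', name).replace('-', '_')


def normalize(name):
    """Hypothetical comparison key: case-folded, with runs of '-', '_', '.'
    and whitespace collapsed to a single '-'. Constructed for this example."""
    return re.sub(r'[-_.\s]+', '-', name).lower()


def filename_matches_project(filename, project_name):
    """Hypothetical version of the check the reply says PyPI lacks: does the
    uploaded file's name stem belong to the registered project?  The name
    and version are joined with '-', so a prefix comparison of the
    normalized forms is enough to catch "frozzleplop-1.2.3.zip" being
    attached to "To-Do List" while still accepting the mangled filename
    setuptools produces for "Paste-Deploy"."""
    stem = EXTENSION.sub('', filename)
    return normalize(stem).startswith(normalize(project_name) + '-')
```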