[Catalog-sig] egg_info in PyPI

"Martin v. Löwis" martin at v.loewis.de
Sat Sep 18 09:41:35 CEST 2010

> FYI, egg-info directories can store arbitrary data (see e.g. the
> EggTranslations package, which uses it for localization resources), so
> you may want to impose some restrictions on *which* metadata files to
> include.

You mean, so that it doesn't include malware, porn, or other spam?
That would be useful, I guess.

> Second, if a user uploads a source distribution built with setuptools,
> it will include an .egg-info directory automatically, so you can simply
> extract it from there. Conversely, if the source distribution is *not*
> built with setuptools, then building it with setuptools would not
> produce much information in the egg-info anyway.

I see. I'll try to start with that as an assumption, but will still try
to validate it wrt. real data.

> SOURCES.txt # a manifest of the sdist contents
> top_level.txt # list of top-level package/module names
> scripts/ # source code of scripts in the package)
> zip-safe or not-zip-safe # flag file
> I don't think that most of these are useful for PyPI searches, though I
> suppose a listing of the name of the scripts the package includes could
> be useful.

I really try PyPI not to interpret any of these data. So I rather err on
the inclusive side.

> I'm not sure how useful it is to just have URLs for accessing the files,
> though, vs. having actual searches on structured data provided in the
> files. For example, an index of projects by package or module names, or
> of projects that provide a particular entry point.

In principle, it should be possible to let other services provide such
indices. I'd rather provide the files as-is for the moment, and see
what kind of facilities people would desire on top of it.


More information about the Catalog-SIG mailing list