[Distutils] [Catalog-sig] setuptools or PyPI problem...?

Richard Jones richardjones at optushome.com.au
Fri Sep 23 02:25:51 CEST 2005 

On Tue, 23 Aug 2005 04:26 am, Ian Bicking wrote:
> I don't know which side this belongs to, but I had a problem when I
> tried to create a package with a "-" in it ("Paste-Deploy").  setup.py
> register worked fine, and created a "Paste-Deploy" project; however,
> when I did an upload it created a "Paste_Deploy-0.1.tar.gz" file, and
> PyPI wouldn't accept it, I believe because it thought it belonged to the
> (nonexistant) Paste_Deploy project.

The only restrictions PyPI places on filenames for uploads are:

        # check for valid filenames
        filename = content.filename
        if not safe_filenames.match(filename):
            raise FormError, 'invalid distribution file'

        # check for dodgy filenames
        if '/' in filename or '\\' in filename:
            raise FormError, 'invalid distribution file'

        # check the file for valid contents based on the type
        if not verify_filetype.is_distutils_file(content, filename, filetype):
            raise FormError, 'invalid distribution file'

Where:

  safe_filenames = re.compile(r'.+?\.(exe|tar\.gz|bz2|rpm|deb|zip|tgz|egg)$',
      re.I)

and "is_distutils_file" just looks at the extension and pokes into the file 
based on the extension to make sure that an ".exe" uplood looks kinda like an 
installer, and ".zip" and ".egg" uploads look kinda like ZIP files of 
distutils origin.

No checks are made that a filename matches a package name. So given the 
metadata:

     setup(
         name="To-Do List",
         version="1.23 alpha!",
         ...
     )

as long as that *name* (and version) is passed unchanged to PyPI, a file named 
"frozzleplop-1.2.3.zip" could be attached to the "To-Do List" package.

I can only assume that setuptools is mutating the name/version in order to 
generate a safe filename, but then passing the mutated name/version to PyPI 
as the release identifier. I think it's an unacceptable change to make to 
PyPI to accept the mutated name/version, as the name/version represents the 
unique identifier in the database for a package. Unique identifier collisions 
are possible when you start mangling them, and I'd really prefer to avoid 
such things.


     Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.python.org/pipermail/distutils-sig/attachments/20050923/7f0886cb/attachment.pgp

More information about the Distutils-SIG mailing list