[Distutils] Metadataformat PEP 426 on PyPI?

PJ Eby pje at telecommunity.com
Wed Jul 3 20:19:16 CEST 2013


On Wed, Jul 3, 2013 at 10:51 AM, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:
> If you deserialize the JSON at an URL like the above into a dict, the PEP
> 426 metadata is available in the subdict at key "index-metadata" in the
> top-level dict. Example from setuptools 0.7.5:
>
>   "index-metadata": {
>   ....
>     "name": "setuptools"
>   },
>
> I expect this metadata to track the PEP as changes to it are published.
> Currently, the top-level dict contains some legacy representations of the
> metadata which will be removed in due course.

Just an FYI, not sure if this is an issue with your converter or with
the new spec, but the metadata shown for setuptools is missing
something important: 0.7.x pins specific distributions of its
dependencies using dependency_links URLs with #md5 hashes, so that SSL
support can be installed in a reasonably secure manner, as long as
you're starting from a trusted copy of the distribution.  The
converted metadata you show lacks this pinning.

Granted, the pinning is somewhat kludged, and the specific need is
perhaps a rare use case outside of installer tools themselves.  But I
thought it worth pointing out as a limitation of either the converter
or with the spec itself in relation to version support.
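
The hash pinning described in this message, sketched as an added example (not part of the original message and not setuptools' own code): a link whose fragment carries `#md5=<hex>` lets an installer reject a download whose digest differs, while the same link without the fragment gives it nothing to check. The helper names, the example.invalid URL and the sample bytes are constructed for illustration; sha256 is accepted as a generalization beyond the md5 case in the text.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Digest names accepted in the URL fragment (assumption for this example).
ALLOWED_ALGOS = ("md5", "sha256")


def parse_pin(link):
    """Split a dependency link into (url_without_fragment, algo, hexdigest).

    algo and hexdigest are None when the link carries no hash fragment.
    """
    parts = urlsplit(link)
    base = parts._replace(fragment="").geturl()
    fragment = parse_qs(parts.fragment)  # "md5=abc" -> {"md5": ["abc"]}
    for algo in ALLOWED_ALGOS:
        if algo in fragment:
            return base, algo, fragment[algo][0].lower()
    return base, None, None


def verify(link, payload):
    """Return "ok", "mismatch" or "unpinned" for downloaded bytes."""
    _, algo, expected = parse_pin(link)
    if algo is None:
        return "unpinned"  # nothing to verify against
    actual = hashlib.new(algo, payload).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed sample data: stand-in archive bytes and a link pinned to them.
SAMPLE = b"constructed archive bytes"
UNPINNED_LINK = "https://example.invalid/example-dep-1.0.tar.gz"
PINNED_LINK = UNPINNED_LINK + "#md5=" + hashlib.md5(SAMPLE).hexdigest()

if __name__ == "__main__":
    print(verify(PINNED_LINK, SAMPLE))                 # pinned, intact
    print(verify(PINNED_LINK, SAMPLE + b" tampered"))  # pinned, altered
    print(verify(UNPINNED_LINK, SAMPLE))               # pin dropped
```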

