[Distutils] Metadataformat PEP 426 on PyPI?
Donald Stufft
donald at stufft.io
Wed Jul 3 20:34:55 CEST 2013
On Jul 3, 2013, at 2:19 PM, PJ Eby <pje at telecommunity.com> wrote:
> On Wed, Jul 3, 2013 at 10:51 AM, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:
>> If you deserialize the JSON at a URL like the above into a dict, the PEP
>> 426 metadata is available in the subdict at key "index-metadata" in the
>> top-level dict. Example from setuptools 0.7.5:
>>
>> "index-metadata": {
>> ....
>> "name": "setuptools"
>> },
>>
>> I expect this metadata to track the PEP as changes to it are published.
>> Currently, the top-level dict contains some legacy representations of the
>> metadata which will be removed in due course.
>
> Just an FYI, not sure if this is an issue with your converter or with
> the new spec, but the metadata shown for setuptools is missing
> something important: 0.7.x pins specific distributions of its
> dependencies using dependency_links URLs with #md5 hashes, so that SSL
> support can be installed in a reasonably secure manner, as long as
> you're starting from a trusted copy of the distribution. The
> converted metadata you show lacks this pinning.
>
> Granted, the pinning is somewhat kludged, and the specific need is
> perhaps a rare use case outside of installer tools themselves. But I
> thought it worth pointing out as a limitation of either the converter
> or with the spec itself in relation to version support.
PEP426 does not support dependency_links.
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
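
The pinning described in the quoted message, as an added example that is not part of the original thread and is not setuptools' own code: a dependency link carries the expected digest in its URL fragment, and the download is rejected unless it hashes to that value. The `#md5=<hex>` fragment spelling, the function names, and the sample URL and archive bytes are assumptions constructed for illustration; the sketch goes beyond the thread by also accepting stronger digests such as sha256 in the same position.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Digest names this example accepts in a URL fragment (an assumption).
ALLOWED = {"md5", "sha1", "sha256", "sha512"}
HEX = set("0123456789abcdef")


class PinError(Exception):
    """The link has no usable pin, or the content does not match it."""


def parse_pin(url):
    """Split 'https://host/pkg.tar.gz#md5=<hex>' into (clean_url, algo, digest)."""
    parts = urlsplit(url)
    algo, sep, digest = parts.fragment.partition("=")
    algo, digest = algo.lower(), digest.lower()
    if not sep or algo not in ALLOWED:
        raise PinError("no supported hash pin in %r" % url)
    # A truncated or padded digest must never be treated as a valid pin.
    if len(digest) != hashlib.new(algo).digest_size * 2 or not set(digest) <= HEX:
        raise PinError("malformed %s digest in %r" % (algo, url))
    return parts._replace(fragment="").geturl(), algo, digest


def verify_pinned(url, content):
    """Return content only if it hashes to the value pinned in url."""
    _, algo, expected = parse_pin(url)
    actual = hashlib.new(algo, content).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise PinError("%s mismatch: expected %s, got %s" % (algo, expected, actual))
    return content


# Constructed sample: stand-in archive bytes and a link pinned to them.
SAMPLE_ARCHIVE = b"constructed stand-in for a downloaded sdist\n"
SAMPLE_LINK = ("https://example.invalid/dist/ssl-helper-1.0.tar.gz#md5="
               + hashlib.md5(SAMPLE_ARCHIVE).hexdigest())

if __name__ == "__main__":
    verify_pinned(SAMPLE_LINK, SAMPLE_ARCHIVE)
    print("pinned archive accepted")
    try:
        verify_pinned(SAMPLE_LINK, SAMPLE_ARCHIVE + b"tampered")
    except PinError as exc:
        print("rejected:", exc)
```

The check only helps if the link itself comes from a trusted copy of the distribution, which is the condition stated in the quoted message.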