[Distutils] Notes on pip's requirements for PEP 517

[Nick Coghlan]

On 18 July 2017 at 12:28, Nathaniel Smith <njs at pobox.com> wrote:
> On Jul 17, 2017 8:48 AM, "Paul Moore" <p.f.moore at gmail.com> wrote:
> On 17 July 2017 at 14:45, Nathaniel Smith <njs at pobox.com> wrote:
>> ...should they be required to have PKG-INFO? This seems like a
>> relevant question regardless of whether pip goes with "strategy option
>> #2" :-).
>
> A note of caution here - this way lies (at least some level) of
> defining an official sdist format. I'm not against that (specifically,
> I'd be happy if we did that, just formalising what setuptools
> currently does in some usable form, and leave any sort of "sdist 2.0"
> debate for when we've all got our breath back after this discussion)
> but I'll note that we went round this loop very early on here (which
> resulted in the PEP being written in terms of "source trees") so we
> need to be careful not to go back over old ground.
>
> There's already a short paragraph that gives some minimal requirements on
> sdists; we needed it for build_sdist. Now that I look again though, it turns
> out that it already mandates the presence of PKG-INFO.

Right, PEP 517 says that sdists created via the build_sdist hook
should contain PKG-INFO. However, that's not the problematic case for
sdist detection in frontends: the problem is that there's nothing
stopping people from having a PKG-INFO file lying around in a
directory that *isn't* an unpacked sdist (whether deliberately or
accidentally).

This is what leads to the situation where I expect PEP 517 *backends*
are going to be able to more reliably check for an unpacked sdist: as
tools chosen specifically by software publishers, they will have more
freedom to say "<Don't do thing> if you want your builds to work
reliably" (where "<Don't do thing>" in this case might be "Don't check
a complete copy of your PKG-INFO file into source control").

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia