[Distutils] add "sourceURL" to the metadata 3.0 PEP.

Thomas Güttler guettliml at thomas-guettler.de
Fri Mar 24 17:12:14 EDT 2017

Am 24.03.2017 um 05:59 schrieb Nick Coghlan:
> On 24 March 2017 at 13:24, Wes Turner <wes.turner at gmail.com <mailto:wes.turner at gmail.com>> wrote:
>     On Thu, Mar 23, 2017 at 2:23 AM, Nick Coghlan <ncoghlan at gmail.com <mailto:ncoghlan at gmail.com>> wrote:
>         This means we're not going to be automating the process of getting an editable checkout in the core tools any time soon - there are already 100k+ published packages on PyPI, so anyone that seriously wants to do this is going to have to write their own client utility that attempts to infer it from the metadata that already exists (probably by building atop distlib, since that has all the necessary pieces to read the various metadata formats, both remote and local).
>         Future metadata extensions might help to make such a tool more reliable, but *requiring* metadata changes to be made first will just make it useless (since it wouldn't work at all until after publishers start publishing the new metadata, which would mean waiting years before it covered a reasonable percentage of PyPI).
>     Here's a way to define Requirements and a RequirementsMap with additional data:
>     https://github.com/westurner/pyleset/blob/57140bcef5/setup.py#L118 <https://github.com/westurner/pyleset/blob/57140bcef5/setup.py#L118>
>     It creates a directory full of requirements[.dev].txt files:
>     https://github.com/westurner/pyleset/tree/57140bce/requirements <https://github.com/westurner/pyleset/tree/57140bce/requirements>
>     Additional metadata in Pipfile would be nice;
>     but it would be fairly easy to send a PR to:
>     BLD: setup.py: add the canonical sourceURL
> PEP 426 already has a source URL field: https://www.python.org/dev/peps/pep-0426/#source-url
> It's just not required to be a *version* control reference - it's free to be a reference to a tarball or zip archive instead (just not a reference to the sdist itself, since that will contain a copy of the metadata file).
> However, independently of that concern, "send a PR" is only the first step in updating published metadata to accommodate tasks that package *consumers* want to perform:
> 1. Someone has to write and submit the upstream project patch
> 2. The publisher has to review and accept the change
> 3. The publisher has to publish the new release
> 4. Rinse-and-repeat for dozens/hundreds/thousands of projects, depending on the scope of what you care about
> So the lesson we've learned is that for consumer tasks it's *always* better to start by asking "How can I best achieve my objective without asking publishers to change *anything*?".
> In the case of finding version control references, that's a matter of:
> - looking at Download-URL and Project-URL entries for links that "look like" version control references
> - if that doesn't turn up anything useful, scan the long description
> - once you have a repository reference, look for promising tag names (if the link didn't nominate a specific commit)

This is the spirit of python packaging:

  We love guessing and trying we hate well defined datastructures.

Yes, nothing is more boring then Entity–relationship models. But this provides solid ground.

Yes, I can write code which does the steps you suggest:
 looking at Download-URL, if this ... do that, look for something promising .... on full moon start dancing, but not in april ...

Anyone is free to do what he wants. JSON here, JSON there ... Let's meet again in ten years and have a look how the IT world
changed. My guess: well defined datastructures like protocol buffers will increase and fuzzy data structures like json will decrease.

Unfortunately I have not found a dependency resolver which works for several languages (not just python) yet.

The feeling "I want to leave pip and python-packaging" is here since several years, but up to now I found to concrete path to follow.

I know that all here are doing their best. If you feel insulted, then I am not sorry at all. Since I did not do it.

I just wrote what I feel. This is my personal problem. Not yours.

  Thomas Güttler


More information about the Distutils-SIG mailing list