[Python-Dev] Fwd: PEP 426 is now the draft spec for distribution metadata 2.0
Vinay Sajip
vinay_sajip at yahoo.co.uk
Thu Feb 21 01:53:59 CET 2013
M.-A. Lemburg <mal <at> egenix.com> writes:
> The suggestion to have the metadata available on PyPI doesn't
> have anything to do with security.
>
> It's about being able to determine compatibility and select the
> right distribution file for download. The metadata also helps in
> creating dependency graphs, which are useful for a lot of things.
FYI, distlib already uses metadata in this way. Note that:

1. Dependency information is locked away in setup.py files, e.g. in kwargs to
   the setup() call.
2. PyPI does not provide access to this metadata.

So I have had to write code to extract what information I could out of setup.py
setup() and into metadata that can be used. I have, for now, hosted it on my
own server, but it can be used for e.g. determining complete dependency graphs
without ever actually downloading any distributions. Distlib provides access to
it:

$ python finddeps.py pyramid
12 dists, elapsed time: 4.35 secs
----------------------------------------
Download order:
----------------------------------------
download setuptools (0.6c11) [for pyramid, zope.interface, zope.deprecation]
download PasteDeploy (1.5.0) [for pyramid]
download repoze.lru (0.6) [for pyramid]
download venusian (1.0a7) [for pyramid]
download MarkupSafe (0.15) [for Mako]
download translationstring (1.1) [for pyramid]
download Chameleon (2.11) [for pyramid]
download WebOb (1.2.3) [for pyramid]
download zope.interface (4.0.3) [for pyramid]
download Mako (0.7.3) [for pyramid]
download zope.deprecation (4.0.2) [for pyramid]
download pyramid (1.4)
In the above, nothing was actually downloaded except the metadata. It's just
indicating an intuitive ordering for download based on a topological sort of
the dependency graph - for pyramid, in this case.
Regards,
Vinay Sajip
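
The download ordering described in the message above, as an added example that is not part of the original post and is not distlib's code: a topological sort over dependency metadata alone. The METADATA table is constructed (names and edges follow the annotations in the output above), and download_order is a hypothetical helper.

```python
from graphlib import TopologicalSorter, CycleError

# Constructed sample metadata: name -> direct dependencies. Names and edges
# follow the "[for ...]" annotations in the output quoted in the message.
METADATA = {
    "pyramid": ["setuptools", "PasteDeploy", "repoze.lru", "venusian",
                "translationstring", "Chameleon", "WebOb", "zope.interface",
                "Mako", "zope.deprecation"],
    "Mako": ["MarkupSafe"],
    "zope.interface": ["setuptools"],
    "zope.deprecation": ["setuptools"],
}


def download_order(root, metadata):
    """Return [(dist, sorted requirers)] with dependencies before dependents.

    Only the metadata mapping is consulted; nothing is fetched or executed.
    """
    graph, requirers, todo = {}, {}, [root]
    while todo:                         # walk the transitive closure from root
        name = todo.pop()
        if name in graph:
            continue
        deps = metadata.get(name, [])   # missing entry: treated as a leaf
        graph[name] = set(deps)
        for dep in deps:
            requirers.setdefault(dep, set()).add(name)
            todo.append(dep)
    try:
        # TopologicalSorter takes node -> predecessors, so dependencies come first
        order = list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        cycle = " -> ".join(exc.args[1])
        raise ValueError("dependency cycle: %s" % cycle) from exc
    return [(name, sorted(requirers.get(name, ()))) for name in order]


if __name__ == "__main__":
    for name, needed_by in download_order("pyramid", METADATA):
        suffix = " [for %s]" % ", ".join(needed_by) if needed_by else ""
        print("download %s%s" % (name, suffix))
```

The order among independent distributions may differ from the output in the message; any order that places each dependency before its dependents is a valid topological sort.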