-
Notifications
You must be signed in to change notification settings - Fork 307
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature Request: make twine check
validate package dependency data
#813
Comments
It doesn't. It's also not 100% clear what you're proposing we check here. Should we be checking just |
I wouldn't expect twine to be contacting pypi to check that packages exist. I want the check to parse all of install_requires and extra_requires and just make sure it's syntactically valid. Today, if I wrote Ideally the check would also be looking at |
I think the issue as described is out of scope for Twine. My understanding is that Twine is agnostic of the build backend, i.e., I don't think there's any code specific to setuptools, and I think Twine can upload packages from flit, poetry, etc.
What Twine does read is the standardized package metadata, via the pkginfo library. So, the equivalent of Lines 160 to 166 in 3040bf9
However, I think this issue is fundamentally a duplicate of #430, which suggests using Aside: setuptools currently doesn't write |
I hadn't found #430 before filing, and would be comfortable closing this as a duplicate. Also, thanks for clearing up my confusion on setuptools vs packaging. I didn't mean to phrase this as something specific to any given build backend -- I want The only thing not captured by #430 that I want is to do stricter validation than what is done by pypi/warehouse. I don't think there's any value in supporting the loose "legacy version" parsing behavior if this check is added. |
I think that might already be under discussion in packaging and/or warehouse in existing issues. IIRC one of the hopes with pypa/packaging#147 is that packaging will define reusable validation for all backends and repositories. |
I recently had a bug surface in a package I maintain, in which a
python_version
spec on a dependency was malformed. Specifically, we hadtyping-extensions; python_version<"3,8"
.twine check
passes on the package builds in this state. This led to a downstream failure when other tools (poetry
) couldn't parse the dependency data.There doesn't appear to be any relevant command which could be given to
pip
orsetuptools
.twine check
is the closest thing we have.My specific case traces down into
setuptools
, where there's support for legacy specifiers in the vendored copy ofpackaging
.I think it would be awesome if we could specify that the version format in the
setuptools
grammar be just the PEP440 versions, and then use that grammar intwine check
to validate more strictly. e.g. Wrap the grammar inbuild_grammar()
and setREQUIREMENT = build_grammar(strict=False)
.I'm happy to work on getting changes accepted into
packaging
andsetuptools
if this seems like a good path.But for any of that to be relevant,
twine check
would have to start parsinginstall_requires
,python_requires
, and extras, which I don't think it does today.The text was updated successfully, but these errors were encountered: