[Distutils] Metadataformat PEP 426 on PyPI?

2013-07-03 Thread Alexander Schneider
Hello and sorry if I am on the wrong mailing list.

I'm working on a dependency resolution resolver and wanted to implement
support for the new Metadata format. (As of now I'm parsing the setup.py
for dependency information and am dependent on a self-built metadata
database of all PyPI packages)

Will there be built-in Metadata in the new PEP 426 format online on PyPI
for all packages? If yes, are there already specifications on how they
will be retrievable?

Thanks,

Alexander Schneider
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig


Re: [Distutils] Metadataformat PEP 426 on PyPI?

2013-07-03 Thread Nick Coghlan
On 3 July 2013 19:17, Alexander Schneider 
alexander.schnei...@uni-duesseldorf.de wrote:

> Hello and sorry if I am on the wrong mailing list.
>
> I'm working on a dependency resolution resolver and wanted to implement
> support for the new Metadata format. (As of now I'm parsing the setup.py
> for dependency information and am dependent on a self-built metadata
> database of all PyPI packages)
>
> Will there be built-in Metadata in the new PEP 426 format online on PyPI
> for all packages? If yes, are there already specifications on how they
> will be retrievable?


Yes there will, but actually figuring out the details of those APIs is some
time away. Note that the version currently referenced from the PEP is a
little out of date (
http://mail.python.org/pipermail/distutils-sig/2013-June/021357.html). I
will hopefully get it updated at the PyCon AU sprints next week.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia


Re: [Distutils] Metadataformat PEP 426 on PyPI?

2013-07-03 Thread Vinay Sajip
Alexander Schneider Alexander.Schneider at uni-duesseldorf.de writes:


> Will there be built-in Metadata in the new PEP 426 format online on PyPI
> for all packages? If yes, are there already specifications on how they
> will be retrievable?

I have experimental support for PEP 426 metadata available, which is
up-to-date with the spec apart from the changes Nick linked to. For any
given package, you can access some JSON at a URL based on the project name.
For example, setuptools 0.7.5 metadata is available at

http://www.red-dove.com/pypi/projects/S/setuptools/package-0.7.5.json

If you deserialize the JSON at a URL like the above into a dict, the PEP
426 metadata is available in the subdict at key index-metadata in the
top-level dict. Example from setuptools 0.7.5:

  "index-metadata": {
    "description": "omitted for brevity",
    "license": "PSF or ZPL",
    "contacts": [
      {
        "role": "author",
        "name": "The fellowship of the packaging",
        "email": "distutils-sig@python.org"
      }
    ],
    "summary": "Easily download, build, install, upgrade, and uninstall Python packages",
    "project_urls": {
      "Home": "https://pypi.python.org/pypi/setuptools"
    },
    "keywords": [
      "CPAN",
      "PyPI",
      "distutils",
      "eggs",
      "package",
      "management"
    ],
    "metadata_version": "2.0",
    "extras": [
      "certs",
      "ssl"
    ],
    "version": "0.7.5",
    "run_may_require": [
      {
        "environment": "sys_platform=='win32'",
        "dependencies": [
          "wincertstore (== 0.1)"
        ],
        "extra": "ssl"
      },
      {
        "environment": "sys_platform=='win32' and python_version=='2.4'",
        "dependencies": [
          "ctypes (== 1.0.2)"
        ],
        "extra": "ssl"
      },
      {
        "dependencies": [
          "certifi (== 0.0.8)"
        ],
        "extra": "certs"
      },
      {
        "environment": "python_version in '2.4, 2.5'",
        "dependencies": [
          "ssl (== 1.16)"
        ],
        "extra": "ssl"
      }
    ],
    "classifiers": [
      "Development Status :: 5 - Production/Stable",
      "Intended Audience :: Developers",
      "License :: OSI Approved :: Python Software Foundation License",
      "License :: OSI Approved :: Zope Public License",
      "Operating System :: OS Independent",
      "Programming Language :: Python :: 2.4",
      "Programming Language :: Python :: 2.5",
      "Programming Language :: Python :: 2.6",
      "Programming Language :: Python :: 2.7",
      "Programming Language :: Python :: 3",
      "Programming Language :: Python :: 3.1",
      "Programming Language :: Python :: 3.2",
      "Programming Language :: Python :: 3.3",
      "Topic :: Software Development :: Libraries :: Python Modules",
      "Topic :: System :: Archiving :: Packaging",
      "Topic :: System :: Systems Administration",
      "Topic :: Utilities"
    ],
    "name": "setuptools"
  },

I expect this metadata to track the PEP as changes to it are published.
Currently, the top-level dict contains some legacy representations of the
metadata which will be removed in due course.

I would hope that once the dust settles on the PEP, this metadata (the PEP
426 part) can be migrated to PyPI.

Regards,

Vinay Sajip
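
For a resolver consuming the `run_may_require` entries quoted in the message above, the following added example (not part of the original message, and not distlib's code) selects the dependencies that apply to a given environment and set of extras. It evaluates the marker strings with a small `ast` walker rather than `eval()`, since the metadata is untrusted input; the function names are hypothetical and only the marker syntax shown in the message is supported.

```python
import ast

# Constructed sample: the run_may_require entries quoted in the message above.
RUN_MAY_REQUIRE = [
    {"environment": "sys_platform=='win32'",
     "dependencies": ["wincertstore (== 0.1)"], "extra": "ssl"},
    {"environment": "sys_platform=='win32' and python_version=='2.4'",
     "dependencies": ["ctypes (== 1.0.2)"], "extra": "ssl"},
    {"dependencies": ["certifi (== 0.0.8)"], "extra": "certs"},
    {"environment": "python_version in '2.4, 2.5'",
     "dependencies": ["ssl (== 1.16)"], "extra": "ssl"},
]

def eval_marker(marker, env):
    """Evaluate a marker string without eval(); reject any other syntax."""
    def ev(node):
        if isinstance(node, ast.BoolOp):
            vals = [ev(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.Compare) and len(node.ops) == 1:
            left, right = ev(node.left), ev(node.comparators[0])
            op = node.ops[0]
            if isinstance(op, ast.Eq):
                return left == right
            if isinstance(op, ast.NotEq):
                return left != right
            if isinstance(op, ast.In):
                return left in right
            if isinstance(op, ast.NotIn):
                return left not in right
        if isinstance(node, ast.Name) and node.id in env:
            return env[node.id]          # only names the caller supplied
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            return node.value
        raise ValueError("unsupported marker syntax: %r" % marker)
    return bool(ev(ast.parse(marker, mode="eval").body))

def required(entries, env, extras=()):
    """Return dependencies whose extra was requested and whose marker holds."""
    out = []
    for entry in entries:
        if "extra" in entry and entry["extra"] not in extras:
            continue
        if "environment" in entry and not eval_marker(entry["environment"], env):
            continue
        out.extend(entry["dependencies"])
    return out
```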



Re: [Distutils] Metadataformat PEP 426 on PyPI?

2013-07-03 Thread PJ Eby
On Wed, Jul 3, 2013 at 10:51 AM, Vinay Sajip vinay_sa...@yahoo.co.uk wrote:
> If you deserialize the JSON at an URL like the above into a dict, the PEP
> 426 metadata is available in the subdict at key index-metadata in the
> top-level dict. Example from setuptools 0.7.5:
>
>   "index-metadata": {
>
>     "name": "setuptools"
>   },
>
> I expect this metadata to track the PEP as changes to it are published.
> Currently, the top-level dict contains some legacy representations of the
> metadata which will be removed in due course.

Just an FYI, not sure if this is an issue with your converter or with
the new spec, but the metadata shown for setuptools is missing
something important: 0.7.x pins specific distributions of its
dependencies using dependency_links URLs with #md5 hashes, so that SSL
support can be installed in a reasonably secure manner, as long as
you're starting from a trusted copy of the distribution.  The
converted metadata you show lacks this pinning.

Granted, the pinning is somewhat kludged, and the specific need is
perhaps a rare use case outside of installer tools themselves.  But I
thought it worth pointing out as a limitation of either the converter
or with the spec itself in relation to version support.


Re: [Distutils] Metadataformat PEP 426 on PyPI?

2013-07-03 Thread Vinay Sajip
PJ Eby pje at telecommunity.com writes:

> Just an FYI, not sure if this is an issue with your converter or with
> the new spec, but the metadata shown for setuptools is missing
> something important: 0.7.x pins specific distributions of its
> dependencies using dependency_links URLs with #md5 hashes, so that SSL
> support can be installed in a reasonably secure manner, as long as
> you're starting from a trusted copy of the distribution.  The
> converted metadata you show lacks this pinning.

True, although I do capture the dependency links under the 'dependency-urls'
key of the top level dict of the JSON I linked to. While dependency_links is
not directly supported by PEP 426, the intent is there via direct references.

When installing using distlib/distil, SSL host verification and hash
verification are done, even when direct references are not specified, since
the versions of dependencies are pinned. For example, if I install
setuptools into a fresh venv:

$ pyvenv-3.3 /tmp/venv
$ distil -e /tmp/venv install setuptools [ssl,certs]
Checking requirements for setuptools (0.7.7) ... done.
The following new packages will be downloaded and installed:
certifi (0.0.8) [for setuptools]
setuptools (0.7.7)
Proceed? (y/n) y
Downloading certifi-0.0.8.tar.gz to /tmp/tmpccek0f [for setuptools]
115KB @ 667 KB/s 100 % Done: 00:00:00
Unpacking ... done.
Downloading setuptools-0.7.7.tar.gz to /tmp/tmpchxc1x
736KB @ 393 KB/s 100 % Done: 00:00:01
Unpacking ... done.
[installation feedback snipped]

Below is an extract from distil.log for the above installation, showing the
downloading and verification operations:

Downloading certifi-0.0.8.tar.gz to /tmp/tmpccek0f [for setuptools]
Digest specified: dc5f5e7f0b5fc08d27654b17daa6ecec
Host verified: pypi.python.org
Digest verified: dc5f5e7f0b5fc08d27654b17daa6ecec
Library location: venv site-packages
Downloading setuptools-0.7.7.tar.gz to /tmp/tmpchxc1x
Digest specified: 0d7bc0e1a34b70a97e706ef74aa7f37f
Host verified: pypi.python.org
Digest verified: 0d7bc0e1a34b70a97e706ef74aa7f37f
Library location: venv site-packages

Distil includes the Mozilla certs and thus is able to do SSL host
validation. The hash support is currently limited to MD5 because PyPI has
not supported other formats, but I expect that will be rectified in due course.

Regards,

Vinay Sajip
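
The "Digest specified" / "Digest verified" steps in the log above, and the `#md5` pinning PJ Eby describes, come down to the check sketched in this added example (not distil's or setuptools' code; function names, URL and payload are constructed). It goes beyond the thread by also accepting a `sha256` fragment, and the check is only as trustworthy as the place the pinned URL was read from.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

ALLOWED = ("md5", "sha256")  # md5 is what the thread uses; sha256 is added here

class DigestError(Exception):
    """Raised when a download has no usable pin or does not match it."""

def pinned_digest(url):
    """Split '<url>#<algo>=<hex>' into (bare_url, algo, digest_bytes)."""
    parts = urlsplit(url)
    algo, sep, hexdigest = parts.fragment.partition("=")
    if not sep or algo not in ALLOWED:
        raise DigestError("no usable digest pinned in %r" % url)
    try:
        digest = bytes.fromhex(hexdigest)
    except ValueError:
        raise DigestError("digest is not hex in %r" % url)
    if len(digest) != hashlib.new(algo).digest_size:
        raise DigestError("digest has wrong length for %s" % algo)
    return parts._replace(fragment="").geturl(), algo, digest

def verify_download(url, payload):
    """Return the algorithm name if payload matches the pin, else raise."""
    _, algo, expected = pinned_digest(url)
    actual = hashlib.new(algo, payload).digest()
    # Fail closed: a mismatch aborts before anything is unpacked or installed.
    if not hmac.compare_digest(actual, expected):
        raise DigestError("digest mismatch (%s): refusing to install" % algo)
    return algo

# Constructed sample: stand-in archive bytes and a dependency link pinning them.
PAYLOAD = b"constructed stand-in for an sdist archive"
PINNED_URL = ("https://index.example.invalid/demo-1.0.tar.gz#md5="
              + hashlib.new("md5", PAYLOAD).hexdigest())

if __name__ == "__main__":
    print(verify_download(PINNED_URL, PAYLOAD))
```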



Re: [Distutils] Metadataformat PEP 426 on PyPI?

2013-07-03 Thread PJ Eby
On Wed, Jul 3, 2013 at 2:34 PM, Donald Stufft don...@stufft.io wrote:
> PEP426 does not support dependency_links.

Right - I would've expected direct references in this scenario,
assuming the PEP still has them.


Re: [Distutils] Metadataformat PEP 426 on PyPI?

2013-07-03 Thread Donald Stufft

On Jul 3, 2013, at 7:38 PM, PJ Eby p...@telecommunity.com wrote:

> On Wed, Jul 3, 2013 at 2:34 PM, Donald Stufft don...@stufft.io wrote:
>> PEP426 does not support dependency_links.
>
> Right - I would've expected direct references in this scenario,
> assuming the PEP still has them.

Yea PEP440 direct references can be used as an approximate dependency_links 
replacement with the caveat you can't publish them on PyPI.

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA


