diff --git a/pep-0426.txt b/pep-0426.txt index d211bdf25..8d9bee231 100644 --- a/pep-0426.txt +++ b/pep-0426.txt @@ -2,9 +2,9 @@ PEP: 426 Title: Metadata for Python Software Packages 2.0 Version: $Revision$ Last-Modified: $Date$ -Author: Daniel Holth , - Donald Stufft , - Nick Coghlan +Author: Nick Coghlan , + Daniel Holth , + Donald Stufft BDFL-Delegate: Nick Coghlan Discussions-To: Distutils SIG Status: Draft @@ -12,15 +12,16 @@ Type: Standards Track Content-Type: text/x-rst Requires: 440 Created: 30 Aug 2012 -Post-History: 14 Nov 2012, 5 Feb 2013, 7 Feb 2013, 9 Feb 2013 +Post-History: 14 Nov 2012, 5 Feb 2013, 7 Feb 2013, 9 Feb 2013, 27-May-2013 Replaces: 345 Abstract ======== -This PEP describes a mechanism for adding metadata to Python distributions. -It includes specifics of the field names, and their semantics and +This PEP describes a mechanism for publishing and exchanging metadata +related to Python distributions. It includes specifics of the field names, +and their semantics and usage. This document specifies version 2.0 of the metadata format. @@ -28,89 +29,351 @@ Version 1.0 is specified in PEP 241. Version 1.1 is specified in PEP 314. Version 1.2 is specified in PEP 345. -Version 2.0 of the metadata format adds fields designed to make -third-party packaging of Python Software easier and defines a formal -extension mechanism. It also adds support for optional features of -distributions and allows the description to be placed into a payload -section. Finally, this version addresses several issues with the -previous iteration of the standard version identification scheme. +Version 2.0 of the metadata format migrates from a custom key-value format +to a JSON-compatible in-memory representation. + +This version also adds fields designed to make third-party packaging of +Python software easier, defines a formal extension mechanism, and adds +support for optional dependencies. Finally, this version addresses +several issues with the previous iteration of the standard version +identification scheme. .. note:: - Portions of this PEP are in the process of being broken out into a - separate PEP (PEP 440). Old versions of much of that material currently - still exists in this PEP - the duplication will be eliminated in the - next major update. + "I" in this doc refers to Nick Coghlan. Daniel and Donald either wrote or + contributed to earlier versions, and have been providing feedback as this + initial draft of the JSON-based rewrite has taken shape. + + Metadata 2.0 represents a major upgrade to the Python packaging ecosystem, + and attempts to incorporate experience gained over the 15 years(!) since + distutils was first added to the standard library. Some of that is just + incorporating existing practices from setuptools/pip/etc, some of it is + copying from other distribution systems (like Linux distros or other + development language communities) and some of it is attempting to solve + problems which haven't yet been well solved by anyone (like supporting + clean conversion of Python source packages to distro policy compliant + source packages for at least Debian and Fedora, and perhaps other + platform specific distribution systems). + + There will eventually be a suite of PEPs covering various aspects of + the metadata 2.0 format and related systems: + + * this PEP, covering the core metadata format + * PEP 440, covering the versioning identification and selection scheme + * a new PEP to define v2.0 of the sdist format + * an updated wheel PEP (v1.1) to add pymeta.json + * an updated installation database PEP both for pymeta.json and to add + a linking scheme to better support runtime selection of dependencies, + as well as recording which extras are currently available + * a new static config PEP to standardise metadata generation and + creation of sdists + * PEP 439, covering a bootstrapping mechanism for ``pip`` + * a distutils upgrade PEP, adding metadata v2.0 and wheel support. + + It's going to take a while to work through all of these and make them + a reality. The main change from our last attempt at this is that we're + trying to design the different pieces so we can implement them + independently of each other, without requiring users to switch to + a whole new tool chain (although they may have to upgrade their existing + ones to start enjoying the benefits in their own work). + + Many of the inline notes in this version of the PEP are there to aid + reviewers that are familiar with the old metadata standards. Before this + version is finalised, most of that content will be moved down to the + "rationale" section at the end of the document, as it would otherwise be + an irrelevant distraction for future readers. + + +Definitions +=========== + +The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", +"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this +document are to be interpreted as described in RFC 2119. + +"Distributions" are deployable software components published through an index +server or otherwise made available for installation. + +"Versions" are uniquely identified snapshots of a distribution. + +"Distribution archives" are the packaged files which are used to publish +and distribute the software. + +"Source archives" require build tools to be available on the target +system. + +"Binary archives" only require that prebuilt files be moved to the correct +location on the target system. As Python is a dynamically bound +cross-platform language, many "binary" archives will contain only pure +Python source code. + +"Build tools" are automated tools intended to run on development systems, +producing source and binary distribution archives. Build tools may also be +invoked by installation tools in order to install software distributed as +source archives rather than prebuilt binary archives. + +"Index servers" are active distribution registries which publish version and +dependency metadata and place constraints on the permitted metadata. + +"Publication tools" are automated tools intended to run on development +systems and upload source and binary distribution archives to index servers. + +"Installation tools" are automated tools intended to run on production +systems, consuming source and binary distribution archives from an index +server or other designated location and deploying them to the target system. + +"Automated tools" is a collective term covering build tools, index servers, +publication tools, installation tools and any other software that produces +or consumes distribution version and dependency metadata. + +"Projects" refers to the developers that manage the creation of a particular +distribution. + +"Legacy metadata" refers to earlier versions of this metadata specification, +along with the supporting metadata file formats defined by the +``setuptools`` project. + + +Development and distribution activities +======================================= + +Making effective use of a common metadata format requires a common +understanding of the most complex development and distribution model +the format is intended to support. The metadata format described in this +PEP is based on the following activities: + +* Development: during development, a user is operating from a + source checkout (or equivalent) for the current project. Dependencies must + be available in order to build, test and create a source archive of the + distribution. + + .. note:: + As a generated file, the full distribution metadata often won't be + available in a raw source checkout or tarball. In such cases, the + relevant distribution metadata is generally obtained from another + location, such as the last published release, or by generating it + based on a command given in a standard input file. This spec + deliberately avoids handling that scenario, instead falling back on + the existing ``setup.py`` functionality. + +* Build: the build step is the process of turning a source archive into a + binary archive. Dependencies must be available in order to build and + create a binary archive of the distribution (including any documentation + that is installed on target systems). + +* Deployment: the deployment phase consists of two subphases: + + * Installation: the installation phase involves getting the distribution + and all of its runtime dependencies onto the target system. In this + phase, the distribution may already be on the system (when upgrading or + reinstalling) or else it may be a completely new installation. + + * Usage: the usage phase, also referred to as "runtime", is normal usage + of the distribution after it has been installed on the target system. + +The metadata format described in this PEP is designed to enable the +following: + +* It should be practical to have separate development systems, build systems + and deployment systems. +* It should be practical to install dependencies needed specifically to + build source archives only on development systems. +* It should be practical to install dependencies needed specifically to + build the software only on development and build systems, as well as + optionally on deployment systems if installation from source archives + is needed. +* It should be practical to install dependencies needed to run the + distribution only on development and deployment systems. +* It should be practical to install the dependencies needed to run a + distribution's test suite only on development systems, as well as + optionally on deployment systems. +* It should be practical for repackagers to separate out the build + dependencies needed to build the application itself from those required + to build its documentation (as the documentation often doesn't need to + be rebuilt when porting an application to a different platform). + +.. note:: + + This "most complex supported scenario" is almost *exactly* what has to + happen to get an upstream Python package into a Linux distribution, and + is why the current crop of automatic Python metadata -> Linux distro + metadata converters have some serious issues, at least from the point of + view of complying with distro packaging policies: the information + they need to comply with those policies isn't available from the + upstream projects, and all current formats for publishing it are + distro specific. This means either upstreams have to maintain metadata + for multiple distributions (which rarely happens) or else repackagers + have to do a lot of work manually in order to separate out these + dependencies in a way that complies with those policies. + + One thing this PEP aims to do is define a metadata format that at least + has the *potential* to provide the info repackagers need, thus allowing + upstream Python projects and Linux distro repackagers to collaborate more + effectively (and, ideally, make it possible to reliably automate + the process of converting upstream Python distributions into policy + compliant distro packages). + + Some items in this section (and the contents of this note) will likely + end up moving down to the "Rationale for changes from PEP 345" section. + + +Metadata format +=============== + +The format defined in this PEP is an in-memory representation of Python +distribution metadata as a string-keyed dictionary. Permitted values for +individual entries are strings, lists of strings, and additional +nested string-keyed dictionaries. + +Except where otherwise noted, dictionary keys in distribution metadata MUST +be valid Python identifiers in order to support attribute based metadata +access APIs. + +The individual field descriptions show examples of the key name and value +as they would be serialised as part of a JSON mapping. + +The fields identified as core metadata are required. Automated tools MUST +NOT accept distributions with missing core metadata as valid Python +distributions. + +All other fields are optional. Automated tools MUST operate correctly +if a distribution does not provide them, except for those operations +which specifically require the omitted fields. + +Automated tools MUST NOT insert dummy data for missing fields. If a valid +value is not provided for a required field then the metadata and the +associated distribution MUST be rejected as invalid. If a valid value +is not provided for an optional field, that field MUST be omitted entirely. +Automated tools MAY automatically derive valid values from other +information sources (such as a version control system). Metadata files -============== +-------------- -The syntax defined in this PEP is for use with Python distribution -metadata files. The file format is a simple UTF-8 encoded Key: value -format with case-insensitive keys and no maximum line length, optionally -followed by a blank line and a payload containing a description of the -distribution. - -This format is parseable by the ``email`` module with an appropriate -``email.policy.Policy()`` (see `Appendix A`_). When ``metadata`` is a -Unicode string, ```email.parser.Parser().parsestr(metadata)`` is a -serviceable parser. +The information defined in this PEP is serialised to ``pymeta.json`` +files for some use cases. As indicated by the extension, these +are JSON-encoded files. Each file consists of a single serialised mapping, +with fields as described in this PEP. There are three standard locations for these metadata files: -* the ``PKG-INFO`` file included in the base directory of Python - source distribution archives (as created by the distutils ``sdist`` - command) -* the ``{distribution}-{version}.dist-info/METADATA`` file in a ``wheel`` - binary distribution archive (as described in PEP 425, or a later version - of that specification) -* the ``{distribution}-{version}.dist-info/METADATA`` files in a local - Python installation database (as described in PEP 376, or a later version - of that specification) +* as a ``{distribution}-{version}.dist-info/pymeta.json`` file in an + ``sdist`` source distribution archive +* as a ``{distribution}-{version}.dist-info/pymeta.json`` file in a ``wheel`` + binary distribution archive +* as a ``{distribution}-{version}.dist-info/pymeta.json`` file in a local + Python installation database + +.. note:: + + These locations are to be confirmed, since they depend on the definition + of sdist 2.0 and the revised installation database standard. There will + also be a wheel 1.1 format update after this PEP is approved that + mandates 2.0+ metadata. Other tools involved in Python distribution may also use this format. +It is expected that these metadata files will be generated by build tools +based on other input formats (such as ``setup.py``) rather than being +edited by hand. -Encoding -======== +.. note:: -Metadata 2.0 files are UTF-8 with the restriction that keys must be -ASCII. Parser implementations should be aware that older versions of -the Metadata specification do not specify an encoding. + It may be appropriate to add a "./setup.py dist_info" command to + setuptools to allow just the sdist metadata files to be generated + without having to build the full sdist archive. This would be + similar to the existing "./setup.py egg_info" command in setuptools, + which would continue to emit the legacy metadata format. + +For backwards compatibility with older installation tools, metadata 2.0 +files MAY be distributed alongside legacy metadata. + +Index servers MAY allow distributions to be uploaded and installation tools +MAY allow distributions to be installed with only legacy metadata. -Metadata header fields -======================= +Essential dependency resolution metadata +---------------------------------------- -This section specifies the names and semantics of each of the -supported fields in the metadata header. +For dependency resolution purposes, it is useful to have a minimal subset +of the metadata that contains only those fields needed to identify +distributions and resolve dependencies between them. -In a single Metadata 2.0 file, fields marked with "(optional)" may occur -0 or 1 times. Fields marked with "(multiple use)" may be specified -0, 1 or more times. Only "Metadata-Version", "Name", "Version", and -"Summary" must appear exactly once. +The essential dependency resolution metadata consists of the following +fields: -The fields may appear in any order within the header section of the file. +* ``metadata_version`` +* ``name`` +* ``version`` +* ``build_label`` +* ``version_url`` +* ``extras`` +* ``requires`` +* ``may-require`` +* ``build-requires`` +* ``build-may-require`` +* ``dev-requires`` +* ``dev-may-require`` +* ``provides`` +* ``obsoleted_by`` +* ``supports_environments`` + +When serialised to a file, the name used for this metadata set SHOULD +be ``pymeta-minimal.json``. + +Abbreviated metadata +-------------------- + +Some metadata fields have the potential to contain a lot of information +that will rarely be referenced, greatly increasing storage requirements +without providing significant benefits. + +The abbreviated metadata for a distribution consists of all fields +*except* the following: + +* ``description`` +* ``contributors`` + +When serialised to a file, the name used for this metadata set SHOULD +be ``pymeta-short.json``. -Metadata-Version +Core metadata +============= + +This section specifies the core metadata fields that are required for every +Python distribution. + +Publication tools MUST ensure at least these fields are present when +publishing a distribution. + +Index servers MUST ensure at least these fields are present in the metadata +when distributions are uploaded. + +Installation tools MUST refuse to install distributions with one or more +of these fields missing by default, but MAY allow users to force such an +installation to occur. + + +Metadata version ---------------- -Version of the file format; "2.0" is the only legal value. +Version of the file format; ``"2.0"`` is the only legal value. -Automated tools consuming metadata should warn if ``Metadata-Version`` is -greater than the highest version they support, and must fail if -``Metadata-Version`` has a greater major version than the highest -version they support. +Automated tools consuming metadata SHOULD warn if ``metadata_version`` is +greater than the highest version they support, and MUST fail if +``metadata_version`` has a greater major version than the highest +version they support (as described in PEP 440, the major version is the +value before the first dot). -For broader compatibility, automated tools may choose to produce +For broader compatibility, build tools MAY choose to produce distribution metadata using the lowest metadata version that includes all of the needed fields. Example:: - Metadata-Version: 2.0 + "metadata_version": "2.0" Name @@ -118,1057 +381,1100 @@ Name The name of the distribution. +As distribution names are used as part of URLs, filenames, command line +parameters and must also interoperate with other packaging systems, the +permitted characters are constrained to: + +* ASCII letters (``[a-zA-Z]``) +* ASCII digits (``[0-9]``) +* underscores (``_``) +* hyphens (``-``) +* periods (``.``) + +Distributions named MUST start and end with an ASCII letter or digit. + +Automated tools MUST reject non-compliant names. + +All comparisons of distribution names MUST be case insensitive, and MUST +consider hyphens and underscores to be equivalent. + +Index servers MAY consider "confusable" characters (as defined by the +Unicode Consortium in `TR39: Unicode Security Mechanisms `__) to be +equivalent. + +Index servers that permit arbitrary distribution name registrations from +untrusted sources SHOULD consider confusable characters to be equivalent +when registering new distributions (and hence reject them as duplicates). + +Installation tools MUST NOT silently accept a confusable alternate +spelling as matching a requested distribution name. + +At time of writing, the characters in the ASCII subset designated as +confusables by the Unicode Consortium are: + +* ``1`` (DIGIT ONE), ``l`` (LATIN SMALL LETTER L), and ``I`` (LATIN CAPITAL + LETTER I) +* ``0`` (DIGIT ZERO), and ``O`` (LATIN CAPITAL LETTER O) + + Example:: - Name: BeagleVote + "name": "ComfyChair" + +.. note:: + + Debian doesn't actually permit underscores in names, but that seems + unduly restrictive for this spec given the common practice of using + valid Python identifiers as Python distribution names. A Debian side + policy of converting underscores to hyphens seems easy enough to + implement (and the requirement to consider hyphens and underscores as + equivalent ensures that doing so won't introduce any conflicts). + + We're deliberately *not* following Python 3 down the path of arbitrary + unicode identifiers at this time. The security implications of doing so + are substantially worse in the software distribution use case (it opens + up far more interesting attack vectors than mere code obfuscation), the + existing tooling really only works properly if you abide by the stated + restrictions and changing it would require a *lot* of work for all + the automated tools in the chain. + + PyPI has recently been updated to reject non-compliant names for newly + registered projects, but existing non-compliant names are still + tolerated when using legacy metadata formats. Affected distributions + will need to change their names (typically be replacing spaces with + hyphens) before they can migrate to the new metadata formats. + + Donald Stufft ran an analysis, and the new restrictions impact less + than 230 projects out of the ~31k already on PyPI. This isn't that + surprising given the fact that many existing tools could already + exhibit odd behaviour when attempting to deal with non-compliant + names, implicitly discouraging the use of more exotic names. + + Of those projects, ~200 have the only non-compliant character as an + internal space (e.g. "Twisted Web"). These will be automatically + migrated by replacing the spaces with hyphens (e.g. "Twisted-Web"), + which is what you have to actually type to install these distributions + with ``setuptools`` (which powers both ``easy_install`` and ``pip``). + + The remaining ~30 will be investigated manually and decided upon on a + case by case basis how to migrate them to the new naming rules (in + consultation with the maintainers of those projects where possible). Version ------- -The distribution's public version identifier. Public versions are designed -for consumption by automated tools and are strictly ordered according -to a defined scheme. See `Version scheme`_ below. +The distribution's public version identifier, as defined in PEP 440. Public +versions are designed for consumption by automated tools and support a +variety of flexible version specification mechanisms (see PEP 440 for +details). Example:: - Version: 1.0a2 + "version": "1.0a2" +Additional identifying metadata +=============================== + +This section specifies fields that provide other identifying details +that are unique to this distribution. + +All of these fields are optional. Automated tools MUST operate correctly if +a distribution does not provide them, including failing cleanly when an +operation depending on one of these fields is requested. + + +Build label +----------- + +A constrained identifying text string, as defined in PEP 440. Build labels +cannot be used in ordered version comparisons, but may be used to select +an exact version (see PEP 440 for details). + + +Examples:: + + "build_label": "1.0.0-alpha.1" + + "build_label": "1.3.7+build.11.e0f985a" + + "build_label": "v1.8.1.301.ga0df26f" + + "build_label": "2013.02.17.dev123" + + +Version URL +----------- + +A string containing a full URL where this specific version of the +distribution can be downloaded. (This means that the URL can't be +something like ``"https://github.com/pypa/pip/archive/master.zip"``, but +instead must be ``"https://github.com/pypa/pip/archive/1.3.1.zip"``.) + +Some appropriate targets for a version URL are a source tarball, an sdist +archive or a direct reference to a tag or specific commit in an online +version control system. + +All version URL references SHOULD either specify a secure transport +mechanism (such as ``https``) or else include an expected hash value in the +URL for verification purposes. If an insecure transport is specified without +any hash information (or with hash information that the tool doesn't +understand), automated tools SHOULD at least emit a warning and MAY +refuse to rely on the URL. + +It is RECOMMENDED that only hashes which are unconditionally provided by +the latest version of the standard library's ``hashlib`` module be used +for source archive hashes. At time of writing, that list consists of +``'md5'``, ``'sha1'``, ``'sha224'``, ``'sha256'``, ``'sha384'``, and +``'sha512'``. + +For source archive references, an expected hash value may be specified by +including a ``=`` as part of the URL +fragment. + +For version control references, the ``VCS+protocol`` scheme SHOULD be +used to identify both the version control system and the secure transport. + +To support version control systems that do not support including commit or +tag references directly in the URL, that information may be appended to the +end of the URL using the ``@`` notation. + +Example:: + + "version_url": "https://github.com/pypa/pip/archive/1.3.1.zip" + "version_url": "http://github.com/pypa/pip/archive/1.3.1.zip#sha1=da9234ee9982d4bbb3c72346a6de940a148ea686" + "version_url": "git+https://github.com/pypa/pip.git@1.3.1" + +.. note:: + + This was called "Download-URL" in previous versions of the metadata. It + has been renamed, since there are plenty of other download locations and + this URL is meant to be a way to get the original source for development + purposes (or to generate an SRPM or other platform specific equivalent). + + For extra fun and games, it appears that unlike "svn+ssh://", + neither "git+ssh://" nor "hg+ssh://" natively support direct linking to a + particular tag (hg does support direct links to bookmarks through the URL + fragment, but that doesn't help for git and doesn't appear to be what I + want anyway). + + However pip does have a `defined convention + `__ for + this kind of link, which effectively splits a "URL" into "@". + + The PEP simply adopts pip's existing solution to this problem. + + This field is separate from the project URLs, as it's expected to + change for each version, while the project URLs are expected to + be fairly stable. + + +Additional descriptive metadata +=============================== + +This section specifies fields that provide additional information regarding +the distribution and its contents. + +All of these fields are optional. Automated tools MUST operate correctly if +a distribution does not provide them, including failing cleanly when an +operation depending on one of these fields is requested. + Summary ------- A one-line summary of what the distribution does. -Example:: - - Summary: A module for collecting votes from beagles. - - -Private-Version (optional) --------------------------- - -An arbitrary private version label. Private version labels are intended -for internal use by a project, and cannot be used in version specifiers. -See `Compatibility with other version schemes`_ below. - -Examples:: - - Private-Version: 1.0.0-alpha.1 - Private-Version: 1.3.7+build.11.e0f985a - Private-Version: v1.8.1.301.ga0df26f - Private-Version: 2013.02.17.dev123 - - -Description (optional, deprecated) ----------------------------------- - -Starting with Metadata 2.0, the recommended place for the description is in -the payload section of the document, after the last header. The description -does not need to be reformatted when it is included in the payload. - -See `Describing the Distribution`_ for more information on the expected -contents of this field. - -Since a line separator immediately followed by another line separator -indicates the end of the headers section, any line separators in a -``Description`` header field must be suffixed by whitespace to -indicate continuation. - -It is an error to provide both a ``Description`` header and a metadata -payload. - - -Keywords (optional) -------------------- - -A list of additional whitespace separated keywords to be used to assist -searching for the distribution in a larger catalog. +Publication tools SHOULD emit a warning if this field is not provided. Index +servers MAY require that this field be present before allowing a +distribution to be uploaded. Example:: - Keywords: dog puppy voting election + "summary": "A module that is more fiendish than soft cushions." +.. note:: -Home-page (optional) --------------------- + This used to be mandatory, and it's still highly recommended, but really, + nothing should break even when it's missing. -A string containing the URL for the distribution's home page. -Example:: - - Home-page: http://www.example.com/~cschultz/bvote/ - - -Download-URL (optional) ------------------------ - -A string containing the URL from which this version of the distribution -can be downloaded. (This means that the URL can't be something like -".../BeagleVote-latest.tgz", but instead must be ".../BeagleVote-0.45.tgz".) - - -Project-URL (multiple use) --------------------------- - -A string containing a label and a browsable URL for the project, separated -by the last occurrence of comma and space ", ". - -The label consists of any permitted header text, including commas. - -Example:: - - Bug, Issue Tracker, http://bitbucket.org/tarek/distribute/issues/ - - -Author (optional) ------------------ - -A string containing the author's name at a minimum; additional -contact information may be provided. - -Example:: - - Author: C. Schultz, Universal Features Syndicate, - Los Angeles, CA - - -Author-email (optional) ------------------------ - -A string containing the author's e-mail address. It contains a name -and e-mail address in the RFC 5322 recommended ``Address Specification`` -format. - -Example:: - - Author-email: "C. Schultz" - - -Maintainer (optional) ---------------------- - -A string containing the maintainer's name at a minimum; additional -contact information may be provided. - -Note that this field is intended for use when a project is being -maintained by someone other than the original author: it should be -omitted if it is identical to ``Author``. - -Example:: - - Maintainer: C. Schultz, Universal Features Syndicate, - Los Angeles, CA - - -Maintainer-email (optional) ---------------------------- - -A string containing the maintainer's e-mail address. It has the same -format as ``Author-email``. - -Note that this field is intended for use when a project is being -maintained by someone other than the original author: it should be -omitted if it is identical to ``Author-email``. - -Example:: - - Maintainer-email: "C. Schultz" - - -License (optional) ------------------- - -Text indicating the license covering the distribution where the license -is not a selection from the "License" Trove classifiers. See -"Classifier" below. This field may also be used to specify a -particular version of a license which is named via the ``Classifier`` -field, or to indicate a variation or exception to such a license. - -Examples:: - - License: This software may only be obtained by sending the - author a postcard, and then the user promises not - to redistribute it. - - License: GPL version 3, excluding DRM provisions - -The full text of the license would normally be included in a separate -file. - - -Classifier (multiple use) -------------------------- - -Each entry is a string giving a single classification value -for the distribution. Classifiers are described in PEP 301 [2]. - -`Environment markers`_ may be used with this field. - -Examples:: - - Classifier: Development Status :: 4 - Beta - Classifier: Environment :: Console (Text Based) - - -Provides-Dist (multiple use) ----------------------------- - -Each entry contains a string naming a requirement that is satisfied by -installing this distribution. These strings must be of the form -``Name`` or ``Name (Version)``, following the formats of the corresponding -field definitions. - -A distribution may provide additional names, e.g. to indicate that -multiple projects have been merged into and replaced by a single -distribution or to indicate that this project is a substitute for another. -For instance, distribute (a fork of setuptools) can include a -``Provides-Dist: setuptools`` entry to prevent the conflicting -package from being downloaded and installed when distribute is already -installed. A distribution that has been merged with another might -``Provides-Dist`` the obsolete name(s) to satisfy any projects that -require the obsolete distribution's name. - -A distribution may also provide a "virtual" project name, which does -not correspond to any separately-distributed project: such a name -might be used to indicate an abstract capability which could be supplied -by one of multiple projects. E.g., multiple projects might supply -RDBMS bindings for use by a given ORM: each project might declare -that it provides ``ExampleORM-somedb-bindings``, allowing other -projects to depend only on having at least one of them installed. - -A version declaration may be supplied and must follow the rules described -in `Version scheme`_. The distribution's version identifier will be implied -if none is specified. - -`Environment markers`_ may be used with this field. - -Examples:: - - Provides-Dist: AnotherProject (3.4) - Provides-Dist: virtual_package - - -Provides-Extra (multiple use) ------------------------------ - -A string containing the name of an optional feature or "extra" that may -only be available when additional dependencies have been installed. Must -be printable ASCII, not containing whitespace, comma (,), or square -brackets []. - -See `Optional Features`_ for details on the use of this field. - -Example:: - - Name: beaglevote - Provides-Extra: pdf - Requires-Dist: reportlab; extra == 'pdf' - Requires-Dist: nose; extra == 'test' - Requires-Dist: sphinx; extra == 'doc' - - -Obsoleted-By (optional) ------------------------ - -Indicates that this project is no longer being developed. The named -project provides a substitute or replacement. - -A version declaration may be supplied and must follow the rules described -in `Version specifiers`_. - -Possible uses for this field include handling project name changes and -project mergers. - -Examples:: - - Name: BadName - Obsoleted-By: AcceptableName - - Name: SeparateProject - Obsoleted-By: MergedProject (>=4.0.0) - - -Requires-Dist (multiple use) ----------------------------- - -Each entry contains a string naming some other distutils -project required by this distribution. - -The format of a requirement string is identical to that of a distribution -name (e.g., as found in the ``Name:`` field) optionally followed by a -version declaration within parentheses. - -The distribution names should correspond to names as found on the `Python -Package Index`_; often the same as, but distinct from, the module names -as accessed with ``import x``. - -`Environment markers`_ may be used with this field. - -Version declarations must follow the rules described in -`Version specifiers`_ - -Distributions may also depend on optional features of other distributions. -See `Optional Features`_ for details. - -Examples:: - - Requires-Dist: pkginfo - Requires-Dist: PasteDeploy - Requires-Dist: zope.interface (>3.5.0) - -Dependencies mentioned in ``Requires-Dist`` may be installed exclusively -at run time and are not guaranteed to be available when creating or -installing a package. If a dependency is needed during distribution -creation or installation *and* at run time, it should be listed under -both ``Requires-Dist`` and ``Setup-Requires-Dist``. - - -Setup-Requires-Dist (multiple use) ----------------------------------- - -Like ``Requires-Dist``, but names dependencies needed in order to build, -package or install the distribution -- in distutils, a dependency imported -by ``setup.py`` itself. Commonly used to bring in extra compiler support -or a package needed to generate a manifest from version control. - -Examples:: - - Setup-Requires-Dist: custom_setup_command - -Dependencies mentioned in ``Setup-Requires-Dist`` may be installed -exclusively for setup and are not guaranteed to be available at run time. -If a dependency is needed during distribution creation or installation -*and* at run time, it should be listed under both ``Requires-Dist`` and -``Setup-Requires-Dist``. - - -Requires-Python (multiple use) ------------------------------- - -This field specifies the Python version(s) that the distribution is -guaranteed to be compatible with. - -`Environment markers`_ may be used with this field. - -Version declarations must be in the format specified in -`Version specifiers`_. - -Examples:: - - Requires-Python: 3.2 - Requires-Python: >3.1 - Requires-Python: >=2.3.4 - Requires-Python: >=2.5,<2.7 - -If specified multiple times, the Python version must satisfy all such -constraints to be considered compatible. This is most useful in combination -with appropriate `Environment markers`_. - -For example, if a feature was initially introduced to Python as a -Unix-specific addition, and then Windows support was added in the -subsequent release, this could be indicated with the following pair -of entries:: - - Requires-Python: >= 3.1 - Requires-Python: >= 3.2; sys.platform == 'win32' - - -Requires-External (multiple use) --------------------------------- - -Each entry contains a string describing some dependency in the -system that the distribution is to be used. This field is intended to -serve as a hint to downstream project maintainers, and has no -semantics which are meaningful to the ``distutils`` distribution. - -The format of a requirement string is a name of an external -dependency, optionally followed by a version declaration within -parentheses. - -`Environment markers`_ may be used with this field. - -Because they refer to non-Python software releases, version identifiers -for this field are **not** required to conform to the format -described in `Version scheme`_: they should correspond to the -version scheme used by the external dependency. - -Notice that there is no particular rule on the strings to be used. - -Examples:: - - Requires-External: C - Requires-External: libpng (>=1.5) - - -Platform (multiple use) ------------------------ - -A Platform specification describing an operating system supported by -the distribution which is not listed in the "Operating System" Trove -classifiers. See `Classifier`__ above. - -__ `Classifier (multiple use)`_ - -Examples:: - - Platform: ObscureUnix - Platform: RareDOS - - -Supported-Platform (multiple use) ---------------------------------- - -Binary distributions containing a metadata file will use the -Supported-Platform field in their metadata to specify the OS and -CPU for which the binary distribution was compiled. The semantics of -the Supported-Platform field are not specified in this PEP. - -Example:: - - Supported-Platform: RedHat 7.2 - Supported-Platform: i386-win32-2791 - - -Extension (multiple use) ------------------------- - -An ASCII string, not containing whitespace or the ``/`` character, that -indicates the presence of extended metadata. The additional fields -defined by the extension are then prefixed with the name of the extension -and the ``/`` character. The additional fields are optional (0..1). - -For example:: - - Extension: Chili - Chili/Type: Poblano - Chili/Heat: Mild - Chili/json: { - "type" : "Poblano", - "heat" : "Mild" } - -The special ``{extension name}/json`` permits embedded JSON. It may be -parsed automatically by a future tool. - -Values in extension fields must still respect the general formatting -requirements for metadata headers. - -To avoid name conflicts, it is recommended that distribution names be used -to identify metadata extensions. This practice will also make it easier to -find authoritative documentation for metadata extensions. - -As the order of the metadata headers is not constrained, the -``Extension: Chili`` field may appear before or after the corresponding -extension fields ``Chili/Type:`` etc. - -A bare ``Extension: Name`` entry with no corresponding extension fields is -permitted. It may, for example, indicate the expected presence of an -additional metadata file rather than the presence of extension fields. - -An extension field with no corresponding ``Extension: Name`` entry is an -error. - - -Describing the distribution -=========================== +Description +----------- The distribution metadata should include a longer description of the distribution that may run to several paragraphs. Software that deals with metadata should not assume any maximum size for the description. -The recommended location for the description is in the metadata payload, -separated from the header fields by at least one completely blank line -(that is, two successive line separators with no other characters -between them, not even whitespace). - -Alternatively, the description may be provided in the `Description`__ -metadata header field. Providing both a ``Description`` field and a -payload is an error. - -__ `Description (optional, deprecated)`_ - The distribution description can be written using reStructuredText markup [1]_. For programs that work with the metadata, supporting markup is optional; programs may also display the contents of the field as plain text without any special formatting. This means that authors should be conservative in the markup they use. +Example:: -Version scheme -============== - -Public version identifiers must comply with the following scheme:: - - N[.N]+[{a|b|c|rc}N][.postN][.devN] - -Version identifiers which do not comply with this scheme are an error. - -Version identifiers must not include leading or trailing whitespace. - -Any given version will be a "release", "pre-release", "post-release" or -"developmental release" as defined in the following sections. + "description": "The ComfyChair module replaces SoftCushions.\\n\\nUse until lunchtime, but pause for a cup of coffee at eleven." .. note:: - Some hard to read version identifiers are permitted by this scheme in - order to better accommodate the wide range of versioning practices - across existing public and private Python projects, given the - constraint that the package index is not yet sophisticated enough to - allow the introduction of a simpler, backwards-incompatible scheme. + The difficulty of editing this field in a raw JSON file is one of the + main reasons this metadata interchange format is NOT recommended for + use as an input format for build tools. - Accordingly, some of the versioning practices which are technically - permitted by the PEP are strongly discouraged for new projects. Where - this is the case, the relevant details are noted in the following - sections. - -Releases --------- - -A release number is a version identifier that consists solely of one or -more non-negative integer values, separated by dots:: - - N[.N]+ - -Releases within a project must be numbered in a consistently increasing -fashion. Ordering considers the numeric value of each component -in turn, with "component does not exist" sorted ahead of all numeric -values. - -Date based release numbers are explicitly excluded from compatibility with -this scheme, as they hinder automatic translation to other versioning -schemes, as well as preventing the adoption of semantic versioning without -changing the name of the project. Accordingly, a leading release component -greater than or equal to ``1980`` is an error. - -While any number of additional components after the first are permitted -under this scheme, the most common variants are to use two components -("major.minor") or three components ("major.minor.micro"). - -For example:: - - 0.9 - 0.9.1 - 0.9.2 - ... - 0.9.10 - 0.9.11 - 1.0 - 1.0.1 - 1.1 - 2.0 - 2.0.1 - -A release series is any set of release numbers that start with a common -prefix. For example, ``3.3.1``, ``3.3.5`` and ``3.3.9.45`` are all -part of the ``3.3`` release series. - -.. note:: - - Using both ``X.Y`` and ``X.Y.0`` as distinct release numbers within the - scope of a single release series is strongly discouraged, as it makes the - version ordering ambiguous for human readers. Automated tools should - either treat this case as an error, or else interpret an ``X.Y.0`` - release as coming *after* the corresponding ``X.Y`` release. - - The recommended practice is to always use release numbers of a consistent - length (that is, always include the trailing ``.0``). An acceptable - alternative is to consistently omit the trailing ``.0``. The example - above shows both styles, always including the ``.0`` at the second - level and consistently omitting it at the third level. - - -Pre-releases ------------- - -Some projects use an "alpha, beta, release candidate" pre-release cycle to -support testing by their users prior to a full release. - -If used as part of a project's development cycle, these pre-releases are -indicated by a suffix appended directly to the last component of the -release number:: - - X.YaN # Alpha release - X.YbN # Beta release - X.YcN # Release candidate (alternative notation: X.YrcN) - X.Y # Full release - -The pre-release suffix consists of an alphabetical identifier for the -pre-release phase, along with a non-negative integer value. Pre-releases for -a given release are ordered first by phase (alpha, beta, release candidate) -and then by the numerical component within that phase. - -.. note:: - - Using both ``c`` and ``rc`` to identify release candidates within - the scope of a single release is strongly discouraged, as it makes the - version ordering ambiguous for human readers. Automated tools should - either treat this case as an error, or else interpret all ``rc`` versions - as coming after all ``c`` versions (that is, ``rc1`` indicates a later - version than ``c2``). - - -Post-releases -------------- - -Some projects use post-releases to address minor errors in a release that -do not affect the distributed software (for example, correcting an error -in the release notes). - -If used as part of a project's development cycle, these post-releases are -indicated by a suffix appended directly to the last component of the -release number:: - - X.Y.postN # Post-release - -The post-release suffix consists of the string ``.post``, followed by a -non-negative integer value. Post-releases are ordered by their -numerical component, immediately following the corresponding release, -and ahead of any subsequent release. - -.. note:: - - The use of post-releases to publish maintenance releases containing - actual bug fixes is strongly discouraged. In general, it is better - to use a longer release number and increment the final component - for each maintenance release. - -Post-releases are also permitted for pre-releases:: - - X.YaN.postM # Post-release of an alpha release - X.YbN.postM # Post-release of a beta release - X.YcN.postM # Post-release of a release candidate - -.. note:: - - Creating post-releases of pre-releases is strongly discouraged, as - it makes the version identifier difficult to parse for human readers. - In general, it is substantially clearer to simply create a new - pre-release by incrementing the numeric component. - - -Developmental releases ----------------------- - -Some projects make regular developmental releases, and system packagers -(especially for Linux distributions) may wish to create early releases -which do not conflict with later project releases. - -If used as part of a project's development cycle, these developmental -releases are indicated by a suffix appended directly to the last -component of the release number:: - - X.Y.devN # Developmental release - -The developmental release suffix consists of the string ``.dev``, -followed by a non-negative integer value. Developmental releases are ordered -by their numerical component, immediately before the corresponding release -(and before any pre-releases), and following any previous release. - -Developmental releases are also permitted for pre-releases and -post-releases:: - - X.YaN.devM # Developmental release of an alpha release - X.YbN.devM # Developmental release of a beta release - X.YcN.devM # Developmental release of a release candidate - X.Y.postN.devM # Developmental release of a post-release - -.. note:: - - Creating developmental releases of pre-releases is strongly - discouraged, as it makes the version identifier difficult to parse for - human readers. In general, it is substantially clearer to simply create - additional pre-releases by incrementing the numeric component. - - Developmental releases of post-releases are also strongly discouraged, - but they may be appropriate for projects which use the post-release - notation for full maintenance releases which may include code changes. - - -Examples of compliant version schemes -------------------------------------- - -The standard version scheme is designed to encompass a wide range of -identification practices across public and private Python projects. In -practice, a single project attempting to use the full flexibility offered -by the scheme would create a situation where human users had difficulty -figuring out the relative order of versions, even though the rules above -ensure all compliant tools will order them consistently. - -The following examples illustrate a small selection of the different -approaches projects may choose to identify their releases, while still -ensuring that the "latest release" and the "latest stable release" can -be easily determined, both by human users and automated tools. - -Simple "major.minor" versioning:: - - 0.1 - 0.2 - 0.3 - 1.0 - 1.1 - ... - -Simple "major.minor.micro" versioning:: - - 1.1.0 - 1.1.1 - 1.1.2 - 1.2.0 - ... - -"major.minor" versioning with alpha, beta and release candidate -pre-releases:: - - 0.9 - 1.0a1 - 1.0a2 - 1.0b1 - 1.0c1 - 1.0 - 1.1a1 - ... - -"major.minor" versioning with developmental releases, release candidates -and post-releases for minor corrections:: - - 0.9 - 1.0.dev1 - 1.0.dev2 - 1.0.dev3 - 1.0.dev4 - 1.0rc1 - 1.0rc2 - 1.0 - 1.0.post1 - 1.1.dev1 - ... - - -Summary of permitted suffixes and relative ordering ---------------------------------------------------- - -.. note:: - - This section is intended primarily for authors of tools that - automatically process distribution metadata, rather than authors - of Python distributions deciding on a versioning scheme. - -The numeric release component of version identifiers should be sorted in -the same order as Python's tuple sorting when the release number is -parsed as follows:: - - tuple(map(int, release_number.split("."))) - -Within a numeric release (``1.0``, ``2.7.3``), the following suffixes -are permitted and are ordered as shown:: - - .devN, aN, bN, cN, rcN, , .postN - -Note that `rc` will always sort after `c` (regardless of the numeric -component) although they are semantically equivalent. Tools are free to -reject this case as ambiguous and remain in compliance with the PEP. - -Within an alpha (``1.0a1``), beta (``1.0b1``), or release candidate -(``1.0c1``, ``1.0rc1``), the following suffixes are permitted and are -ordered as shown:: - - .devN, , .postN - -Within a post-release (``1.0.post1``), the following suffixes are permitted -and are ordered as shown:: - - .devN, - -Note that ``devN`` and ``postN`` must always be preceded by a dot, even -when used immediately following a numeric version (e.g. ``1.0.dev456``, -``1.0.post1``). - -Within a given suffix, ordering is by the value of the numeric component. - -The following example covers many of the possible combinations:: - - 1.0.dev456 - 1.0a1 - 1.0a2.dev456 - 1.0a12.dev456 - 1.0a12 - 1.0b1.dev456 - 1.0b2 - 1.0b2.post345.dev456 - 1.0b2.post345 - 1.0c1.dev456 - 1.0c1 - 1.0 - 1.0.post456.dev34 - 1.0.post456 - 1.1.dev1 - - -Version ordering across different metadata versions ---------------------------------------------------- - -Metadata v1.0 (PEP 241) and metadata v1.1 (PEP 314) do not -specify a standard version identification or ordering scheme. This PEP does -not mandate any particular approach to handling such versions, but -acknowledges that the de facto standard for ordering them is -the scheme used by the ``pkg_resources`` component of ``setuptools``. - -Software that automatically processes distribution metadata should attempt -to normalize non-compliant version identifiers to the standard scheme, and -ignore them if normalization fails. As any normalization scheme will be -implementation specific, this means that projects using non-compliant -version identifiers may not be handled consistently across different -tools, even when correctly publishing the earlier metadata versions. - -For distributions currently using non-compliant version identifiers, these -filtering guidelines mean that it should be enough for the project to -simply switch to the use of compliant version identifiers to ensure -consistent handling by automated tools. - -Distribution users may wish to explicitly remove non-compliant versions from -any private package indexes they control. - -For metadata v1.2 (PEP 345), the version ordering described in this PEP -should be used in preference to the one defined in PEP 386. - - -Compatibility with other version schemes ----------------------------------------- - -Some projects may choose to use a version scheme which requires -translation in order to comply with the public version scheme defined in -this PEP. In such cases, the `Private-Version`__ field can be used to -record the project specific version as an arbitrary label, while the -translated public version is given in the `Version`_ field. - -__ `Private-Version (optional)`_ - -This allows automated distribution tools to provide consistently correct -ordering of published releases, while still allowing developers to use -the internal versioning scheme they prefer for their projects. - - -Semantic versioning -~~~~~~~~~~~~~~~~~~~ - -`Semantic versioning`_ is a popular version identification scheme that is -more prescriptive than this PEP regarding the significance of different -elements of a release number. Even if a project chooses not to abide by -the details of semantic versioning, the scheme is worth understanding as -it covers many of the issues that can arise when depending on other -distributions, and when publishing a distribution that others rely on. - -The "Major.Minor.Patch" (described in this PEP as "major.minor.micro") -aspects of semantic versioning (clauses 1-9 in the 2.0.0-rc-1 specification) -are fully compatible with the version scheme defined in this PEP, and abiding -by these aspects is encouraged. - -Semantic versions containing a hyphen (pre-releases - clause 10) or a -plus sign (builds - clause 11) are *not* compatible with this PEP -and are not permitted in the public `Version`_ field. - -One possible mechanism to translate such private semantic versions to -compatible public versions is to use the ``.devN`` suffix to specify the -appropriate version order. - -.. _Semantic versioning: http://semver.org/ - - -DVCS based version labels -~~~~~~~~~~~~~~~~~~~~~~~~~ - -Many build tools integrate with distributed version control systems like -Git and Mercurial in order to add an identifying hash to the version -identifier. As hashes cannot be ordered reliably such versions are not -permitted in the public `Version`_ field. - -As with semantic versioning, the public ``.devN`` suffix may be used to -uniquely identify such releases for publication, while the private -version field is used to record the original version label. - - -Date based versions -~~~~~~~~~~~~~~~~~~~ - -As with other incompatible version schemes, date based versions can be -stored in the ``Private-Version`` field. Translating them to a compliant -public version is straightforward: the simplest approach is to subtract -the year before the first release from the major component in the release -number. - - -Version specifiers -================== - -A version specifier consists of a series of version clauses, separated by -commas. Each version clause consists of an optional comparison operator -followed by a version identifier. For example:: - - 0.9, >= 1.0, != 1.3.4, < 2.0 - -Each version identifier must be in the standard format described in -`Version scheme`_. - -The comma (",") is equivalent to a logical **and** operator. - -Whitespace between a conditional operator and the following version -identifier is optional, as is the whitespace around the commas. - - -Compatible release +Description Format ------------------ -A compatible release clause omits the comparison operator and matches any -version that is expected to be compatible with the specified version. +A field indicating the intended format of the text in the description field. +This allows index servers to render the description field correctly and +provide feedback on rendering errors, rather than having to guess the +intended format. -For a given release identifier ``V.N``, the compatible release clause is -approximately equivalent to the pair of comparison clauses:: +If this field is omitted, or contains an unrecognised value, the default +rendering format MUST be plain text. - >= V.N, < V+1.dev0 +The following format names SHOULD be used for the specified markup formats: -where ``V+1`` is the next version after ``V``, as determined by -incrementing the last numeric component in ``V``. For example, -the following version clauses are approximately equivalent:: +* ``txt``: Plain text (default handling if field is omitted) +* ``rst``: reStructured Text +* ``md``: Markdown (exact syntax variant will be implementation dependent) +* ``adoc``: AsciiDoc +* ``html``: HTML - 2.2 - >= 2.2, < 3.dev0 +Automated tools MAY render one or more of the listed formats as plain +text and MAY accept other markup formats beyond those listed. - 1.4.5 - >= 1.4.5, < 1.5.dev0 +Example:: -The difference between the two is that using a compatible release clause -does *not* count as `explicitly mentioning a pre-release`__. - -__ `Handling of pre-releases`_ - -If a pre-release, post-release or developmental release is named in a -compatible release clause as ``V.N.suffix``, then the suffix is ignored -when determining the upper limit of compatibility:: - - 2.2.post3 - >= 2.2.post3, < 3.dev0 - - 1.4.5a4 - >= 1.4.5a4, < 1.5.dev0 + "description_format": "rst" -Version comparisons -------------------- +Keywords +-------- -A version comparison clause includes a comparison operator and a version -identifier, and will match any version where the comparison is true. +A list of additional keywords to be used to assist searching for the +distribution in a larger catalog. -Comparison clauses are only needed to cover cases which cannot be handled -with an appropriate compatible release clause, including coping with -dependencies which do not have a robust backwards compatibility policy -and thus break the assumptions of a compatible release clause. +Example:: -The defined comparison operators are ``<``, ``>``, ``<=``, ``>=``, ``==``, -and ``!=``. + "keywords": ["comfy", "chair", "cushions", "too silly", "monty python"] -The ordered comparison operators ``<``, ``>``, ``<=``, ``>=`` are based -on the consistent ordering defined by the standard `Version scheme`_. -The ``==`` and ``!=`` operators are based on a kind of prefix comparison - -trailing ``0``s are implied when comparing numeric version parts of different -lengths. ``1.0 == 1 == 1.0.0``, and ``1.0a1 == ``1.0.0.0a1``. +License +------- + +A string indicating the license covering the distribution where the license +is not a simple selection from the "License" Trove classifiers. See +Classifiers" below. This field may also be used to specify a +particular version of a license which is named via the ``Classifier`` +field, or to indicate a variation or exception to such a license. + +Example:: + + "license": "GPL version 3, excluding DRM provisions" + + +License URL +----------- + +A specific URL referencing the full licence text for this version of the +distribution. + +Example:: + + "license_url": "https://github.com/pypa/pip/blob/1.3.1/LICENSE.txt" .. note:: - The use of ``==`` when defining dependencies for published - distributions is strongly discouraged as it greatly complicates the - deployment of security fixes. The strict version comparison operator - is intended primarily for use when defining dependencies for repeatable - *deployments of applications* while using a shared distribution index. + Like Version URL, this is handled separately from the project URLs + as it is important that it remain accurate for this *specific* + version of the distribution, even if the project later switches to a + different license. + + The project URLs field is intended for more stable references. -Handling of pre-releases ------------------------- +Classifiers +----------- -Pre-releases of any kind, including developmental releases, are implicitly -excluded from all version specifiers, *unless* a pre-release or developmental -release is explicitly mentioned in one of the clauses. For example, these -specifiers implicitly exclude all pre-releases and development -releases of later versions:: +A list of strings, with each giving a single classification value +for the distribution. Classifiers are described in PEP 301 [2]. - 2.2 - >= 1.0 +Example:: -While these specifiers would include at least some of them:: - - 2.2.dev0 - 2.2, != 2.3b2 - >= 1.0a1 - >= 1.0c1 - >= 1.0, != 1.0b2 - >= 1.0, < 2.0.dev123 - -Dependency resolution tools should use the above rules by default, but -should also allow users to request the following alternative behaviours: - -* accept already installed pre-releases for all version specifiers -* retrieve and install available pre-releases for all version specifiers - -Dependency resolution tools may also allow the above behaviour to be -controlled on a per-distribution basis. - -Post-releases and purely numeric releases receive no special treatment - -they are always included unless explicitly excluded. + "classifiers": [ + "Development Status :: 4 - Beta", + "Environment :: Console (Text Based)" + ] -Examples +Contact metadata +================ + +Contact metadata for a distribution is provided to allow users to get +access to more information about the distribution and its maintainers. + +These details are recorded as mappings with the following subfields: + +* ``name``: the name of an individual or group +* ``email``: an email address (this may be a mailing list) +* ``url``: a URL (such as a profile page on a source code hosting service) +* ``type``: one of ``"author"``, ``"maintainer"``, ``"organization"`` + or ``"individual"`` + +The ``name`` subfield is required, the other subfields are optional. + +If no specific contact type is stated, the default is ``individual``. + +The different contact types are as follows: + +* ``author``: the original creator of a distribution +* ``maintainer``: the current lead contributor for a distribution, when + they are not the original creator +* ``individual``: any other individuals involved in the creation of the + distribution +* ``organization``: indicates that these contact details are for an + organization (formal or informal) rather than for a specific individual + +.. note:: + + This is admittedly a little complicated, but it's designed to replace the + Author, Author-Email, Maintainer, Maintainer-Email fields from metadata + 1.2 in a way that allows those distinctions to be fully represented for + lossless translation, while allowing future distributions to pretty + much ignore everything other than the contact/contributor distinction + if they so choose. + +Contact metadata is optional. Automated tools MUST operate correctly if +a distribution does not provide them, including failing cleanly when an +operation depending on one of these fields is requested. + + +Contacts -------- -* ``Requires-Dist: zope.interface (3.1)``: version 3.1 or later, but not - version 4.0 or later. Excludes pre-releases and developmental releases. -* ``Requires-Dist: zope.interface (3.1.0)``: version 3.1.0 or later, but not - version 3.2.0 or later. Excludes pre-releases and developmental releases. -* ``Requires-Dist: zope.interface (==3.1)``: any version that starts - with 3.1, excluding pre-releases and developmental releases. -* ``Requires-Dist: zope.interface (3.1.0,!=3.1.3)``: version 3.1.0 or later, - but not version 3.1.3 and not version 3.2.0 or later. Excludes pre-releases - and developmental releases. For this particular project, this means: "any - version of the 3.1 series but not 3.1.3". This is equivalent to: - ``>=3.1, !=3.1.3, <3.2``. -* ``Requires-Python: 2.6``: Any version of Python 2.6 or 2.7. It - automatically excludes Python 3 or later. -* ``Requires-Python: 3.2, < 3.3``: Specifically requires Python 3.2, - excluding pre-releases. -* ``Requires-Python: 3.3a1``: Any version of Python 3.3+, including - pre-releases like 3.4a1. +A list of contact entries giving the recommended contact points for getting +more information about the project. + +The example below would be suitable for a project that was in the process +of handing over from the original author to a new lead maintainer, while +operating as part of a larger development group. + +Example:: + + "contacts": [ + { + "name": "Python Packaging Authority/Distutils-SIG", + "type": "organization", + "email": "distutils-sig@python.org", + "url": "https://bitbucket.org/pypa/" + }, + { + "name": "Samantha C.", + "type": "maintainer", + "email": "dontblameme@example.org" + }, + { + "name": "Charlotte C.", + "type": "author", + "email": "iambecomingasketchcomedian@example.com" + } + ] -Depending on distributions that use non-compliant version schemes ------------------------------------------------------------------ +Contributors +------------ -A distribution using this version of the metadata standard may need to depend -on another distribution using an earlier version of the metadata standard -and a non-compliant versioning scheme. +A list of contact entries for other contributors not already listed as +current project points of contact. The subfields within the list elements +are the same as those for the main contact field. -The normal ``Requires-Dist`` and ``Setup-Requires-Dist`` fields can be used -for such dependencies, so long as the dependency itself can be expressed -using a compliant version specifier. +Example:: -For more exotic dependencies, a metadata extension would be needed in order -to express the dependencies accurately while still obeying the restrictions -on standard version specifiers. The ``Requires-External`` field may also -be used, but would not be as amenable to automatic processing. + "contributors": [ + {"name": "John C."}, + {"name": "Erik I."}, + {"name": "Terry G."}, + {"name": "Mike P."}, + {"name": "Graeme C."}, + {"name": "Terry J."} + ] + + +Project URLs +------------ + +A mapping of arbitrary text labels to additional URLs relevant to the +project. + +While projects are free to choose their own labels and specific URLs, +it is RECOMMENDED that home page, source control, issue tracker and +documentation links be provided using the labels in the example below. + +URL labels MUST be treated as case insensitive by automated tools, but they +are not required to be valid Python identifiers. Any legal JSON string is +permitted as a URL label. + +Example:: + + "project_urls": { + "Documentation": "https://distlib.readthedocs.org" + "Home": "https://bitbucket.org/pypa/distlib" + "Source": "https://bitbucket.org/pypa/distlib/src" + "Tracker": "https://bitbucket.org/pypa/distlib/issues" + } + + +Dependency metadata +=================== + +Dependency metadata allows distributions to make use of functionality +provided by other distributions, without needing to bundle copies of those +distributions. + +Dependency management is heavily dependent on the version identification +and specification scheme defined in PEP 440. + +.. note:: + + This substantially changes the old two-phase setup vs runtime dependency + model in metadata 1.2 (which was in turn derived from the setuptools + dependency parameters). The translation is that ``dev_requires`` and + ``build_requires`` both map to ``Setup-Requires-Dist`` + in 1.2, while ``requires`` maps to ``Requires-Dist``. To go the other + way, ``Setup-Requires-Dist`` maps to ``build_requires`` and + ``Requires-Dist`` maps to ``requires``. + +All of these fields are optional. Automated tools MUST operate correctly if +a distribution does not provide them, by assuming that a missing field +indicates "Not applicable for this distribution". + + +Dependency specifications +------------------------- + +Individual dependencies are typically defined as strings containing a +distribution name (as found in the ``name`` field). The dependency name +may be followed by an extras specifier (enclosed in square +brackets) and by a version specification (within parentheses). + +See `Extras (optional dependencies)`_ for details on extras and PEP 440 +for details on version specifiers. + +The distribution names should correspond to names as found on the `Python +Package Index`_; while these names are often the same as the module names +as accessed with ``import x``, this is not always the case (especially +for distributions that provide multiple top level modules or packages). + +Example dependency specifications:: + + "Flask" + "Django" + "Pyramid" + "SciPy (0.12)" + "ComfyChair[warmup]" + "ComfyChair[warmup] (> 0.1)" + + +Conditional dependencies +------------------------ + +While many dependencies will be needed to use a distribution at all, others +are needed only on particular platforms or only when particular optional +features of the distribution are needed. To enable this, dependency fields +are marked as either unconditional (indicated by ``requires`` in the field +name) or conditional (indicated by ``may_require``) in the field name. + +Unconditional dependency fields are lists of dependency specifications, with +each entry indicated a required dependency. + +Conditional dependencies are lists of mappings with the following fields: + +* ``dependencies``: a list of relevant dependency specifications +* ``extra``: the name of a set of optional dependencies that are requested + and installed together. See `Extras (optional dependencies)`_ for details. +* ``environment``: an environment marker defining the environment that + needs these dependencies. See `Environment markers`_ for details. + +The ``dependencies`` field is required, as is at least one of ``extra`` and +``environment``. All three fields may be supplied, indicating that the +dependency is needed only when that particular set of additional +dependencies is requested in a particular environment. + +Note that the same extras and environment markers MAY appear in multiple +conditional dependencies. This may happen, for example, if an extra itself +only needs some of its dependencies in specific environments. + +.. note:: + + Technically, you could store the conditional and unconditional + dependencies in a single list and switch based on the entry type + (string or mapping), but the ``*requires`` vs ``*may-require`` two + list design seems easier to understand and work with. + + +Mapping dependencies to development and distribution activities +--------------------------------------------------------------- + +The different categories of dependency are based on the various distribution +and development activities identified above, and govern which dependencies +should be installed for the specified activities: + +* Deployment dependencies: + + * ``requires`` + * ``may_require`` + * Request the ``test`` extra to also install + + * ``test_requires`` + * ``test_may_require`` + +* Build dependencies: + + * ``build_requires`` + * ``build_may_require`` + +* Development dependencies: + + * ``requires`` + * ``may_require`` + * ``build_requires`` + * ``build_may_require`` + * ``test_requires`` + * ``test_may_require`` + * ``dev_requires`` + * ``dev_may_require`` + +To ease compatibility with existing two phase setup/deployment toolchains, +installation tools MAY treat ``dev_requires`` and ``dev_may_require`` as +additions to ``build_requires`` and ``build_may_require`` rather than +as separate fields. + +Installation tools SHOULD allow users to request at least the following +operations for a named distribution: + +* Install the distribution and any deployment dependencies. +* Install just the build dependencies without installing the distribution +* Install just the development dependencies without installing + the distribution + +The notation described in `Extras (optional dependencies)`_ SHOULD be used to +request additional optional dependencies when installing deployment +or build dependencies. + +Installation tools SHOULD report an error if dependencies cannot be found, +MUST at least emit a warning, and MAY allow the user to force the +installation to proceed regardless. + +.. note:: + + As an example of mapping this to Linux distro packages, assume an + example project without any extras defined is split into 2 RPMs + in a SPEC file: example and example-devel + + The ``requires`` and applicable ``may_require`` dependencies would be + mapped to the Requires dependencies for the "example" RPM (a mapping from + environment markers to SPEC file conditions would also allow those to + be handled correctly) + + The ``build_requires`` and ``build_may_require`` dependencies would be + mapped to the BuildRequires dependencies for the "example" RPM. + + All defined dependencies relevant to Linux, including those in + ``dev_requires`` and ``test_requires``, would become Requires + dependencies for the "example-devel" RPM. + + If a project defines any extras, those would be mapped to additional + virtual RPMs with appropriate BuildRequires and Requires entries based + on the details of the dependency specifications. + + A documentation toolchain dependency like Sphinx would either go in + ``build_requires`` (for example, if man pages were included in the + built distribution) or in ``dev_requires`` (for example, if the + documentation is published solely through ReadTheDocs or the + project website). This would be enough to allow an automated converter + to map it to an appropriate dependency in the spec file. + + +Requires +-------- + +A list of other distributions needed when this distribution is deployed. + +Example:: + + "requires": ["SciPy", "PasteDeploy", "zope.interface (>3.5.0)"] + + +Extras +------ + +A list of optional sets of dependencies that may be used to define +conditional dependencies in ``"may_require"`` and similar fields. See +`Extras (optional dependencies)`_ for details. + +The extra name``"test"`` is reserved for requesting the dependencies +specified in ``test_requires`` and ``test_may_require`` and is NOT +permitted in this field. + +Example:: + + "extras": ["warmup"] + + +May require +----------- + +A list of other distributions that may be needed when this distribution +is deployed, based on the extras requested and the target deployment +environment. + +Any extras referenced from this field MUST be named in the `Extras`_ field. + +Example:: + + "may_require": [ + { + "dependencies": ["pywin32 (>1.0)"], + "environment": "sys.platform == 'win32'" + }, + { + "dependencies": ["SoftCushions"], + "extra": "warmup" + } + ] + +Test requires +------------- + +A list of other distributions needed in order to run the automated tests +for this distribution, either during development or when running the +``test_installed_dist`` metabuild when deployed. + +Example:: + + "test_requires": ["unittest2"] + + +Test may require +---------------- + +A list of other distributions that may be needed in order to run the +automated tests for this distribution, either during development or when +running the ``test_installed_dist`` metabuild when deployed, based on the +extras requested and the target deployment environment. + +Any extras referenced from this field MUST be named in the `Extras`_ field. + +Example:: + + "test_may_require": [ + { + "dependencies": ["pywin32 (>1.0)"], + "environment": "sys.platform == 'win32'" + }, + { + "dependencies": ["CompressPadding"], + "extra": "warmup" + } + ] + + +Build requires +-------------- + +A list of other distributions needed when this distribution is being built +(creating a binary archive from a source archive). + +Note that while these are build dependencies for the distribution being +built, the installation is a *deployment* scenario for the dependencies. + +Example:: + + "build_requires": ["setuptools (>= 0.7)"] + + +Build may require +----------------- + +A list of other distributions that may be needed when this distribution +is built (creating a binary archive from a source archive), based on the +features requested and the build environment. + +Note that while these are build dependencies for the distribution being +built, the installation is a *deployment* scenario for the dependencies. + +Any extras referenced from this field MUST be named in the `Extras`_ field. + +Automated tools MAY assume that all extras are implicitly requested when +installing build dependencies. + +Example:: + + "build_may_require": [ + { + "dependencies": ["pywin32 (>1.0)"], + "environment": "sys.platform == 'win32'" + }, + { + "dependencies": ["cython"], + "extra": "c-accelerators" + } + ] + + +Dev requires +------------ + +A list of any additional distributions needed during development of this +distribution that aren't already covered by the deployment and build +dependencies. + +Additional dependencies that may be listed in this field include: + +* tools needed to create a source archive +* tools needed to generate project documentation that is published online + rather than distributed along with the rest of the software +* additional test dependencies for tests which are not executed when the + test is invoked through the ``test_installed_dist`` metabuild hook (for + example, tests that require a local database server and web server and + may not work when fully installed on a production system) + +Example:: + + "dev_requires": ["hgtools", "sphinx (>= 1.0)"] + + +Dev may require +--------------- + +A list of other distributions that may be needed during development of +this distribution, based on the features requested and the build environment. + +This should only be needed if the project's own utility scripts have +platform specific dependencies that aren't already defined as deployment +or build dependencies. + +Any extras referenced from this field MUST be named in the `Extras`_ field. + +Automated tools MAY assume that all extras are implicitly requested when +installing development dependencies. + +Example:: + + "dev_may_require": [ + { + "dependencies": ["pywin32 (>1.0)"], + "environment": "sys.platform == 'win32'" + } + ] + + +Provides +-------- + +A list of strings naming additional dependency requirements that are +satisfied by installing this distribution. These strings must be of the +form ``Name`` or ``Name (Version)``, as for the ``requires`` field. + +While dependencies are usually resolved based on distribution names and +versions, a distribution may provide additional names explicitly in the +``provides`` field. + +For example, this may be used to indicate that multiple projects have +been merged into and replaced by a single distribution or to indicate +that this project is a substitute for another. + +For instance, with distribute merged back into setuptools, the merged +project is able to include a ``"provides": ["distribute"]`` entry to +satisfy any projects that require the now obsolete distribution's name. + +A distribution may also provide a "virtual" project name, which does +not correspond to any separately distributed project: such a name +might be used to indicate an abstract capability which could be supplied +by one of multiple projects. For example, multiple projects might supply +PostgreSQL bindings for use with SQL Alchemy: each project might declare +that it provides ``sqlalchemy-postgresql-bindings``, allowing other +projects to depend only on having at least one of them installed. + +A version declaration may be supplied and must follow the rules described +in PEP 440. The distribution's version identifier will be implied +if none is specified. + +Example:: + + "provides": ["AnotherProject (3.4)", "virtual_package"] + + +Obsoleted by +------------ + +A string that indicates that this project is no longer being developed. The +named project provides a substitute or replacement. + +A version declaration may be supplied and must follow the rules described +in PEP 440. + +Possible uses for this field include handling project name changes and +project mergers. + +For instance, with distribute merging back into setuptools, a new version +of distribute may be released that depends on the new version of setuptools, +and also explicitly indicates that distribute itself is now obsolete. + +Note that without a corresponding ``provides``, there is no expectation +that the replacement project will be a "drop-in" replacement for the +obsolete project - at the very least, upgrading to the new distribution +is likely to require changes to import statements. + +Examples:: + + "name": "BadName", + "obsoleted_by": "AcceptableName" + + "name": "distribute", + "obsoleted_by": "setuptools (>= 0.7)" + + +Supports Environments +--------------------- + +A list of strings specifying the environments that the distribution +explicitly supports. An environment is considered supported if it +matches at least one of the environment markers given. + +If this field is not given in the metadata, it is assumed that the +distribution supports any platform supported by Python. + +Individual entries are environment markers, as described in +`Environment markers`_. + +Installation tools SHOULD report an error if supported platforms are +specified by the distribution and the current platform fails to match +any of them, MUST at least emit a warning, and MAY allow the user to +force the installation to proceed regardless. + +Examples:: + + "supports_environments": ["sys_platform == 'win32'"] + "supports_environments": ["sys_platform != 'win32'"] + "supports_environments": ["'linux' in sys_platform", + "'bsd' in sys_platform"] + + +.. note:: + + This field replaces the old Platform, Requires-Platform and + Requires-Python fields and has been redesigned with environment + marker based semantics that should make it possible to reliably flag, + for example, Unix specific or Windows specific distributions, as well + as Python 2 only and Python 3 only distributions. + + +Metabuild system +================ + +The ``metabuild_hooks`` field is used to define various operations that +may be invoked on a distribution in a platform independent manner. + +The metabuild system currently defines three operations as part of the +deployment of a distribution: + +* Installing to a deployment system +* Uninstalling from a deployment system +* Running the distribution's test suite on a deployment system (hence the + ``test`` runtime extra) + +Distributions may define handles for each of these operations as an +"entry point", a reference to a Python callable, with the module name +separated from the reference within the module by a colon (``:``). + +Example metabuild hooks:: + + "metabuild_hooks": { + "postinstall": "myproject.build_hooks:postinstall", + "preuininstall": "myproject.build_hooks:preuninstall", + "test_installed_dist": "some_test_harness.metabuild_hook" + } + +Build and installation tools MAY offer additional operations beyond the +core metabuild operations. These operations SHOULD be composed from the +defined metabuild operations where appropriate. + +Build and installation tools SHOULD support the legacy ``setup.py`` based +commands for metabuild operations not yet defined as metabuild hooks. + +The metabuild hooks are gathered together into a single top level +``metabuild_hooks`` field. The individual hooks are: + +* ``postinstall``: run after the distribution has been installed to a + target deployment system (or after it has been upgraded). If the hook is + not defined, it indicates no distribution specific actions are needed + following installation. +* ``preuninstall``: run before the distribution has been uninstalled from a + deployment system (or before it is upgraded). If the hook is not defined, + it indicates no distribution specific actions are needed prior to + uninstallation. +* ``test_installed_dist``: test an installed distribution is working. If the + hook is not defined, it indicates the distribution does not support + execution of the test suite after deployment. + +The expected signatures of these hooks are as follows:: + + def postinstall(current_meta, previous_meta=None): + """Run following installation or upgrade of the distribution + + *current_meta* is the distribution metadata for the version now + installed on the current system + *previous_meta* is either missing or ``None`` (indicating a fresh + install) or else the distribution metadata for the version that + was previously installed (indicating an upgrade or downgrade). + """ + + def preuninstall(current_meta, next_meta=None): + """Run prior to uninstallation or upgrade of the distribution + + *current_meta* is the distribution metadata for the version now + installed on the current system + *next_meta* is either missing or ``None`` (indicating complete + uninstallation) or else the distribution metadata for the version + that is about to be installed (indicating an upgrade or downgrade). + """ + + def test_installed_dist(current_meta): + """Check an installed distribution is working correctly + + Note that this check should always be non-destructive as it may be + invoked automatically by some tools. + + Requires that the distribution's test dependencies be installed + (indicated by the ``test`` runtime extra). + + Returns ``True`` if the check passes, ``False`` otherwise. + """ + +Metabuild hooks MUST be called with at least abbreviated metadata, and MAY +be called with full metadata. + +Where necessary, metabuild hooks check for the presence or absence of +optional dependencies defined as extras using the same techniques used +during normal operation of the distribution (for example, checking for +import failures for optional dependencies). + + +Metadata Extensions +=================== + +Extensions to the metadata may be present in a mapping under the +'extensions' key. The keys must meet the same restrictions as +distribution names, while the values may be any type natively supported +in JSON:: + + "extensions" : { + "chili" : { "type" : "Poblano", "heat" : "Mild" }, + "languages" : [ "French", "Italian", "Hebrew" ] + } + +To avoid name conflicts, it is recommended that distribution names be used +to identify metadata extensions. This practice will also make it easier to +find authoritative documentation for metadata extensions. + + +Extras (optional dependencies) +============================== + +Extras are additional dependencies that enable an optional aspect +of the distribution, generally corresponding to a ``try: import +optional_dependency ...`` block in the code. To support the use of the +distribution with or without the optional dependencies they are listed +separately from the distribution's core dependencies and must be requested +explicitly, either in the dependency specifications of another distribution, +or else when issuing a command to an installation tool. + +The names of extras MUST abide by the same restrictions as those for +distribution names. + +Example of a distribution with optional dependencies:: + + "name": "ComfyChair", + "extras": ["warmup", "c-accelerators"] + "may_require": [ + { + "dependencies": ["SoftCushions"], + "extra": "warmup" + } + ] + "build_may_require": [ + { + "dependencies": ["cython"], + "extra": "c-accelerators" + } + ] + +Other distributions require the additional dependencies by placing the +relevant extra names inside square brackets after the distribution name when +specifying the dependency. + +Extra specifications MUST support the following additional syntax: + +* Multiple features can be requested by separating them with a comma within + the brackets. +* All explicitly defined extras may be requested with the ``*`` wildcard + character. Note that this does NOT request the implicitly defined + ``test`` extra - that must always be requested explicitly when it is + desired. +* Extras may be explicitly excluded by prefixing their name with a hyphen. + +Command line based installation tools SHOULD support this same syntax to +allow extras to be requested explicitly. + +The full set of dependency requirements is then based on the top level +dependencies, along with those of any requested extras. + +Example:: + + "requires": ["ComfyChair[warmup]"] + -> requires ``ComfyChair`` and ``SoftCushions`` at run time + + "requires": ["ComfyChair[*]"] + -> requires ``ComfyChair`` and ``SoftCushions`` at run time, but + will also pick up any new optional dependencies other than those + needed solely to run the tests Environment markers =================== -An **environment marker** is a marker that can be added at the end of a -field after a semi-colon (";"), to add a condition about the execution -environment. +An **environment marker** describes a condition about the current execution +environment. They are used to indicate when certain dependencies are only +required in particular environments, and to indicate supported platforms +for distributions with additional constraints beyond the availability of a +Python runtime. -Here are some example of fields using such markers:: +Here are some examples of such markers:: - Requires-Dist: pywin32 (>1.0); sys.platform == 'win32' - Requires-Dist: foo (1,!=1.3); platform.machine == 'i386' - Requires-Dist: bar; python_version == '2.4' or python_version == '2.5' - Requires-External: libxslt; 'linux' in sys.platform + "sys_platform == 'win32'" + "platform_machine == 'i386'" + "python_version == '2.4' or python_version == '2.5'" + "'linux' in sys_platform" + +And here's an example of some conditional metadata for a distribution that +requires PyWin32 both at runtime and buildtime when using Windows:: + + "name": "ComfyChair", + "may_require": [ + { + "dependencies": ["pywin32 (>1.0)"], + "environment": "sys.platform == 'win32'" + } + ] + "build_may_require": [ + { + "dependencies": ["pywin32 (>1.0)"], + "environment": "sys.platform == 'win32'" + } + ] The micro-language behind this is a simple subset of Python: it compares only strings, with the ``==`` and ``in`` operators (and their opposites), @@ -1180,73 +1486,35 @@ The pseudo-grammar is :: MARKER: EXPR [(and|or) EXPR]* EXPR: ("(" MARKER ")") | (SUBEXPR [(in|==|!=|not in) SUBEXPR]) -where ``SUBEXPR`` belongs to any of the following (the details after the -colon in each entry define the value represented by that subexpression): +where ``SUBEXPR`` is either a Python string (such as ``'2.4'``, or +``'win32'``) or one of the following marker variables: -* ``python_version``: '%s.%s' % (sys.version_info[0], sys.version_info[1]) -* ``python_full_version``: sys.version.split()[0] -* ``os.name````: os.name -* ``sys.platform````: sys.platform -* ``platform.version``: platform.version() -* ``platform.machine``: platform.machine() -* ``platform.python_implementation``: = platform.python_implementation() -* ``extra``: (name of requested feature) or None -* ``'text'``: a free string, like ``'2.4'``, or ``'win32'`` +* ``python_version``: ``'{0.major}.{0.minor}'.format(sys.version_info)`` +* ``python_full_version``: see definition below +* ``os_name````: ``os.name`` +* ``sys_platform````: ``sys.platform`` +* ``platform_version``: ``platform.version()`` +* ``platform_machine``: ``platform.machine()`` +* ``platform_python_implementation``: ``platform.python_implementation()`` -Notice that ``in`` and ``not in`` are restricted to strings, meaning that it -is not possible to use other sequences like tuples or lists on the right -side. +Note that all subexpressions are restricted to strings or one of the +marker variable names, meaning that it is not possible to use other +sequences like tuples or lists on the right side of the ``in`` and +``not in`` operators. -The fields that benefit from this marker are: +Unlike Python, chaining of comparison operations is NOT permitted in +environment markers. -* ``Requires-Python`` -* ``Requires-External`` -* ``Requires-Dist`` -* ``Provides-Dist`` -* ``Classifier`` +The ``python_full_version`` marker variable is derived from +``sys.version_info()`` in accordance with the following algorithm:: - -Optional features -================= - -Distributions may use the ``Provides-Extra`` field to declare additional -features provided through "extra" dependencies, usually corresponding to a -``try: import x ...`` block. Environment markers may be used to indicate -that particular dependencies are needed only when a particular optional -feature has been requested. - -Other distributions require the feature by placing it inside -square brackets after the distribution name when declaring the -dependency. Multiple features can be requisted by separating them with -a comma within the brackets. - -The full set of dependency requirements is then the union of the sets -created by first evaluating the `Requires-Dist` fields with `extra` -set to `None` and then to the name of each requested feature. - -Example:: - - Requires-Dist: beaglevote[pdf] - -> requires beaglevote, reportlab at run time - - Setup-Requires-Dist: beaglevote[test, doc] - -> requires beaglevote, sphinx, nose at setup time - -It is an error to request a feature name that has not been declared with -`Provides-Extra` but it is legal to specify `Provides-Extra` without -referencing it in any `Requires-Dist`. - -In the example, if ``beaglevote`` grew the ability to generate PDF -without extra dependencies, it should continue to ``Provides-Extra: -pdf`` for the benefit of dependent distributions. - -The following feature names are implicitly defined for all distributions: - -- `test`: dependencies that are needed in order to run automated tests -- `doc`: dependencies that are needed in order to generate documentation - -Listing these implicit features explicitly in a ``Provides-Extra`` field is -permitted, but not required. + def format_full_version(): + info = sys.version_info + version = '{0.major}.{0.minor}.{0.micro}'.format(info) + kind = info.releaselevel + if kind != 'final': + version += kind[0] + str(info.serial) + return version Updating the metadata specification @@ -1266,67 +1534,52 @@ Summary of differences from \PEP 345 * Metadata-Version is now 2.0, with semantics specified for handling version changes -* Most fields are now optional +* The increasingly complex ad hoc "Key: Value" format has been replaced by + a more structured JSON compatible format that is easily represented as + Python dictionaries, strings, lists. + +* Most fields are now optional and filling in dummy data for omitted fields + is explicitly disallowed * Explicit permission for in-place clarifications without releasing a new version of the specification -* General reformatting of the PEP to make it easier to read +* The PEP now attempts to provide more of an explanation of *why* the fields + exist and how they are intended to be used, rather than being a simple + description of the permitted contents -* Values are now expected to be UTF-8 +* Changed the version scheme to be based on PEP 440 rather than PEP 386 -* Changed the version scheme +* Added the build label mechanism as described in PEP 440 - * added the new ``Private-Version`` field - * changed the top level sort position of the ``.devN`` suffix - * allowed single value version numbers - * explicit exclusion of leading or trailing whitespace - * explicit criterion for the exclusion of date based versions - * incorporated the version scheme directly into the PEP +* Support for different development, build, test and deployment dependencies -* Changed interpretation of version specifiers +* The "Extras" optional dependency mechanism - * implicitly exclude pre-releases unless explicitly requested - * treat post releases the same way as unqualified releases +* A well-defined metadata extension mechanism -* Discuss ordering and dependencies across metadata versions +* Metabuild hook system -* Clarify use of parentheses for grouping in environment marker - pseudo-grammar +* Clarify and simplify various aspects of environment markers: -* Support for packaging, build and installation dependencies + * allow use of parentheses for grouping in the pseudo-grammar + * consistently use underscores instead of periods in the variable names + * clarify that chained comparisons are not permitted - * the new ``Setup-Requires-Dist`` field +* More flexible system for defining contact points and contributors -* Optional feature mechanism +* Defined a recommended set of project URLs - * the new ``Provides-Extra`` field - * ``extra`` expression defined for environment markers - * optional feature support in ``Requires-Dist`` - -* Metadata extension mechanism - - * the new ``Extension`` field and extension specific fields +* New system for defining supported environments * Updated obsolescence mechanism - * the new ``Obsoleted-By`` field - * the ``Obsoletes-Dist`` field has been removed +* Added "License URL" field -* Simpler description format +* Explicit declaration of description markup format - * the ``Description`` field is now deprecated - * A payload (containing the description) may appear after the headers. - -* Other changed fields: - - - ``Requires-Python`` (explicitly flagged as multiple use) - - ``Project-URL`` (commas permitted in labels) - -* Clarified fields: - - - ``Provides-Dist`` - - ``Keywords`` +* With all due respect to Charles Schulz and Peanuts, many of the examples + have been updated to be more `thematically appropriate`_ for Python ;) The rationale for major changes is given in the following sections. @@ -1342,8 +1595,8 @@ versions with the same major version, while major version increments may include changes that are not compatible with existing tools. The major version number of the specification has been incremented -accordingly, as interpreting PEP 426 metadata in accordance with earlier -metadata specifications is unlikely to give the expected behaviour. +accordingly, as interpreting PEP 426 metadata obviously cannot be +interpreted in accordance with earlier metadata specifications. Whenever the major version number of the specification is incremented, it is expected that deployment will take some time, as either metadata @@ -1355,219 +1608,158 @@ provision of multiple versions of the metadata in parallel. Existing tools won't abide by this guideline until they're updated to support the new metadata standard, so the new semantics will first take effect for a hypothetical 2.x -> 3.0 transition. For the 1.x -> 2.0 -transition, it is recommended that tools continue to produce the +transition, we will use the approach where tools continue to produce the existing supplementary files (such as ``entry_points.txt``) in addition to any equivalents specified using the new features of the standard metadata format (including the formal extension mechanism). -Standard encoding and other format clarifications -------------------------------------------------- +Switching to a JSON compatible format +------------------------------------- -Several aspects of the file format, including the expected file encoding, -were underspecified in previous versions of the metadata standard. To -make it easier to develop interoperable tools, these details are now -explicitly specified. +The old "Key:Value" format was becoming increasingly limiting, with various +complexities like parsers needing to know which fields were permitted to +occur more than once, which fields supported the environment marker +syntax (with an optional ``";"`` to separate the value from the marker) and +eventually even the option to embed arbitrary JSON inside particular +subfields. + +The old serialisation format also wasn't amenable to easy conversion to +standard Python data structures for use in the new metabuild hook APIs, or +in future extensions to the importer APIs to allow them to provide +information for inclusion in the installation database. + +Accordingly, we've taken the step of switching to a JSON-compatible metadata +format. This works better for APIs and is much easier for tools to parse and +generate correctly. Changing the name of the metadata file also makes it +easy to distribute 1.x and 2.x metadata in parallel, greatly simplifying +several aspects of the migration to the new metadata format. Changing the version scheme --------------------------- -The new ``Private-Version`` field is intended to make it clearer that the -constraints on public version identifiers are there primarily to aid in -the creation of reliable automated dependency analysis tools. Projects -are free to use whatever versioning scheme they like internally, so long -as they are able to translate it to something the dependency analysis tools -will understand. - -The key change in the version scheme in this PEP relative to that in -PEP 386 is to sort top level developmental releases like ``X.Y.devN`` ahead -of alpha releases like ``X.Ya1``. This is a far more logical sort order, as -projects already using both development releases and alphas/betas/release -candidates do not want their developmental releases sorted in -between their release candidates and their full releases. There is no -rationale for using ``dev`` releases in that position rather than -merely creating additional release candidates. - -The updated sort order also means the sorting of ``dev`` versions is now -consistent between the metadata standard and the pre-existing behaviour -of ``pkg_resources`` (and hence the behaviour of current installation -tools). - -Making this change should make it easier for affected existing projects to -migrate to the latest version of the metadata standard. - -Another change to the version scheme is to allow single number -versions, similar to those used by non-Python projects like Mozilla -Firefox, Google Chrome and the Fedora Linux distribution. This is actually -expected to be more useful for version specifiers (allowing things like -the simple ``Requires-Python: 3`` rather than the more convoluted -``Requires-Python: >= 3.0, < 4``), but it is easier to allow it for both -version specifiers and release numbers, rather than splitting the -two definitions. - -The exclusion of leading and trailing whitespace was made explicit after -a couple of projects with version identifiers differing only in a -trailing ``\n`` character were found on PyPI. - -The exclusion of major release numbers that looks like dates was implied -by the overall text of PEP 386, but not clear in the definition of the -version scheme. This exclusion has been made clear in the definition of -the release component. - -Finally, as the version scheme in use is dependent on the metadata -version, it was deemed simpler to merge the scheme definition directly into -this PEP rather than continuing to maintain it as a separate PEP. - -`Appendix B` shows detailed results of an analysis of PyPI distribution -version information, as collected on 19th February, 2013. This analysis -compares the behaviour of the explicitly ordered version schemes defined in -this PEP and PEP 386 with the de facto standard defined by the behaviour -of setuptools. These metrics are useful, as the intent of both PEPs is to -follow existing setuptools behaviour as closely as is feasible, while -still throwing exceptions for unorderable versions (rather than trying -to guess an appropriate order as setuptools does). - -Overall, the percentage of compatible distributions improves from 97.7% -with PEP 386 to 98.7% with this PEP. While the number of projects affected -in practice was small, some of the affected projects are in widespread use -(such as Pinax and selenium). The surprising ordering discrepancy also -concerned developers and acted as an unnecessary barrier to adoption of -the new metadata standard. - -The data also shows that the pre-release sorting discrepancies are seen -only when analysing *all* versions from PyPI, rather than when analysing -public versions. This is largely due to the fact that PyPI normally reports -only the most recent version for each project (unless maintainers -explicitly configure their project to display additional versions). However, -installers that need to satisfy detailed version constraints often need -to look at all available versions, as they may need to retrieve an older -release. - -Even this PEP doesn't completely eliminate the sorting differences relative -to setuptools: - -* Sorts differently (after translations): 38 / 28194 (0.13 %) -* Sorts differently (no translations): 2 / 28194 (0.01 %) - -The two remaining sort order discrepancies picked up by the analysis are due -to a pair of projects which have PyPI releases ending with a carriage -return, alongside releases with the same version number, only *without* the -trailing carriage return. - -The sorting discrepancies after translation relate mainly to differences -in the handling of pre-releases where the standard mechanism is considered -to be an improvement. For example, the existing pkg_resources scheme will -sort "1.1beta1" *after* "1.1b2", whereas the suggested standard translation -for "1.1beta1" is "1.1b1", which sorts *before* "1.1b2". Similarly, the -pkg_resources scheme will sort "-dev-N" pre-releases differently from -"devN" pre-releases when they occur within the same release, while the -standard scheme will normalize both representations to ".devN" and sort -them by the numeric component. +See PEP 440 for a detailed rationale for the various changes made to the +versioning scheme. -A more opinionated description of the versioning scheme -------------------------------------------------------- +Build labels +------------ -As in PEP 386, the primary focus is on codifying existing practices to make -them more amenable to automation, rather than demanding that existing -projects make non-trivial changes to their workflow. However, the -standard scheme allows significantly more flexibility than is needed -for the vast majority of simple Python packages (which often don't even -need maintenance releases - many users are happy with needing to upgrade to a -new feature release to get bug fixes). - -For the benefit of novice developers, and for experienced developers -wishing to better understand the various use cases, the specification -now goes into much greater detail on the components of the defined -version scheme, including examples of how each component may be used -in practice. - -The PEP also explicitly guides developers in the direction of -semantic versioning (without requiring it), and discourages the use of -several aspects of the full versioning scheme that have largely been -included in order to cover esoteric corner cases in the practices of -existing projects and in repackaging software for Linux distributions. +See PEP 440 for the rationale behind the addition of this field. -Changing the interpretation of version specifiers -------------------------------------------------- - -The previous interpretation of version specifiers made it very easy to -accidentally download a pre-release version of a dependency. This in -turn made it difficult for developers to publish pre-release versions -of software to the Python Package Index, as even marking the package as -hidden wasn't enough to keep automated tools from downloading it, and also -made it harder for users to obtain the test release manually through the -main PyPI web interface. - -The previous interpretation also excluded post-releases from some version -specifiers for no adequately justified reason. - -The updated interpretation is intended to make it difficult to accidentally -accept a pre-release version as satisfying a dependency, while allowing -pre-release versions to be explicitly requested when needed. - -The "some forward compatibility assumed" default version constraint is -taken directly from the Ruby community's "pessimistic version constraint" -operator [4]_ to allow projects to take a cautious approach to forward -compatibility promises, while still easily setting a minimum required -version for their dependencies. It is made the default behaviour rather -than needing a separate operator in order to explicitly discourage -overspecification of dependencies by library developers. The explicit -comparison operators remain available to cope with dependencies with -unreliable or non-existent backwards compatibility policies. - - -Packaging, build and installation dependencies +Development, build and deployment dependencies ---------------------------------------------- -The new ``Setup-Requires-Dist`` field allows a distribution to indicate when -a dependency is needed to package, build or install the distribution, rather -than being needed to run the software after installation. +The separation of the ``requires``, ``build_requires`` and ``dev_requires`` +fields allow a distribution to indicate whether a dependency is needed +specifically to develop, build or deploy the distribution. -This should allow distribution tools to effectively support a wider range of -distribution requirements. +As distribution metadata improves, this should allow much greater control +over where particular dependencies end up being installed . -Support for optional features of distributions ----------------------------------------------- +Support for optional dependencies for distributions +--------------------------------------------------- -The new ``Provides-Extra`` field allows distributions to declare optional -features, and to use environment markers to reduce their dependencies -when those features are not requested. Environment markers may also be -used to require a later version of Python when particular features are -requested. +The new extras system allows distributions to declare optional +features, and to use the ``may_require`` and ``build_may_require`` fields +to indicate when particular dependencies are needed only to support those +features. It is derived from the equivalent system that is already in +widespread use as part of ``setuptools`` and allows that aspect of the +legacy ``setuptools`` metadata to be accurately represented in the new +metadata format. -The ``Requires-Dist`` and ``Setup-Requires-Dist`` fields then allow -distributions to require optional features of other distributions. - -The ``test`` and ``doc`` features are implicitly defined for all -distributions, as one key motivation for this feature is to encourage -distributions to explicitly declare the dependencies needed to run -their automatic tests, or build their documentation, without demanding those -dependencies be present in order to merely install or use the software. +The ``test`` extra is implicitly defined for all distributions, as it +ties in with the new metabuild hook offering a standard way to request +execution of a distribution's test suite. Identifying test suite +dependencies is already one of the most popular uses of the extras system +in ``setuptools``. Support for metadata extensions ------------------------------- -The new ``Extension`` field effectively allows sections of the metadata +The new extension effectively allows sections of the metadata namespace to be delegated to other distributions, while preserving a standard overal format metadata format for easy of processing by distribution tools that do not support a particular extension. -It also works well in combination with the new ``Setup-Requires-Dist`` field +It also works well in combination with the new ``build_requires`` field to allow a distribution to depend on tools which *do* know how to handle -the chosen extension, and the new optional features mechanism, allowing -support for particular extensions to be provided as optional features. +the chosen extension, and the new extras mechanism, allowing support for +particular extensions to be provided as optional features. + + +Support for metabuild hooks +--------------------------- + +The new metabuild system is designed to allow the wheel format to fully +replace direct installation on deployment targets, by allows projects like +Twisted to still execute code following installation from a wheel file. + +Falling back to invoking ``setup.py`` directly rather than using a +metabuild hook will remain an option when relying on version 1.x metadata, +and is also used as the interim solution for installation from source +archives. + +The ``test_installed_dist`` metabuild hook is included as a complement to +the ability to explicitly specify test dependencies. + + +Changes to environment markers +------------------------------ + +The changes to environment markers were just clarifications and +simplifications to make them easier to use. + +The arbitrariness of the choice of ``.`` and ``_`` in the different +variables was addressed by standardising on ``_`` (as these are predefined +variables rather than live references into the Python module namespace) + +The use of parentheses for grouping and the disallowance of chained +comparisons were added to address some underspecified behaviour in the +previous version of the specification. + + +Updated contact information +--------------------------- + +The switch to JSON made it possible to provide a more flexible +system for defining multiple contact points for a project, as well as +listing other contributors. + +The ``type`` concept allows for preservation of the distinction between +the original author of a project, and a lead maintainer that takes over +at a later date. + + +Changes to project URLs +----------------------- + +In addition to allow arbitrary strings as project URL labels, the new +metadata standard also defines a recommend set of four URL labels for +a distribution's home page, documentation, source control and issue tracker. + + +Changes to platform support +--------------------------- + +The new environment marker system makes it possible to define supported +platforms in a way that is actually amenable to automated processing. This +has been used to replace several older fields with poorly defined semantics. + +For the moment, the old ``Requires-External`` field has been removed +entirely. Possible replacements may be explored through the metadata +extension mechanism. Updated obsolescence mechanism ------------------------------ The marker to indicate when a project is obsolete and should be replaced -has been moved to the obsolete project (the new ``Obsoleted-By`` field), +has been moved to the obsolete project (the new ``obsoleted_by`` field), replacing the previous marker on the replacement project (the removed ``Obsoletes-Dist`` field). @@ -1578,19 +1770,228 @@ The ``Obsoletes-Dist`` header is removed rather than deprecated as it is not widely supported, and so removing it does not present any significant barrier to tools and projects adopting the new metadata format. +Explicit markup for description +------------------------------- -Simpler description format +Currently, PyPI attempts to detect the markup format by rendering it as +reStructuredText, and if that fails, treating it as plain text. Allowing +the intended format to be stated explicitly will allow this guessing to be +removed, and more informative error reports to be provided to users when +a rendering error occurs. + +This is especially necessary since PyPI applies additional restrictions to +the rendering process for security reasons, thus a description that renders +correctly on a developer's system may still fail to render on the server. + + +Deferred features +================= + +Several potentially useful features have been deliberately deferred in +order to better prioritise our efforts in migrating to the new metadata +standard. These all reflect information that may be nice to have in the +new metadata, but which can be readily added in metadata 2.1 without +breaking any use cases already supported by metadata 2.0. + +Once the ``pypi``, ``setuptools``, ``pip`` and ``distlib`` projects +support creation and consumption of metadata 2.0, then we may revisit +the creation of metadata 2.1 with these additional features. + +.. note:: + + Given the nature of this PEP as an interoperability specification, + this section will probably be removed before the PEP is accepted. + However, it's useful to have it here while discussion is ongoing. + + +String methods in environment markers +------------------------------------- + +Supporting at least ".startswith" and ".endswith" string methods in +environment markers would allow some conditions to be written more +naturally. For example, ``"sys.platform.startswith('win')"`` is a +somewhat more intuitive way to mark Windows specific dependencies, +since ``"'win' in sys.platform"`` is incorrect thanks to ``cygwin`` +and the fact that 64-bit Windows still shows up as ``win32`` is more +than a little strange. + + +Module listing +-------------- + +A top level ``"module"`` key, referencing a list of strings, with each +giving the fully qualified name of a public package or module provided +by the distribution. + +A flat list would be used in order to correctly accommodate namespace +packages (where a distribution may provide subpackages or submodules without +explicitly providing the parent namespace package). + +Example:: + + "modules": [ + "comfy.chair" + ] + +Explicitly providing a list of public module names will likely help +with enabling features in RPM like "Requires: python(requests)", as well +as providing richer static metadata for analysis from PyPI. + +However, this is just extra info that doesn't impact installing from wheels, +so it is a good candidate for postponing to metadata 2.1. + + +Additional metabuild hooks -------------------------- -Distribution descriptions are often quite long, sometimes including a -short guide to using the module. Moving them into the file payload allows -them to be formatted neatly as reStructuredText without needing to -carefully avoid the introduction of a blank line that would terminate -the header section. +The following draft metabuild operations have been deferred for now: -The ``Description`` header is deprecated rather than removed to support -easier conversion of existing tools and projects to the new metadata -format. +* Generating the metadata file on a development system +* Generating a source archive on a development system +* Generating a binary archive on a build system + +Metadata 2.0 deliberately focuses on wheel based installation, leaving +tarball and sdist based installation to use the existing ``setup.py`` +based ``distutils`` command interface. + +In the meantime, the above four operations will continue to be handled +through the ``distutils``/``setuptools`` command system: + +* ``python setup.py dist_info`` +* ``python setup.py sdist`` +* ``python setup.py bdist_wheel`` + +The following additional metabuild hooks may be added in metadata 2.1 to +cover these operations without relying on ``setup.py``: + +* ``make_dist_info``: generate the source archive's dist_info directory +* ``make_sdist``: construct a source archive +* ``build_wheel``: construct a binary wheel archive from an sdist source + archive + +Tentative signatures have been designed for those hooks, but they will +not be pursued further until 2.1 (note that the current signatures for +the hooks do *not* adequately handle the "extras" concept):: + + def make_dist_info(source_dir, info_dir): + """Generate the contents of dist_info for an sdist archive + + *source_dir* points to a source checkout or unpacked tarball + *info_dir* is the destination where the sdist metadata files should + be written + + Returns the distribution metadata as a dictionary. + """ + + def make_sdist(source_dir, contents_dir, info_dir): + """Generate the contents of an sdist archive + + *source_dir* points to a source checkout or unpacked tarball + *contents_dir* is the destination where the sdist contents should be + written (note that archiving the contents is the responsibility of + the metabuild tool rather than the hook function) + *info_dir* is the destination where the sdist metadata files should + be written + + Returns the distribution metadata as a dictionary. + """ + + def build_wheel(sdist_dir, contents_dir, info_dir, compatibility=None): + """Generate the contents of a wheel archive + + *source_dir* points to an unpacked source archive + *contents_dir* is the destination where the wheel contents should be + written (note that archiving the contents is the responsibility of + the metabuild tool rather than the hook function) + *info_dir* is the destination where the wheel metadata files should + be written + *compatibility* is an optional PEP 425 compatibility tag indicating + the desired target compatibility for the build. If the tag cannot + be satisfied, the hook should throw ``ValueError``. + + Returns the actual compatibility tag for the build + """ + + +Rejected Features +================= + +The following features have been explicitly considered and rejected as +introducing too much additional complexity for too small a gain in +expressiveness. + +.. note:: + + Given the nature of this PEP as an interoperability specification, + this section will probably be removed before the PEP is accepted. + However, it's useful to have it here while discussion is ongoing. + + +Detached metadata +----------------- + +Rather than allowing some large items (such as the description field) to +be distributed separately, this PEP instead defines two metadata subsets +that should support more reasonable caching and API designs (for example, +only the essential dependency resolution metadata would be distributed +through TUF, and it is entirely possible the updated sdist, wheel and +installation database specs will use the abbreviated metadata, leaving +the full metadata as the province of index servers). + + +Alternative dependencies +------------------------ + +An earlier draft of this PEP considered allowing lists in place of the +usual strings in dependency specifications to indicate that there aren +multiple ways to satisfy a dependency. + +If at least one of the individual dependencies was already available, then +the entire dependency would be considered satisfied, otherwise the first +entry would be added to the dependency set. + +Alternative dependency specification example:: + + ["Pillow", "PIL"] + ["mysql", "psycopg2 (>= 4)", "sqlite3"] + +However, neither of the given examples is particularly compelling, +since Pillow/PIL style forks aren't common, and the database driver use +case would arguably be better served by an SQL Alchemy defined "supported +database driver" metadata extension where a project depends on SQL Alchemy, +and then declares in the extension which database drivers are checked for +compatibility by the upstream project (similar to the advisory +``supports-platform`` field in the main metadata). + +We're also getting better support for "virtual provides" in this version of +the metadata standard, so this may end up being an installer and index +server problem to better track and publish those. + + +Compatible release comparisons in environment markers +----------------------------------------------------- + +PEP 440 defines a rich syntax for version comparisons that could +potentially be useful with ``python_version`` and ``python_full_version`` +in environment markers. However, allowing the full syntax would mean +environment markers are no longer a Python subset, while allowing +only some of the comparisons would introduce yet another special case +to handle. + +Given that environment markers are only used in cases where a higher level +"or" is implied by the metadata structure, it seems easier to require the +use of multiple comparisons against specific Python versions for the rare +cases where this would be useful. + + +Conditional provides +-------------------- + +Under the revised metadata design, conditional "provides" based on runtime +features or the environment would go in a separate "may_provide" field. +However, I'm not convinced there's a great use case for that, so the idea +is rejected unless someone can present a compelling use case (and even then +the idea wouldn't be reconsidered until metadata 2.1 at the earliest). References @@ -1607,145 +2008,14 @@ justifications for needing such a standard can be found in PEP 386. .. [1] reStructuredText markup: http://docutils.sourceforge.net/ -.. _`Python Package Index`: http://pypi.python.org/pypi/ +.. _Python Package Index: http://pypi.python.org/pypi/ .. [2] PEP 301: http://www.python.org/dev/peps/pep-0301/ -.. [3] Version compatibility analysis script: - http://hg.python.org/peps/file/default/pep-0426/pepsort.py +.. _thematically appropriate: https://www.youtube.com/watch?v=CSe38dzJYkY -.. [4] Pessimistic version constraint - http://docs.rubygems.org/read/chapter/16 - -Appendix A -========== - -The script used for this analysis is available at [3]_. - -Parsing and generating the Metadata 2.0 serialization format using -Python 3.3:: - - # Metadata 2.0 demo - from email.generator import Generator - from email import header - from email.parser import Parser - from email.policy import Compat32 - from email.utils import _has_surrogates - - class MetadataPolicy(Compat32): - max_line_length = 0 - continuation_whitespace = '\t' - - def _sanitize_header(self, name, value): - if not isinstance(value, str): - return value - if _has_surrogates(value): - raise NotImplementedError() - else: - return value - - def _fold(self, name, value, sanitize): - body = ((self.linesep+self.continuation_whitespace) - .join(value.splitlines())) - return ''.join((name, ': ', body, self.linesep)) - - if __name__ == "__main__": - import sys - import textwrap - - pkg_info = """\ - Metadata-Version: 2.0 - Name: package - Version: 0.1.0 - Summary: A package. - Description: Description - =========== - - A description of the package. - - """ - - m = Parser(policy=MetadataPolicy()).parsestr(pkg_info) - - m['License'] = 'GPL' - description = m['Description'] - description_lines = description.splitlines() - m.set_payload(description_lines[0] - + '\n' - + textwrap.dedent('\n'.join(description_lines[1:])) - + '\n') - del m['Description'] - - # Correct if sys.stdout.encoding == 'UTF-8': - Generator(sys.stdout, maxheaderlen=0).flatten(m) - -Appendix B -========== - -Metadata v2.0 guidelines versus setuptools:: - - $ ./pepsort.py - Comparing PEP 426 version sort to setuptools. - - Analysing release versions - Compatible: 24477 / 28194 (86.82 %) - Compatible with translation: 247 / 28194 (0.88 %) - Compatible with filtering: 84 / 28194 (0.30 %) - No compatible versions: 420 / 28194 (1.49 %) - Sorts differently (after translations): 0 / 28194 (0.00 %) - Sorts differently (no translations): 0 / 28194 (0.00 %) - No applicable versions: 2966 / 28194 (10.52 %) - - Analysing public versions - Compatible: 25600 / 28194 (90.80 %) - Compatible with translation: 1505 / 28194 (5.34 %) - Compatible with filtering: 13 / 28194 (0.05 %) - No compatible versions: 420 / 28194 (1.49 %) - Sorts differently (after translations): 0 / 28194 (0.00 %) - Sorts differently (no translations): 0 / 28194 (0.00 %) - No applicable versions: 656 / 28194 (2.33 %) - - Analysing all versions - Compatible: 24239 / 28194 (85.97 %) - Compatible with translation: 2833 / 28194 (10.05 %) - Compatible with filtering: 513 / 28194 (1.82 %) - No compatible versions: 320 / 28194 (1.13 %) - Sorts differently (after translations): 38 / 28194 (0.13 %) - Sorts differently (no translations): 2 / 28194 (0.01 %) - No applicable versions: 249 / 28194 (0.88 %) - -Metadata v1.2 guidelines versus setuptools:: - - $ ./pepsort.py 386 - Comparing PEP 386 version sort to setuptools. - - Analysing release versions - Compatible: 24244 / 28194 (85.99 %) - Compatible with translation: 247 / 28194 (0.88 %) - Compatible with filtering: 84 / 28194 (0.30 %) - No compatible versions: 648 / 28194 (2.30 %) - Sorts differently (after translations): 0 / 28194 (0.00 %) - Sorts differently (no translations): 0 / 28194 (0.00 %) - No applicable versions: 2971 / 28194 (10.54 %) - - Analysing public versions - Compatible: 25371 / 28194 (89.99 %) - Compatible with translation: 1507 / 28194 (5.35 %) - Compatible with filtering: 12 / 28194 (0.04 %) - No compatible versions: 648 / 28194 (2.30 %) - Sorts differently (after translations): 0 / 28194 (0.00 %) - Sorts differently (no translations): 0 / 28194 (0.00 %) - No applicable versions: 656 / 28194 (2.33 %) - - Analysing all versions - Compatible: 23969 / 28194 (85.01 %) - Compatible with translation: 2789 / 28194 (9.89 %) - Compatible with filtering: 530 / 28194 (1.88 %) - No compatible versions: 547 / 28194 (1.94 %) - Sorts differently (after translations): 96 / 28194 (0.34 %) - Sorts differently (no translations): 14 / 28194 (0.05 %) - No applicable versions: 249 / 28194 (0.88 %) +.. _TR39: http://www.unicode.org/reports/tr39/tr39-1.html#Confusable_Detection Copyright diff --git a/pep-0440.txt b/pep-0440.txt index db05e9627..71298acb4 100644 --- a/pep-0440.txt +++ b/pep-0440.txt @@ -9,82 +9,52 @@ Status: Draft Type: Standards Track Content-Type: text/x-rst Created: 18 Mar 2013 -Post-History: 30 Mar 2013 +Post-History: 30 Mar 2013, 27-May-2013 Replaces: 386 Abstract ======== -This PEP describes a scheme for identifying versions of Python -software distributions, and declaring dependencies on particular -versions. +This PEP describes a scheme for identifying versions of Python software +distributions, and declaring dependencies on particular versions. -This document addresses several limitations of the previous attempt at -a standardised approach to versioning, as described in PEP 345 and PEP -386. +This document addresses several limitations of the previous attempt at a +standardised approach to versioning, as described in PEP 345 and PEP 386. .. note:: - This PEP has been broken out of the metadata 2.0 specification in - PEP 426 and refers to some details that will be in the *next* - version of PEP 426. + This PEP was broken out of the metadata 2.0 specification in PEP 426. + + Unlike PEP 426, the notes that remain in this document are intended as + part of the final specification. Definitions =========== The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", -"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this +"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. -"Distributions" are deployable software components published through -an index server or otherwise made available for installation. +The following terms are to be interpreted as described in PEP 426: -"Versions" are uniquely identified snapshots of a distribution. - -"Distribution archives" are the packaged files which are used to -publish and distribute the software. "Source archives" require a -build system to be available on the target system, while "binary -archives" only require that prebuilt files be moved to the correct -location on the target system. As Python is a dynamically bound -cross-platform language, many "binary" archives will contain only pure -Python source code. - -"Build tools" are automated tools intended to run on development -systems, producing source and binary distribution archives. Build -tools may also be invoked by installation tools in order to install -software distributed as source archives rather than prebuilt binary -archives. - -"Index servers" are active distribution registries which publish -version and dependency metadata and place constraints on the permitted -metadata. - -"Publication tools" are automated tools intended to run on development -systems and upload source and binary distribution archives to index -servers. - -"Installation tools" are automated tools intended to run on production -systems, consuming source and binary distribution archives from an -index server or other designated location and deploying them to the -target system. - -"Automated tools" is a collective term covering build tools, index -servers, publication tools, installation tools and any other software -that produces or consumes distribution version and dependency -metadata. - -"Projects" refers to the developers that manage the creation of a -particular distribution. +* "Distributions" +* "Versions" +* "Build tools" +* "Index servers" +* "Publication tools" +* "Installation tools" +* "Automated tools" +* "Projects" Version scheme ============== -Distribution versions are identified by both a public version -identifier, which supports all defined version comparison operations, -and a build label, which supports only strict equality comparisons. +Distribution versions are identified by both a public version identifier, +which supports all defined version comparison operations, and a build +label, which supports only strict equality comparisons. The version scheme is used both to describe the distribution version provided by a particular distribution archive, as well as to place @@ -99,14 +69,13 @@ Public version identifiers MUST comply with the following scheme:: N[.N]+[{a|b|c|rc}N][.postN][.devN] -Public version identifiers MUST NOT include leading or trailing -whitespace. +Public version identifiers MUST NOT include leading or trailing whitespace. Public version identifiers MUST be unique within a given distribution. -Installation tools SHOULD ignore any public versions which do not -comply with this scheme. Installation tools MAY warn the user when -non-compliant or ambiguous versions are detected. +Installation tools SHOULD ignore any public versions which do not comply with +this scheme. Installation tools MAY warn the user when non-compliant +or ambiguous versions are detected. Public version identifiers are separated into up to four segments: @@ -115,22 +84,19 @@ Public version identifiers are separated into up to four segments: * Post-release segment: ``.postN`` * Development release segment: ``.devN`` -Any given version will be a "release", "pre-release", "post-release" -or "developmental release" as defined in the following sections. +Any given version will be a "release", "pre-release", "post-release" or +"developmental release" as defined in the following sections. .. note:: - Some hard to read version identifiers are permitted by this scheme - in order to better accommodate the wide range of versioning - practices across existing public and private Python projects, given - the constraint that the package index is not yet sophisticated - enough to allow the introduction of a simpler, - backwards-incompatible scheme. + Some hard to read version identifiers are permitted by this scheme in + order to better accommodate the wide range of versioning practices + across existing public and private Python projects. Accordingly, some of the versioning practices which are technically - permitted by the PEP are strongly discouraged for new projects. - Where this is the case, the relevant details are noted in the - following sections. + permitted by the PEP are strongly discouraged for new projects. Where + this is the case, the relevant details are noted in the following + sections. Build labels @@ -138,42 +104,44 @@ Build labels Build labels are text strings with minimal defined semantics. -To ensure build labels can be readily incorporated in file names and -URLs, they MUST be comprised of only ASCII alphanumerics, plus signs, +To ensure build labels can be readily incorporated as part of file names +and URLs, they MUST be comprised of only ASCII alphanumerics, plus signs, periods and hyphens. In addition, build labels MUST be unique within a given distribution. +As with distribution names, all comparisons of build labels MUST be case +insensitive. + Releases -------- -A version identifier that consists solely of a release segment is -termed a "release". +A version identifier that consists solely of a release segment is termed +a "release". -The release segment consists of one or more non-negative integer -values, separated by dots:: +The release segment consists of one or more non-negative integer values, +separated by dots:: N[.N]+ Releases within a project will typically be numbered in a consistently increasing fashion. -Comparison and ordering of release segments considers the numeric -value of each component of the release segment in turn. When -comparing release segments with different numbers of components, the -shorter segment is padded out with additional zeroes as necessary. +Comparison and ordering of release segments considers the numeric value +of each component of the release segment in turn. When comparing release +segments with different numbers of components, the shorter segment is +padded out with additional zeroes as necessary. -Date based release numbers are technically compatible with this -scheme, but their use is not consistent with the expected API -versioning semantics described below. Accordingly, automated tools -SHOULD at least issue a warning when encountering a leading release -component greater than or equal to ``1980`` and MAY treat this case as -an error. +Date based release numbers are declared to be incompatible with this scheme, +as their use is not consistent with the expected API versioning semantics +described below. Accordingly, automated tools SHOULD report an error +when encountering a leading release component greater than or equal +to ``1980``. -While any number of additional components after the first are -permitted under this scheme, the most common variants are to use two -components ("major.minor") or three components ("major.minor.micro"). +While any number of additional components after the first are permitted +under this scheme, the most common variants are to use two components +("major.minor") or three components ("major.minor.micro"). For example:: @@ -189,78 +157,76 @@ For example:: 2.0 2.0.1 -A release series is any set of release numbers that start with a -common prefix. For example, ``3.3.1``, ``3.3.5`` and ``3.3.9.45`` are -all part of the ``3.3`` release series. +A release series is any set of release numbers that start with a common +prefix. For example, ``3.3.1``, ``3.3.5`` and ``3.3.9.45`` are all +part of the ``3.3`` release series. .. note:: - ``X.Y`` and ``X.Y.0`` are not considered distinct release numbers, - as the release segment comparison rules implicit expand the two - component form to ``X.Y.0`` when comparing it to any release - segment that includes three components. + ``X.Y`` and ``X.Y.0`` are not considered distinct release numbers, as + the release segment comparison rules implicit expand the two component + form to ``X.Y.0`` when comparing it to any release segment that includes + three components. Pre-releases ------------ -Some projects use an "alpha, beta, release candidate" pre-release -cycle to support testing by their users prior to a full release. +Some projects use an "alpha, beta, release candidate" pre-release cycle to +support testing by their users prior to a final release. -If used as part of a project's development cycle, these pre-releases -are indicated by including a pre-release segment in the version -identifier:: +If used as part of a project's development cycle, these pre-releases are +indicated by including a pre-release segment in the version identifier:: X.YaN # Alpha release X.YbN # Beta release - X.YcN # Release candidate (alternative notation: X.YrcN) - X.Y # Full release + X.YcN # Candidate release (alternative notation: X.YrcN) + X.Y # Final release A version identifier that consists solely of a release segment and a pre-release segment is termed a "pre-release". The pre-release segment consists of an alphabetical identifier for the -pre-release phase, along with a non-negative integer value. -Pre-releases for a given release are ordered first by phase (alpha, -beta, release candidate) and then by the numerical component within -that phase. +pre-release phase, along with a non-negative integer value. Pre-releases for +a given release are ordered first by phase (alpha, beta, release candidate) +and then by the numerical component within that phase. -Build tools, publication tools and index servers SHOULD disallow the -creation of both ``c`` and ``rc`` releases for a common release -segment, but this may need to be tolerated in order to handle some -existing legacy distributions. +Installation tools MAY accept both ``c`` and ``rc`` releases for a common +release segment in order to handle some existing legacy distributions. -Installation tools SHOULD interpret all ``rc`` versions as coming -after all ``c`` versions (that is, ``rc1`` indicates a later version -than ``c2``). Installation tools MAY warn the user when such -ambiguous versions are detected, or even reject them entirely. +Installation tools SHOULD interpret all ``rc`` versions as coming after all +``c`` versions (that is, ``rc1`` indicates a later version than ``c2``). +Installation tools MAY warn the user when such ambiguous versions are +detected, or even reject them entirely. + +Build tools, publication tools and index servers SHOULD disallow the creation +of both ``c`` and ``rc`` releases for a common release segment. Post-releases ------------- -Some projects use post-releases to address minor errors in a release -that do not affect the distributed software (for example, correcting -an error in the release notes). +Some projects use post-releases to address minor errors in a release that +do not affect the distributed software (for example, correcting an error +in the release notes). -If used as part of a project's development cycle, these post-releases -are indicated by including a post-release segment in the version -identifier:: +If used as part of a project's development cycle, these post-releases are +indicated by including a post-release segment in the version identifier:: X.Y.postN # Post-release A version identifier that includes a post-release segment without a developmental release segment is termed a "post-release". -The post-release segment consists of the string ``.post``, followed by -a non-negative integer value. Post-releases are ordered by their +The post-release segment consists of the string ``.post``, followed by a +non-negative integer value. Post-releases are ordered by their numerical component, immediately following the corresponding release, and ahead of any subsequent release. .. note:: The use of post-releases to publish maintenance releases containing - actual bug fixes is strongly discouraged. In general, it is better + actual bug fixes is strongly discouraged. In general, it is better to use a longer release number and increment the final component for each maintenance release. @@ -273,22 +239,22 @@ Post-releases are also permitted for pre-releases:: .. note:: Creating post-releases of pre-releases is strongly discouraged, as - it makes the version identifier difficult to parse for human - readers. In general, it is substantially clearer to simply create - a new pre-release by incrementing the numeric component. + it makes the version identifier difficult to parse for human readers. + In general, it is substantially clearer to simply create a new + pre-release by incrementing the numeric component. Developmental releases ---------------------- -Some projects make regular developmental releases, and system -packagers (especially for Linux distributions) may wish to create -early releases directly from source control which do not conflict with -later project releases. +Some projects make regular developmental releases, and system packagers +(especially for Linux distributions) may wish to create early releases +directly from source control which do not conflict with later project +releases. If used as part of a project's development cycle, these developmental -releases are indicated by including a developmental release segment in -the version identifier:: +releases are indicated by including a developmental release segment in the +version identifier:: X.Y.devN # Developmental release @@ -296,11 +262,10 @@ A version identifier that includes a developmental release segment is termed a "developmental release". The developmental release segment consists of the string ``.dev``, -followed by a non-negative integer value. Developmental releases are -ordered by their numerical component, immediately before the -corresponding release (and before any pre-releases with the same -release segment), and following any previous release (including any -post-releases). +followed by a non-negative integer value. Developmental releases are ordered +by their numerical component, immediately before the corresponding release +(and before any pre-releases with the same release segment), and following +any previous release (including any post-releases). Developmental releases are also permitted for pre-releases and post-releases:: @@ -313,27 +278,24 @@ post-releases:: .. note:: Creating developmental releases of pre-releases is strongly - discouraged, as it makes the version identifier difficult to parse - for human readers. In general, it is substantially clearer to - simply create additional pre-releases by incrementing the numeric - component. + discouraged, as it makes the version identifier difficult to parse for + human readers. In general, it is substantially clearer to simply create + additional pre-releases by incrementing the numeric component. - Developmental releases of post-releases are also strongly - discouraged, but they may be appropriate for projects which use the - post-release notation for full maintenance releases which may - include code changes. + Developmental releases of post-releases are also strongly discouraged, + but they may be appropriate for projects which use the post-release + notation for full maintenance releases which may include code changes. Examples of compliant version schemes ------------------------------------- The standard version scheme is designed to encompass a wide range of -identification practices across public and private Python projects. -In practice, a single project attempting to use the full flexibility -offered by the scheme would create a situation where human users had -difficulty figuring out the relative order of versions, even though -the rules above ensure all compliant tools will order them -consistently. +identification practices across public and private Python projects. In +practice, a single project attempting to use the full flexibility offered +by the scheme would create a situation where human users had difficulty +figuring out the relative order of versions, even though the rules above +ensure all compliant tools will order them consistently. The following examples illustrate a small selection of the different approaches projects may choose to identify their releases, while still @@ -357,7 +319,7 @@ Simple "major.minor.micro" versioning:: 1.2.0 ... -"major.minor" versioning with alpha, beta and release candidate +"major.minor" versioning with alpha, beta and candidate pre-releases:: 0.9 @@ -369,8 +331,8 @@ pre-releases:: 1.1a1 ... -"major.minor" versioning with developmental releases, release -candidates and post-releases for minor corrections:: +"major.minor" versioning with developmental releases, release candidates +and post-releases for minor corrections:: 0.9 1.0.dev1 @@ -394,9 +356,9 @@ Summary of permitted suffixes and relative ordering automatically process distribution metadata, rather than developers of Python distributions deciding on a versioning scheme. -The release segment of version identifiers MUST be sorted in the same -order as Python's tuple sorting when the release segment is parsed as -follows:: +The release segment of version identifiers MUST be sorted in +the same order as Python's tuple sorting when the release segment is +parsed as follows:: tuple(map(int, release_segment.split("."))) @@ -409,28 +371,26 @@ are permitted and MUST be ordered as shown:: .devN, aN, bN, cN, rcN, , .postN Note that `rc` will always sort after `c` (regardless of the numeric -component) although they are semantically equivalent. Tools are free -to reject this case as ambiguous and remain in compliance with the -PEP. +component) although they are semantically equivalent. Tools are free to +reject this case as ambiguous and remain in compliance with the PEP. Within an alpha (``1.0a1``), beta (``1.0b1``), or release candidate -(``1.0c1``, ``1.0rc1``), the following suffixes are permitted and MUST -be ordered as shown:: +(``1.0c1``, ``1.0rc1``), the following suffixes are permitted and MUST be +ordered as shown:: .devN, , .postN -Within a post-release (``1.0.post1``), the following suffixes are -permitted and MUST be ordered as shown:: +Within a post-release (``1.0.post1``), the following suffixes are permitted +and MUST be ordered as shown:: .devN, -Note that ``devN`` and ``postN`` MUST always be preceded by a dot, -even when used immediately following a numeric version -(e.g. ``1.0.dev456``, ``1.0.post1``). +Note that ``devN`` and ``postN`` MUST always be preceded by a dot, even +when used immediately following a numeric version (e.g. ``1.0.dev456``, +``1.0.post1``). -Within a pre-release, post-release or development release segment with -a shared prefix, ordering MUST be by the value of the numeric -component. +Within a pre-release, post-release or development release segment with a +shared prefix, ordering MUST be by the value of the numeric component. The following example covers many of the possible combinations:: @@ -454,70 +414,67 @@ The following example covers many of the possible combinations:: Version ordering across different metadata versions --------------------------------------------------- -Metadata v1.0 (PEP 241) and metadata v1.1 (PEP 314) do not specify a -standard version identification or ordering scheme. This PEP does not -mandate any particular approach to handling such versions, but -acknowledges that the de facto standard for ordering them is the -scheme used by the ``pkg_resources`` component of ``setuptools``. +Metadata v1.0 (PEP 241) and metadata v1.1 (PEP 314) do not +specify a standard version identification or ordering scheme. This PEP does +not mandate any particular approach to handling such versions, but +acknowledges that the de facto standard for ordering them is +the scheme used by the ``pkg_resources`` component of ``setuptools``. -Software that automatically processes distribution metadata SHOULD -attempt to normalize non-compliant version identifiers to the standard -scheme, and ignore them if normalization fails. As any normalization -scheme will be implementation specific, this means that projects using -non-compliant version identifiers may not be handled consistently -across different tools, even when correctly publishing the earlier -metadata versions. +Software that automatically processes distribution metadata SHOULD attempt +to normalize non-compliant version identifiers to the standard scheme, and +ignore them if normalization fails. As any normalization scheme will be +implementation specific, this means that projects using non-compliant +version identifiers may not be handled consistently across different +tools, even when correctly publishing the earlier metadata versions. -For distributions currently using non-compliant version identifiers, -these filtering guidelines mean that it should be enough for the -project to simply switch to the use of compliant version identifiers -to ensure consistent handling by automated tools. +For distributions currently using non-compliant version identifiers, these +filtering guidelines mean that it should be enough for the project to +simply switch to the use of compliant version identifiers to ensure +consistent handling by automated tools. -Distribution users may wish to explicitly remove non-compliant -versions from any private package indexes they control. +Distribution users may wish to explicitly remove non-compliant versions from +any private package indexes they control. -For metadata v1.2 (PEP 345), the version ordering described in this -PEP SHOULD be used in preference to the one defined in PEP 386. +For metadata v1.2 (PEP 345), the version ordering described in this PEP +SHOULD be used in preference to the one defined in PEP 386. Compatibility with other version schemes ---------------------------------------- Some projects may choose to use a version scheme which requires -translation in order to comply with the public version scheme defined -in this PEP. In such cases, the build label can be used to record the -project specific version as an arbitrary label, while the translated -public version is published in the version field. +translation in order to comply with the public version scheme defined in +this PEP. In such cases, the build label can be used to +record the project specific version as an arbitrary label, while the +translated public version is published in the version field. -This allows automated distribution tools to provide consistently -correct ordering of published releases, while still allowing -developers to use the internal versioning scheme they prefer for their -projects. +This allows automated distribution tools to provide consistently correct +ordering of published releases, while still allowing developers to use +the internal versioning scheme they prefer for their projects. Semantic versioning ~~~~~~~~~~~~~~~~~~~ -`Semantic versioning`_ is a popular version identification scheme that -is more prescriptive than this PEP regarding the significance of -different elements of a release number. Even if a project chooses not -to abide by the details of semantic versioning, the scheme is worth -understanding as it covers many of the issues that can arise when -depending on other distributions, and when publishing a distribution -that others rely on. +`Semantic versioning`_ is a popular version identification scheme that is +more prescriptive than this PEP regarding the significance of different +elements of a release number. Even if a project chooses not to abide by +the details of semantic versioning, the scheme is worth understanding as +it covers many of the issues that can arise when depending on other +distributions, and when publishing a distribution that others rely on. The "Major.Minor.Patch" (described in this PEP as "major.minor.micro") -aspects of semantic versioning (clauses 1-9 in the 2.0.0-rc-1 -specification) are fully compatible with the version scheme defined in -this PEP, and abiding by these aspects is encouraged. +aspects of semantic versioning (clauses 1-9 in the 2.0.0-rc-1 specification) +are fully compatible with the version scheme defined in this PEP, and abiding +by these aspects is encouraged. Semantic versions containing a hyphen (pre-releases - clause 10) or a -plus sign (builds - clause 11) are *not* compatible with this PEP and -are not permitted in the public version field. +plus sign (builds - clause 11) are *not* compatible with this PEP +and are not permitted in the public version field. -One possible mechanism to translate such semantic versioning based -build labels to compatible public versions is to use the ``.devN`` -suffix to specify the appropriate version order. +One possible mechanism to translate such semantic versioning based build +labels to compatible public versions is to use the ``.devN`` suffix to +specify the appropriate version order. .. _Semantic versioning: http://semver.org/ @@ -525,158 +482,167 @@ suffix to specify the appropriate version order. DVCS based version labels ~~~~~~~~~~~~~~~~~~~~~~~~~ -Many build tools integrate with distributed version control systems -like Git and Mercurial in order to add an identifying hash to the -version identifier. As hashes cannot be ordered reliably such -versions are not permitted in the public version field. +Many build tools integrate with distributed version control systems like +Git and Mercurial in order to add an identifying hash to the version +identifier. As hashes cannot be ordered reliably such versions are not +permitted in the public version field. -As with semantic versioning, the public ``.devN`` suffix may be used -to uniquely identify such releases for publication, while the build -label is used to record the original DVCS based version label. +As with semantic versioning, the public ``.devN`` suffix may be used to +uniquely identify such releases for publication, while the build label is +used to record the original DVCS based version label. Date based versions ~~~~~~~~~~~~~~~~~~~ As with other incompatible version schemes, date based versions can be -stored in the build label field. Translating them to a compliant -public version is straightforward: use a leading "0." prefix in the -public version label, with the date based version number as the -remaining components in the release segment. +stored in the build label field. Translating them to a compliant +public version is straightforward: use a leading ``"0."`` prefix in the +public version label, with the date based version number as the remaining +components in the release segment. This has the dual benefit of allowing subsequent migration to version -numbering based on API compatibility, as well as triggering more -appropriate version comparison semantics. +numbering based on API compatibility, as well as triggering more appropriate +version comparison semantics. Version specifiers ================== -A version specifier consists of a series of version clauses, separated -by commas. For example:: +A version specifier consists of a series of version clauses, separated by +commas. For example:: - 0.9, >= 1.0, != 1.3.4.*, < 2.0 + 0.9, ~= 0.9, >= 1.0, != 1.3.4.*, < 2.0 -The comparison operator (or lack thereof) determines the kind of -version clause: +The comparison operator (or lack thereof) determines the kind of version +clause: -* No operator: `Compatible release`_ clause +* No operator: equivalent to ``~=`` +* ``~=``: `Compatible release`_ clause * ``==``: `Version matching`_ clause * ``!=``: `Version exclusion`_ clause * ``is``: `Build reference`_ clause -* ``<``, ``>``, ``<=``, ``>=``: `Ordered comparison`_ clause +* ``<=``, ``>=``: `Inclusive ordered comparison`_ clause +* ``<``, ``>``: `Exclusive ordered comparison`_ clause -The comma (",") is equivalent to a logical **and** operator: a -candidate version must match all given version clauses in order to -match the specifier as a whole. +The comma (",") is equivalent to a logical **and** operator: a candidate +version must match all given version clauses in order to match the +specifier as a whole. Whitespace between a conditional operator and the following version identifier is optional, as is the whitespace around the commas. -When multiple candidate versions match a version specifier, the -preferred version SHOULD be the latest version as determined by the -consistent ordering defined by the standard `Version scheme`_. -Whether or not pre-releases are considered as candidate versions -SHOULD be handled as described in `Handling of pre-releases`_. +When multiple candidate versions match a version specifier, the preferred +version SHOULD be the latest version as determined by the consistent +ordering defined by the standard `Version scheme`_. Whether or not +pre-releases are considered as candidate versions SHOULD be handled as +described in `Handling of pre-releases`_. Compatible release ------------------ -A compatible release clause consists solely of a version identifier -without any comparison operator. It matches any candidate version -that is expected to be compatible with the specified version. +A compatible release clause consists of either a version identifier without +any comparison operator or else the compatible release operator ``~=`` +and a version identifier. It matches any candidate version that is expected +to be compatible with the specified version. -The specified version identifier must be in the standard format -described in `Version scheme`_. +The specified version identifier must be in the standard format described in +`Version scheme`_. -For a given release identifier ``V.N``, the compatible release clause -is approximately equivalent to the pair of comparison clauses:: +For a given release identifier ``V.N``, the compatible release clause is +approximately equivalent to the pair of comparison clauses:: >= V.N, == V.* -For example, the following version clauses are equivalent:: +For example, the following groups of version clauses are equivalent:: 2.2 + ~= 2.2 >= 2.2, == 2.* 1.4.5 + ~= 1.4.5 >= 1.4.5, == 1.4.* If a pre-release, post-release or developmental release is named in a -compatible release clause as ``V.N.suffix``, then the suffix is -ignored when determining the required prefix match:: +compatible release clause as ``V.N.suffix``, then the suffix is ignored +when determining the required prefix match:: 2.2.post3 + ~= 2.2.post3 >= 2.2.post3, == 2.* 1.4.5a4 + ~= 1.4.5a4 >= 1.4.5a4, == 1.4.* -The padding rules for release segment comparisons means that the -assumed degree of forward compatibility in a compatible release clause -can be controlled by appending additional zeroes to the version -specifier:: +The padding rules for release segment comparisons means that the assumed +degree of forward compatibility in a compatible release clause can be +controlled by appending additional zeroes to the version specifier:: 2.2.0 + ~= 2.2.0 >= 2.2.0, == 2.2.* 1.4.5.0 + ~= 1.4.5.0 >= 1.4.5.0, == 1.4.5.* Version matching ---------------- -A version matching clause includes the version matching operator -``==`` and a version identifier. +A version matching clause includes the version matching operator ``==`` +and a version identifier. -The specified version identifier must be in the standard format -described in `Version scheme`_, but a trailing ``.*`` is permitted as -described below. +The specified version identifier must be in the standard format described in +`Version scheme`_, but a trailing ``.*`` is permitted as described below. -By default, the version matching operator is based on a strict -equality comparison: the specified version must be exactly the same as -the requested version. The *only* substitution performed is the zero -padding of the release segment to ensure the release segments are -compared with the same length. +By default, the version matching operator is based on a strict equality +comparison: the specified version must be exactly the same as the requested +version. The *only* substitution performed is the zero padding of the +release segment to ensure the release segments are compared with the same +length. -Prefix matching may be requested instead of strict comparison, by -appending a trailing ``.*`` to the version identifier in the version -matching clause. This means that additional trailing segments will be -ignored when determining whether or not a version identifier matches -the clause. If the version includes only a release segment, than -trailing components in the release segment are also ignored. +Prefix matching may be requested instead of strict comparison, by appending +a trailing ``.*`` to the version identifier in the version matching clause. +This means that additional trailing segments will be ignored when +determining whether or not a version identifier matches the clause. If the +version includes only a release segment, than trailing components in the +release segment are also ignored. For example, given the version ``1.1.post1``, the following clauses would -match or not as shown: +match or not as shown:: == 1.1 # Not equal, so 1.1.post1 does not match clause == 1.1.post1 # Equal, so 1.1.post1 matches clause == 1.1.* # Same prefix, so 1.1.post1 matches clause -.. note:: +The use of ``==`` (without at least the wildcard suffix) when defining +dependencies for published distributions is strongly discouraged as it +greatly complicates the deployment of security fixes. The strict version +comparison operator is intended primarily for use when defining +dependencies for repeatable *deployments of applications* while using +a shared distribution index. - The use of ``==`` when defining dependencies for published - distributions is strongly discouraged as it greatly complicates the - deployment of security fixes. The strict version comparison - operator is intended primarily for use when defining dependencies - for repeatable *deployments of applications* while using a shared - distribution index. +Publication tools and index servers SHOULD at least emit a warning when +dependencies are pinned in this fashion and MAY refuse to allow publication +of such overly specific dependencies. Version exclusion ----------------- -A version exclusion clause includes the version matching operator -``!=`` and a version identifier. +A version exclusion clause includes the version exclusion operator ``!=`` +and a version identifier. -The allowed version identifiers and comparison semantics are the same -as those of the `Version matching`_ operator, except that the sense of -any match is inverted. +The allowed version identifiers and comparison semantics are the same as +those of the `Version matching`_ operator, except that the sense of any +match is inverted. -For example, given the version ``1.1.post1``, the following clauses -would match or not as shown: +For example, given the version ``1.1.post1``, the following clauses would +match or not as shown:: != 1.1 # Not equal, so 1.1.post1 matches clause != 1.1.post1 # Equal, so 1.1.post1 does not match clause @@ -686,58 +652,113 @@ would match or not as shown: Build reference --------------- -A build reference includes the build label matching operator ``is`` and -a build reference. - -A build reference is a direct URI reference supplied to satisfy a -dependency. The exact kinds of URIs and targets supported will be -determined by the specific installation tool used. +A build reference includes the build reference operator ``is`` and +a build label or a build URL. Publication tools and public index servers SHOULD NOT permit build references in dependency specifications. -Installation tools SHOULD support the use of build references to -identify dependencies. - -Automated tools MAY support the use of build labels in build reference -clauses. They can be clearly distinguished from URI references -without ambiguity, as ``:`` and ``/`` are not permitted in build -labels. +Installation tools SHOULD support the use of build references to identify +dependencies. Build label matching works solely on strict equality comparisons: the -candidate build label must be exactly the same as the build label in -the version clause. +candidate build label must be exactly the same as the build label in the +version clause for the clause to match the candidate distribution. + +For example, a build reference could be used to depend on a ``hashdist`` +generated build of ``zlib`` with the ``hashdist`` hash used as a build +label:: + + zlib (is d4jwf2sb2g6glprsdqfdpcracwpzujwq) + +A build URL is distinguished from a build label by the presence of +``:`` and ``/`` characters in the build reference. As these characters +are not permitted in build labels, they indicate that the reference uses +a build URL. + +Some appropriate targets for a build URL are a binary archive, a +source tarball, an sdist archive or a direct reference to a tag or +specific commit in an online version control system. The exact URLs and +targets supported will be installation tool specific. + +For example, a local prebuilt wheel file may be referenced directly:: + + exampledist (is file:///localbuilds/exampledist-1.0-py33-none-any.whl) + +All build URL references SHOULD either specify a local file URL, a secure +transport mechanism (such as ``https``) or else include an expected hash +value in the URL for verification purposes. If an insecure network +transport is specified without any hash information (or with hash +information that the tool doesn't understand), automated tools SHOULD +at least emit a warning and MAY refuse to rely on the URL. + +It is RECOMMENDED that only hashes which are unconditionally provided by +the latest version of the standard library's ``hashlib`` module be used +for source archive hashes. At time of writing, that list consists of +``'md5'``, ``'sha1'``, ``'sha224'``, ``'sha256'``, ``'sha384'``, and +``'sha512'``. + +For binary or source archive references, an expected hash value may be +specified by including a ``=`` as part of +the URL fragment. + +For version control references, the ``VCS+protocol`` scheme SHOULD be +used to identify both the version control system and the secure transport. + +To support version control systems that do not support including commit or +tag references directly in the URL, that information may be appended to the +end of the URL using the ``@`` notation. + +The use of ``is`` when defining dependencies for published distributions +is strongly discouraged as it greatly complicates the deployment of +security fixes. The build label matching operator is intended primarily +for use when defining dependencies for repeatable *deployments of +applications* while using a shared distribution index, as well as to +reference dependencies which are not published through an index server. -Ordered comparison ------------------- +Inclusive ordered comparison +---------------------------- -An ordered comparison clause includes a comparison operator and a -version identifier, and will match any version where the comparison is -correct based on the relative position of the candidate version and -the specified version given the consistent ordering defined by the -standard `Version scheme`_. +An inclusive ordered comparison clause includes a comparison operator and a +version identifier, and will match any version where the comparison is correct +based on the relative position of the candidate version and the specified +version given the consistent ordering defined by the standard +`Version scheme`_. -The supported ordered comparison operators are ``<``, ``>``, ``<=``, -``>=``. +The inclusive ordered comparison operators are ``<=`` and ``>=``. -As with version matching, the release segment is zero padded as -necessary to ensure the release segments are compared with the same -length. +As with version matching, the release segment is zero padded as necessary to +ensure the release segments are compared with the same length. -To exclude pre-releases and post-releases correctly, the comparison -clauses ``< V`` and ``> V`` MUST be interpreted as also implying the -version matching clause ``!= V.*``. + +Exclusive ordered comparison +---------------------------- + +Exclusive ordered comparisons are similar to inclusive ordered comparisons, +except that the comparison operators are ``<`` and ``>`` and the clause +MUST be effectively interpreted as implying the prefix based version +exclusion clause ``!= V.*``. + +The exclusive ordered comparison ``> V`` MUST NOT match a post-release +or maintenance release of the given version. Maintenance releases can be +permitted by using the clause ``> V.0``, while both post releases and +maintenance releases can be permitted by using the inclusive ordered +comparison ``>= V.post1``. + +The exclusive ordered comparison ``< V`` MUST NOT match a pre-release of +the given version, even if acceptance of pre-releases is enabled as +described in the section below. Handling of pre-releases ------------------------ -Pre-releases of any kind, including developmental releases, are -implicitly excluded from all version specifiers, *unless* a -pre-release or developmental release is explicitly mentioned in one of -the clauses. For example, these specifiers implicitly exclude all -pre-releases and development releases of later versions:: +Pre-releases of any kind, including developmental releases, are implicitly +excluded from all version specifiers, *unless* a pre-release or developmental +release is explicitly mentioned in one of the clauses. For example, these +specifiers implicitly exclude all pre-releases and development +releases of later versions:: 2.2 >= 1.0 @@ -751,73 +772,68 @@ While these specifiers would include at least some of them:: >= 1.0, != 1.0b2 >= 1.0, < 2.0.dev123 -Dependency resolution tools SHOULD exclude pre-releases by default, -but SHOULD also allow users to request the following alternative -behaviours: +By default, dependency resolution tools SHOULD: * accept already installed pre-releases for all version specifiers -* retrieve and install available pre-releases for all version - specifiers +* accept remotely available pre-releases for version specifiers which + include at least one version clauses that references a pre-release +* exclude all other pre-releases from consideration + +Dependency resolution tools SHOULD also allow users to request the +following alternative behaviours: + +* accepting pre-releases for all version specifiers +* excluding pre-releases for all version specifiers (reporting an error or + warning if a pre-release is already installed locally) Dependency resolution tools MAY also allow the above behaviour to be controlled on a per-distribution basis. -Post-releases and purely numeric releases receive no special treatment -- they are always included unless explicitly excluded. +Post-releases and purely numeric releases receive no special treatment in +version specifiers - they are always included unless explicitly excluded. Examples -------- -* ``3.1``: version 3.1 or later, but not version 4.0 or - later. Excludes pre-releases and developmental releases. -* ``3.1.2``: version 3.1.2 or later, but not version 3.2.0 or - later. Excludes pre-releases and developmental releases. -* ``3.1a1``: version 3.1a1 or later, but not version 4.0 or - later. Allows pre-releases like 3.2a4 and developmental releases - like 3.2.dev1. -* ``== 3.1``: specifically version 3.1 (or 3.1.0), excludes all - pre-releases, post releases, developmental releases and any 3.1.x - maintenance releases. -* ``== 3.1.*``: any version that starts with 3.1, excluding - pre-releases and developmental releases. Equivalent to the ``3.1.0`` - compatible release clause. -* ``3.1.0, != 3.1.3``: version 3.1.0 or later, but not version 3.1.3 - and not version 3.2.0 or later. Excludes pre-releases and - developmental releases. +* ``3.1``: version 3.1 or later, but not + version 4.0 or later. Excludes pre-releases and developmental releases. +* ``3.1.2``: version 3.1.2 or later, but not + version 3.2.0 or later. Excludes pre-releases and developmental releases. +* ``3.1a1``: version 3.1a1 or later, but not + version 4.0 or later. Allows pre-releases like 3.2a4 and developmental + releases like 3.2.dev1. +* ``== 3.1``: specifically version 3.1 (or 3.1.0), excludes all pre-releases, + post releases, developmental releases and any 3.1.x maintenance releases. +* ``== 3.1.*``: any version that starts with 3.1, excluding pre-releases and + developmental releases. Equivalent to the ``3.1.0`` compatible release + clause. +* ``3.1.0, != 3.1.3``: version 3.1.0 or later, but not version 3.1.3 and + not version 3.2.0 or later. Excludes pre-releases and developmental + releases. Updating the versioning specification ===================================== -The versioning specification may be updated with clarifications -without requiring a new PEP or a change to the metadata version. +The versioning specification may be updated with clarifications without +requiring a new PEP or a change to the metadata version. -Actually changing the version comparison semantics still requires a -new versioning scheme and metadata version defined in new PEPs. +Actually changing the version comparison semantics still requires a new +versioning scheme and metadata version defined in new PEPs. Open issues =========== * The new ``is`` operator seems like a reasonable way to cleanly allow - *deployments* to bring in non-published dependencies, while heavily - discouraging the practice for published libraries. However, it's a - first draft of the idea, so feedback is definitely welcome. + installation tools to bring in non-published dependencies, while heavily + discouraging the practice for published libraries. It also makes + build labels more useful by allowing them to be used to pin dependencies + in the integration use case. -* Currently, the cleanest way to specify that a project runs on Python - 2.6+ and 3.3+ is to use a clause like:: - - Requires-Python: >= 2.6, < 4.0, != 3.0.*, != 3.1.*, != 3.2.* - - It would be better if there was a cleaner way to specify "this OR - that" in a version specifier. Perhaps something like:: - - Requires-Python: (2.6) or (3.3) - - This would be a respectable increase in the complexity of the - parsing for version specifiers though, even if it was only allowed - at the top level. + However, it's an early draft of the idea, so feedback is definitely + welcome. Summary of differences from \PEP 386 @@ -825,16 +841,16 @@ Summary of differences from \PEP 386 * Moved the description of version specifiers into the versioning PEP -* added the "build label" concept to better handle projects that wish - to use a non-compliant versioning scheme internally, especially - those based on DVCS hashes +* added the "build label" concept to better handle projects that wish to + use a non-compliant versioning scheme internally, especially those based + on DVCS hashes * added the "compatible release" clause * added the "build reference" clause -* separated the two kinds of "version matching" clause (strict and - prefix) +* added the trailing wildcard syntax for prefix based version matching + and exclusion * changed the top level sort position of the ``.devN`` suffix @@ -857,111 +873,106 @@ Adding build labels ------------------- The new build label support is intended to make it clearer that the -constraints on public version identifiers are there primarily to aid -in the creation of reliable automated dependency analysis tools. -Projects are free to use whatever versioning scheme they like -internally, so long as they are able to translate it to something the -dependency analysis tools will understand. +constraints on public version identifiers are there primarily to aid in +the creation of reliable automated dependency analysis tools. Projects +are free to use whatever versioning scheme they like internally, so long +as they are able to translate it to something the dependency analysis tools +will understand. Changing the version scheme --------------------------- The key change in the version scheme in this PEP relative to that in -PEP 386 is to sort top level developmental releases like ``X.Y.devN`` -ahead of alpha releases like ``X.Ya1``. This is a far more logical -sort order, as projects already using both development releases and -alphas/betas/release candidates do not want their developmental -releases sorted in between their release candidates and their full -releases. There is no rationale for using ``dev`` releases in that -position rather than merely creating additional release candidates. +PEP 386 is to sort top level developmental releases like ``X.Y.devN`` ahead +of alpha releases like ``X.Ya1``. This is a far more logical sort order, as +projects already using both development releases and alphas/betas/release +candidates do not want their developmental releases sorted in +between their release candidates and their final releases. There is no +rationale for using ``dev`` releases in that position rather than +merely creating additional release candidates. -The updated sort order also means the sorting of ``dev`` versions is -now consistent between the metadata standard and the pre-existing -behaviour of ``pkg_resources`` (and hence the behaviour of current -installation tools). +The updated sort order also means the sorting of ``dev`` versions is now +consistent between the metadata standard and the pre-existing behaviour +of ``pkg_resources`` (and hence the behaviour of current installation +tools). -Making this change should make it easier for affected existing -projects to migrate to the latest version of the metadata standard. +Making this change should make it easier for affected existing projects to +migrate to the latest version of the metadata standard. Another change to the version scheme is to allow single number versions, similar to those used by non-Python projects like Mozilla -Firefox, Google Chrome and the Fedora Linux distribution. This is -actually expected to be more useful for version specifiers (allowing -things like the simple ``Requires-Python: 3`` rather than the more -convoluted ``Requires-Python: >= 3.0, < 4``), but it is easier to +Firefox, Google Chrome and the Fedora Linux distribution. This is actually +expected to be more useful for version specifiers, but it is easier to allow it for both version specifiers and release numbers, rather than splitting the two definitions. -The exclusion of leading and trailing whitespace was made explicit -after a couple of projects with version identifiers differing only in -a trailing ``\n`` character were found on PyPI. +The exclusion of leading and trailing whitespace was made explicit after +a couple of projects with version identifiers differing only in a +trailing ``\n`` character were found on PyPI. -The exclusion of major release numbers that looks like dates was -implied by the overall text of PEP 386, but not clear in the -definition of the version scheme. This exclusion has been made clear -in the definition of the release component. +The exclusion of major release numbers that look like dates was implied +by the overall text of PEP 386, but not clear in the definition of the +version scheme. This exclusion has been made clear in the definition of +the release component. -`Appendix A` shows detailed results of an analysis of PyPI -distribution version information, as collected on 19th February, 2013. -This analysis compares the behaviour of the explicitly ordered version -schemes defined in this PEP and PEP 386 with the de facto standard -defined by the behaviour of setuptools. These metrics are useful, as -the intent of both PEPs is to follow existing setuptools behaviour as -closely as is feasible, while still throwing exceptions for -unorderable versions (rather than trying to guess an appropriate order -as setuptools does). +`Appendix A` shows detailed results of an analysis of PyPI distribution +version information, as collected on 19th February, 2013. This analysis +compares the behaviour of the explicitly ordered version schemes defined in +this PEP and PEP 386 with the de facto standard defined by the behaviour +of setuptools. These metrics are useful, as the intent of both PEPs is to +follow existing setuptools behaviour as closely as is feasible, while +still throwing exceptions for unorderable versions (rather than trying +to guess an appropriate order as setuptools does). -Overall, the percentage of compatible distributions improves from -97.7% with PEP 386 to 98.7% with this PEP. While the number of -projects affected in practice was small, some of the affected projects -are in widespread use (such as Pinax and selenium). The surprising -ordering discrepancy also concerned developers and acted as an -unnecessary barrier to adoption of the new metadata standard, even for -projects that weren't directly affected. +Overall, the percentage of compatible distributions improves from 97.7% +with PEP 386 to 98.7% with this PEP. While the number of projects affected +in practice was small, some of the affected projects are in widespread use +(such as Pinax and selenium). The surprising ordering discrepancy also +concerned developers and acted as an unnecessary barrier to adoption of +the new metadata standard, even for projects that weren't directly affected. -The data also shows that the pre-release sorting discrepancies are -seen only when analysing *all* versions from PyPI, rather than when -analysing public versions. This is largely due to the fact that PyPI -normally reports only the most recent version for each project (unless -maintainers explicitly configure their project to display additional -versions). However, installers that need to satisfy detailed version -constraints often need to look at all available versions, as they may -need to retrieve an older release. +The data also shows that the pre-release sorting discrepancies are seen +only when analysing *all* versions from PyPI, rather than when analysing +public versions. This is largely due to the fact that PyPI normally reports +only the most recent version for each project (unless maintainers +explicitly configure their project to display additional versions). However, +installers that need to satisfy detailed version constraints often need +to look at all available versions, as they may need to retrieve an older +release. -Even this PEP doesn't completely eliminate the sorting differences -relative to setuptools: +Even this PEP doesn't completely eliminate the sorting differences relative +to setuptools: * Sorts differently (after translations): 38 / 28194 (0.13 %) * Sorts differently (no translations): 2 / 28194 (0.01 %) -The two remaining sort order discrepancies picked up by the analysis -are due to a pair of projects which have PyPI releases ending with a -carriage return, alongside releases with the same version number, only -*without* the trailing carriage return. +The two remaining sort order discrepancies picked up by the analysis are due +to a pair of projects which have PyPI releases ending with a carriage +return, alongside releases with the same version number, only *without* the +trailing carriage return. -The sorting discrepancies after translation relate mainly to -differences in the handling of pre-releases where the standard -mechanism is considered to be an improvement. For example, the -existing pkg_resources scheme will sort "1.1beta1" *after* "1.1b2", -whereas the suggested standard translation for "1.1beta1" is "1.1b1", -which sorts *before* "1.1b2". Similarly, the pkg_resources scheme -will sort "-dev-N" pre-releases differently from "devN" pre-releases -when they occur within the same release, while the scheme in this PEP -requires normalizing both representations to ".devN" and sorting them -by the numeric component. +The sorting discrepancies after translation relate mainly to differences +in the handling of pre-releases where the standard mechanism is considered +to be an improvement. For example, the existing pkg_resources scheme will +sort "1.1beta1" *after* "1.1b2", whereas the suggested standard translation +for "1.1beta1" is "1.1b1", which sorts *before* "1.1b2". Similarly, the +pkg_resources scheme will sort "-dev-N" pre-releases differently from +"devN" pre-releases when they occur within the same release, while the +scheme in this PEP requires normalizing both representations to ".devN" and +sorting them by the numeric component. A more opinionated description of the versioning scheme ------------------------------------------------------- -As in PEP 386, the primary focus is on codifying existing practices to -make them more amenable to automation, rather than demanding that -existing projects make non-trivial changes to their workflow. -However, the standard scheme allows significantly more flexibility -than is needed for the vast majority of simple Python packages (which -often don't even need maintenance releases - many users are happy with -needing to upgrade to a new feature release to get bug fixes). +As in PEP 386, the primary focus is on codifying existing practices to make +them more amenable to automation, rather than demanding that existing +projects make non-trivial changes to their workflow. However, the +standard scheme allows significantly more flexibility than is needed +for the vast majority of simple Python packages (which often don't even +need maintenance releases - many users are happy with needing to upgrade to a +new feature release to get bug fixes). For the benefit of novice developers, and for experienced developers wishing to better understand the various use cases, the specification @@ -969,57 +980,74 @@ now goes into much greater detail on the components of the defined version scheme, including examples of how each component may be used in practice. -The PEP also explicitly guides developers in the direction of semantic -versioning (without requiring it), and discourages the use of several -aspects of the full versioning scheme that have largely been included -in order to cover esoteric corner cases in the practices of existing -projects and in repackaging software for Linux distributions. +The PEP also explicitly guides developers in the direction of +semantic versioning (without requiring it), and discourages the use of +several aspects of the full versioning scheme that have largely been +included in order to cover esoteric corner cases in the practices of +existing projects and in repackaging software for Linux distributions. Describing version specifiers alongside the versioning scheme ------------------------------------------------------------- -The main reason to even have a standardised version scheme in the -first place is to make it easier to do reliable automated dependency -analysis. It makes more sense to describe the primary use case for -version identifiers alongside their definition. +The main reason to even have a standardised version scheme in the first place +is to make it easier to do reliable automated dependency analysis. It makes +more sense to describe the primary use case for version identifiers alongside +their definition. Changing the interpretation of version specifiers ------------------------------------------------- The previous interpretation of version specifiers made it very easy to -accidentally download a pre-release version of a dependency. This in +accidentally download a pre-release version of a dependency. This in turn made it difficult for developers to publish pre-release versions -of software to the Python Package Index, as even marking the package -as hidden wasn't enough to keep automated tools from downloading it, -and also made it harder for users to obtain the test release manually -through the main PyPI web interface. +of software to the Python Package Index, as even marking the package as +hidden wasn't enough to keep automated tools from downloading it, and also +made it harder for users to obtain the test release manually through the +main PyPI web interface. -The previous interpretation also excluded post-releases from some -version specifiers for no adequately justified reason. +The previous interpretation also excluded post-releases from some version +specifiers for no adequately justified reason. -The updated interpretation is intended to make it difficult to -accidentally accept a pre-release version as satisfying a dependency, -while allowing pre-release versions to be explicitly requested when -needed. +The updated interpretation is intended to make it difficult to accidentally +accept a pre-release version as satisfying a dependency, while allowing +pre-release versions to be explicitly requested when needed. The "some forward compatibility assumed" default version constraint is -taken directly from the Ruby community's "pessimistic version -constraint" operator [2]_ to allow projects to take a cautious -approach to forward compatibility promises, while still easily setting -a minimum required version for their dependencies. It is made the -default behaviour rather than needing a separate operator in order to -explicitly discourage overspecification of dependencies by library -developers. The explicit comparison operators remain available to cope -with dependencies with unreliable or non-existent backwards -compatibility policies, as well as for legitimate use cases related to -deployment of integrated applications. +taken directly from the Ruby community's "pessimistic version constraint" +operator [2]_ to allow projects to take a cautious approach to forward +compatibility promises, while still easily setting a minimum required +version for their dependencies. It is made the default behaviour rather +than needing a separate operator in order to explicitly discourage +overspecification of dependencies by library developers. The explicit +comparison operators remain available to cope with dependencies with +unreliable or non-existent backwards compatibility policies, as well +as for legitimate use cases related to deployment of integrated applications. -The two kinds of version matching (strict and prefix based) were -separated to make it possible to sensibly define the compatible -release clauses and the desired pre-release handling semantics for -``<`` and ``>`` ordered comparison clauses. +The optional explicit spelling of the compatible release clause (``~=``) is +inspired by the Ruby (``~>``) and PHP (``~``) equivalents. It is defined +in order to allow easier conversion to the legacy ``pkg_resources`` version +specifier format (which omits the parentheses, but requires a comparison +operator). + +Further improvements are also planned to the handling of parallel +installation of multiple versions of the same library, but these will +depend on updates to the installation database definition along with +improved tools for dynamic path manipulation. + +The trailing wildcard syntax to request prefix based version matching was +added to make it possible to sensibly define both compatible release clauses +and the desired pre-release handling semantics for ``<`` and ``>`` ordered +comparison clauses. + +Build references are added for two purposes. In conjunction with build +labels, they allow hash based references, such as those employed by +`hashdist `__, +or generated from version control. In conjunction with build URLs, they +allow the new metadata standard to natively support an existing feature of +``pip``, which allows arbitrary URLs like +``file:///localbuilds/exampledist-1.0-py33-none-any.whl``. References @@ -1028,18 +1056,18 @@ References The initial attempt at a standardised version scheme, along with the justifications for needing such a standard can be found in PEP 386. -.. [1] Version compatibility analysis script - (http://hg.python.org/peps/file/default/pep-0426/pepsort.py) +.. [1] Version compatibility analysis script: + http://hg.python.org/peps/file/default/pep-0426/pepsort.py .. [2] Pessimistic version constraint - (http://docs.rubygems.org/read/chapter/16) + http://docs.rubygems.org/read/chapter/16 Appendix A ========== -Metadata v2.0 guidelines versus setuptools (note that this analysis -was run when this PEP was still embedded as part of PEP 426):: +Metadata v2.0 guidelines versus setuptools (note that this analysis was +run when this PEP was still embedded as part of PEP 426):: $ ./pepsort.py Comparing PEP 426 version sort to setuptools. @@ -1110,7 +1138,6 @@ Copyright This document has been placed in the public domain. - .. Local Variables: mode: indented-text