Deprecate non-PEP 625 sdist support? #13677
Description
What's the problem this feature will solve?
Hello pip maintainers!
TL;DR: I'd like to propose removing support for non-PEP 625 source distributions, as part of aligning pip (and other standard packaging infrastructure) with the packaging PEPs/living PyPA standards.
This would be a nontrivial change, and so I imagine it would require a full (and long) deprecation cycle. I've put some notes below about how I think this could be done gracefully to avoid breakage against the majority of packages currently on PyPI (which potentially have a long tail of non-PEP 625 conformance).
For additional context:
- PyPI has fully supported PEP 625 as of this past October: Support PEP 625 (Filename of a Source Distribution) pypi/warehouse#12245
Describe the solution you'd like
I'd like pip to (eventually) reject sdists that don't conform to PEP 625. That means:
- No more support for non-standard sdist archive forms (zips,
.tar.xz, etc). - Enforcing that the
{distribution}is encoded per 625 (which stipulates normalization like in the wheel spec) - Enforcing that the
{version}is a valid and normalized PEP 440 version.
These requirements are tracked in the living version of PEP 625 as well:
One significant hangup with this is the long tail of sdists on PyPI that aren't necessarily conformant: a significant number of users install via sdists, and a lot of sdists either predate PEP 625 or were uploaded to PyPI before strict enforcement.
Given that, I think a staggered deprecation cycle probably makes sense here. At a high-level (these specific timeframes may not make sense):
- Begin emitting deprecation warnings for all sdists that don't match PEP 625
- 12+ months: begin rejecting sdists that aren't valid tar+gz tarballs
- 24+ months: begin rejecting sdists that don't have valid
{distribution}-{version}schemes
The rationale for the above is that non-tar+gz sdists are probably much less common than ones with non-normalized names/versions, so it's probably fine to reject them sooner. I intend to run some statistics on a public dump of PyPI to confirm that.
Separately, it probably makes sense to have some kind of escape hatch for this behavior, e.g. for integrators who have archives that are sdist-shaped but can't be given PEP 625 filenames for whatever reason. Something like pip install --allow-invalid-sdist-name ... perhaps (that's probably not a good name, but just to show the idea).
Alternative Solutions
One alternative solution is to do nothing 🙂 -- on a basic level non-conforming sdists aren't a "big deal," since an sdist is just an archive with a build script. However, insofar as conformance with the PEPs/living PyPA standards is a long term goal for Python packaging, I think aiming to conform with this one is a good idea!
Another alternative solution is to only go part-ways here: instead of hard-rejecting invalid sdists, pip could choose to emit a warning instead (and never hard-reject). The upside to this is stability; the downside is that users will probably mostly ignore the warning.
Additional context
This piqued my interest because of astral-sh/uv#16911 -- uv (like pip) currently supports .tar.xz as well as xz-in-ZIP, despite neither being a standard-conformant distribution representation (for either sdists or wheels).
Code of Conduct
- I agree to follow the PSF Code of Conduct.