Support for legacy register API

[di]

Currently, the legacy API provided by Warehouse does not include the ability provided by pypi-legacy to register a package name, giving a "410 Client Error: This API is no longer supported" message.

Instead, it prefers to register the package the first time a release is uploaded. Thus, it's not actually necessary to register a package name at all before attempting to make an initial release.

There are a few open issues elsewhere as a result of this:

• "410 Client Error: This API is no longer supported" during twine register pypa/twine#200
• Documentation contains an obsolete link pypa/twine#214
• Register using twine fails if following the guide pypa/packaging.python.org#263
• Remove "twine register" reference in distributing.rst pypa/packaging.python.org#271
• http://stackoverflow.com/questions/40022710/how-am-i-supposed-to-register-a-package-to-pypi

We currently have a stale PR which was attempting to add back the legacy register API: #1418

However, I see some advantages to continuing to not support this aspect of the API, namely because it's continued existence:

• Enables name squatting;
• Creates the edge case of how to display a registered package with no release (404 for registered package with no release #1388);
• Causes the occasional support request to release an unmaintained package with no releases.

And in addition, as the current Warehouse API shows, it's seemingly unnecessary.

Should we add support for legacy-style registration?

• If so, we should get WIP: Add support for legacy Register API #1418 fixed and merged;
• If not, we should update the user guide and/or twine, because it's causing confusion.

[dstufft]

I don't have a strong feeling one way or another.

I disabled it because I didn't feel a need to implement it since it's not really required and ideally people register releases by uploading projects (this will become more explicit I hope in a Upload API 2.0 which will extract details from the files that get uploaded themselves instead of along side the file).

That being said, none of my arguments against it are particularly compelling, the code to handle this is basically already written within the file upload API, that would just need to be extracted and generalized (one difference between file upload and register is that file upload only creates/updates the release if one doesn't exist, whereas register always creates/updates the release).

As an aside, this doesn't really contribute to registered packages with no releases, since it still registers a release. If we want to get rid of that particular edge case we would need to either disallow deleting the last/only release of a project or implement it so that deleting the last/only release of a project implies deletion of the entire project.

What this does enable though is for people to accidentally not upload their files but still seemingly get a release. A problem that will be less obvious in Warehouse since we purposely de-emphasize the list of files that have been uploaded by hiding them behind a tab.

[dstufft]

It might be worthwhile to poke distutils-sig to see if there is some major use case for the register functionality that I'm not remembering.

[kennethreitz]

I like this API for two reasons:

1. Name squatting :)
2. Fixing RST easily.

[ncoghlan]

Chiming in to say that I consider this a required feature, since it lets you upload the draft metadata for your first release as soon as you have a package defined (e.g. https://pypi.python.org/pypi/leappto ), even if you don't consider it to be releasable yet.

Without that, there's a potentially big time window between "good enough for GitHub" (where you're still just changing things arbitrarily without ever formally bumping the version number) and "good enough for PyPI" (where you've reached a point where you're happy to incur the additional overheads of actually pushing real releases to PyPI).

Beyond that, there are also cases where you have a reasonable claim to a name (e.g. trademarks, popular project not available through PyPI, import package name actually installed as part of a different distribution package), and want to register it yourself to avoid potential conflicts (whether inadvertent or otherwise).

[ncoghlan]

Based on the discussion starting from pypa/packaging.python.org#271 (comment) I have an updated preference here: I now think
twine register should be emulated as a no-op in Warehouse, specifically so that the following sequence of commands works the same way with both service implementations:

twine register ...
twine upload ...

The fact that in Warehouse the register is a no-op and all the work takes place in upload would then be a service implementation detail, rather than the externally visible client-breaking API discrepancy that it is now.

Once the legacy service has been decommissioned and private index servers are also following the twine behaviour of doing all the work in upload, then client scripts can start dropping the now redundant register step.

If support for pre-registration were to be added back in at some future date, it would be as a new command (e.g. twine reserve, as suggested by @dstufft), and come with related changes to the data model that allowed projects to have a provisional existence independent of any particular release.

[ncoghlan]

@dstufft raised the objection on the related PyPUG PR that silently doing nothing and then saying you did something is a major API design flaw, and while I agree in the general case, I think it's legitimate in this case due to the following:

• in the twine register && twine upload case, folks won't even notice the difference, since the requested work just moves around between the steps, rather than the total work changing
• for the standalone twine register case, folks checking for their registration on PyPI will still see that the registration didn't happen, even though twine claimed it worked. That means the error report is a debugging aid, rather than the sole indication that something unexpected may have happened.

Breaking the common case (register+upload) solely in order to make it easier to debug automation that is affected by a deliberately breaking change to the rare case (standalone register) seems like a bad design trade-off to me.

There are also mitigations that could be put in place to attempt to alert people to their now-redundant use of register through other means:

1. Add a warning that the command is now redundant to the twine client, rather than trying to provide the warning/error from the server
2. Send users an email when standalone register is used. Their automation won't break, but they'll potentially spam themselves.
3. Add a notification somewhere in the maintainer UI. Awkward, since my understanding is that many of those pages aren't in Warehouse yet, so folks instead use the legacy service, and folks with automated package management may never look at those pages anyway.
4. Add a fortnightly opt-out "Your PyPI projects" status report, and use it to notify people when their automation is using deprecated endpoints like register

While 4 might be interesting long term, I think option 1 (the client-side warning) would be the most pragmatic of those options.

[dstufft]

Before we go one way or another here, I would be interested in what @sigmavirus24's opinion is on whether Warehouse should:

A) Continue to not support the register API, meaning that twine register will always be broken on Warehouse (suggesting it should probable be deprecated and removed).
B) Support it as a no-op, which will make the command appear to work, but not actually do anything.
C) Just fully support it even though I think it is a bad feature and would rather not have it continue existing, possibly deprecating it in the future (for more discussion, view pypa/packaging.python.org#271 (comment)).

My personal preference here is (A), and then maybe implement twine reserve at some point, however I wanted to poke @sigmavirus24 because since he's maintaining twine, he's getting (and is likely to continue to get) most of the support requests for people confused by this issue.

[dstufft]

I'm going to close this, after talking it over with @sigmavirus24 and thinking about it, the path forward we're going to go is where we are now. Having the API removed in Warehouse with a possible enhancement of a pre-reservation API.