PEP 694: Address additional feedback #4549
* Require that `name` conform to the normalization rules, and include a link
* Require that `version` conform to the version specs, and include a link
* RFC 3399 instead of ISO 8601 as the timestamp spec. The RFC is a simpler format that subsets the ISO standard, and is more appropriate to our use case.
* Adjust the gentoken() algorithm to be more resistant to tomfoolery. This may still change.
* Require `filename` to conform to either the source or binary distribution file name convention, and include links
* The addition of the ``Location`` header is now a **MUST**, and better worded to indicate that it can be polled in the case of a ``202 Accepted``.
* Added a couple of **FIXME** tags to address removal of nonce and fleshing out the ``Errors`` section. See URLs in the text. DO NOT PROMOTE FROM DRAFT UNTIL THIS IS DONE.
* Reformatted some text.
Based on discussions here: https://discuss.python.org/t/pep-694-pypi-upload-api-2-0-round-2/101483/22 clients no longer supply a nonce to influence the session token and stage URL. The calculation of these is left to the index, but language is added that if provided, they must be cryptographically unguessable, and it must be possible to calculate the stage URL from the session token.
I think this branch is ready for review, based on feedback from the DPO thread.
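The description above says the index now computes both the session token and the stage URL, that they must be cryptographically unguessable, and that the stage URL must be derivable from the session token. The following is an added illustration of one way an index could meet those three requirements; it is not text from PEP 694, not the PEP's `gentoken()` algorithm, and not code from the peps repository. Everything in it is an assumption for the example: the index base URL, the `/stage/<token>` layout, the 32-byte token size, and the `SessionStore` class.

```python
"""
Added illustration of session-token and stage-URL handling for an upload index.
Assumptions (not from PEP 694): the token is 32 bytes from the OS CSPRNG encoded
as URL-safe base64, the stage URL is "<index base>/stage/<token>", and the index
stores only a SHA-256 digest of each live token.  INDEX_BASE, SessionStore and
the function names are hypothetical.
"""
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlsplit

INDEX_BASE = "https://index.example/publish"  # hypothetical index base URL
TOKEN_BYTES = 32                               # 256 bits of entropy per token


def new_session_token() -> str:
    # secrets.token_urlsafe() draws from the OS CSPRNG, so a token cannot be
    # predicted from earlier tokens or from anything the client supplied.
    return secrets.token_urlsafe(TOKEN_BYTES)


def stage_url(token: str) -> str:
    # Deterministic derivation: a client holding the token can compute the
    # stage URL with no extra round trip and no server-side secret.
    return f"{INDEX_BASE}/stage/{token}"


def token_from_stage_url(url: str) -> Optional[str]:
    # Inverse mapping used when a request arrives at a stage URL.  Scheme and
    # host must match the index, and the token is the single trailing segment.
    base = urlsplit(INDEX_BASE)
    parts = urlsplit(url)
    prefix = base.path + "/stage/"
    if parts.scheme != base.scheme or parts.netloc != base.netloc:
        return None
    if not parts.path.startswith(prefix):
        return None
    token = parts.path[len(prefix):]
    return token if token and "/" not in token else None


def _digest(token: str) -> str:
    # The index keeps only a hash of the bearer token; a leaked session table
    # then does not hand out usable tokens.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    """In-memory stand-in for the index's session table (constructed for the example)."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, name: str, version: str):
        # Returns the token (to be sent to the client once) and the stage URL.
        token = new_session_token()
        self._sessions[_digest(token)] = {"name": name, "version": version, "files": []}
        return token, stage_url(token)

    def lookup(self, presented: str) -> Optional[dict]:
        # Lookup is by digest, so request timing does not depend on how many
        # leading characters of a guessed token happened to be right.
        return self._sessions.get(_digest(presented))


if __name__ == "__main__":
    store = SessionStore()
    token, url = store.create("sampleproject", "0.0.0a0")
    print("stage URL:", url)
    print("session for token:", store.lookup(token))
    print("unknown token:", store.lookup("guess"))
```

The point of the digest-keyed store is that the only copy of the token in clear is the one handed to the client; the stage URL carries the token, so the same token check authorises both the session-level and stage-level requests.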
you can simply use the placeholder version number ``"0.0.0"``.
To do this, :ref:`create a new publishing session <publishing-session-create>`, then :ref:`publish the session
<publishing-session-completion>` without uploading any files. While the ``version`` key is required in the
JSON body of the create session request, you can simply use the placeholder version number ``"0.0.0"``.
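Review bot: the placeholder ``"0.0.0"`` in the last line of this region is a release version a project may later want to publish for real, so the text should name a version unlikely to be used in practice (a pre-release such as ``"0.0.0a0"``, as proposed in this thread) and state whether the placeholder is consumed by the name reservation or remains available for a later upload.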
Sorry that I didn't notice this before, but is "0.0.0" somewhat special here?
Not really. It could be anything, but I think 0.0.0a0 would be better since that's unlikely to ever be used in practice. It's essentially equivalent to uploading a v0.0.0a0 empty package (metadata only) to reserve a name, which is a practice we use, although things get a little more complicated if you want an org to own the name. You essentially cannot do that programmatically, and must use the web UI. I have an idea for how to add that to PEP 694 in an index-specific way, which I'll soon update the PEP to describe.
Proposed change:

To do this, :ref:`create a new publishing session <publishing-session-create>`, then :ref:`publish the session <publishing-session-completion>` without uploading any files. While the ``version`` key is required in the JSON body of the create session request, you can simply use a placeholder version number such as ``"0.0.0a0"``.
WFM. Perhaps worth noting whether you will be able to use this version in the future or not.
That's a great question. I think not, given that the scenario described includes no uploaded artifacts. It's simply a name reservation. I don't want to make ``version`` optional or add a different workflow just for name reservation, although we could do that in the future.
📚 Documentation preview 📚: https://pep-previews--4549.org.readthedocs.build/