-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] tool.setuptools.license-files
results in invalid metadata
#4759
Comments
This is a well-known case of an early implementation of a PEP 639 draft. Right now tools are equipped to accept this variation. In time it will be fixed. But not immediately, due to effort constraints and release scheduling (we are in the process of implementing previous versions of metadata first). Probably we can close this as a "kind of duplicate" of the request to implement PEP 639. |
What I am trying to say is that tools are not equipped to accept this variation. |
@dnicolodi Is right here. The What I'm uncertain about is the solution. Sure, we can remove the |
I was thinking that twine/PyPI/pip have been accepting Just to emphasize that we are going to tackle this problem in time (btw, thanks @cdce8p for the PRs). But before that we will implement metadata version 2.3 (I just got a review recently on one of the PRs necessary for 2.3, but this week I don't have the time to delve into it). Meanwhile, my strong preference is to not change anything that has been in place for the last 2 or 3 years. If you need the process core metadata using |
I am not very familiar with all the consumers of package metadata. I have the impression that there are several tools using different approaches for metadata parsing and validation. Only relatively recently Indeed, I bumped into the issue with I was under the impression that PyPI implements validation of the distribution files metadata, but if it does, the validation is not very strict. What is validated strictly is the form data that is sent alongside the distribution files. That can be tweaked as needed to support the metadata emitted by existing setuptools releases. pip is most likely the most permissive consumer of metadata, thus I don't expect it to do any validation. I don't see any reason to change setuptools to fix this issue straight away. I filed this issue to make sure that you are aware of it. Because, as I wrote above, metadata parsing has not been very strict so far, it could have been that you are not aware of it. |
Thank you very much @dnicolodi. One thing that would help a lot is if |
meson-python and scikit-core (and possibly other build backends) use pytproject-metadata https://github.com/pypa/pyproject-metadata/ for translating There is some work toward incorporating pyproject-metadata into packaging pypa/packaging#846 pypa/packaging#847 On the other hand, I like that there are more that one implementation of the standard: that makes it easier to ensure that the only implementation does not diverge from the standard and avoids such implementation, bugs included, to become the de-facto standard. We were in that situation before PEP 517 and PEP 621, and we are still cleaning up the mess... 🙂 |
PyPI uses Saw the commit from @dnicolodi on the packaging PR: dnicolodi/twine@ab3bf7d. All considered, that's probably the most practical solution here.
Sorry in advance if I'm a bit annoying here. I can understand your position, but wouldn't fully agree with it. We can do more even before we implement metadata version
Why am I pushing for these changes? For Home Assistant we use a script to try to validate the licenses of all requirements and tbh it's just a mess. Some packages use the outdated classifiers, some custom license strings and others the full license in the metadata. I'm prepared to open PRs for some of these dependencies but it only really makes sense if I can use the final |
AFAIU However, |
Can you point me to more information regarding this? I was under the impression that |
You're right. I only checked the packaging call
For
AFAIK you can overwrite the The last comment on discuss I saw was
|
Hi guys, I understand the urgency of the topic, but I am also very conscious that we need to move very carefully to avoid breaking the ecosystem all at once. In the past we had a lot of bad experiences with botched releases, so I am trying to take the most conservative approach possible (and even with that it is possible there will be problems). The good thing is that we have most of the pieces already in place (thanks again for the PRs). We now need to coordinate to release them, collect feedback and fix if things are broken. My preference is to do things step by step and wait one week or so between steps to receive feedback of early adopters on edge cases (of course respecting the holiday season coming ahead and the times of all collaborations, so probably longer than that). I suggest the following:
I think that step 2 is going to be trivial to support, once we concede that we don't have to worry to much about the pypa/packaging#845 and treat it as a temporary bug. Footnotes
|
One last post from me and then I'll shut up and respect your decision :)
Absolutely! The only thing our opinions differ I believe is in the risk these PRs actually pose. What I'm trying to say is it's quite small and we can safely do it now. Let me explain
Doing these now would provide valuable feedback way before we'd consider moving to |
I don't want to influence the pace of introduction of new features in any way (egoistically I would like support for metadata 2.4 to land as soon as possible to be able to use it in my projects, but it would only be something nice to have) so this should not be read as supporting one position or the other, but I would like to point out that pyproject-metadata and thus meson-python have taken the approach of emitting metadata where the metadata version is set to what is required to represent faithfully the user input, namely the content of meson-python does not support any dynamic metadata fields, thus for it this means either metadata version 2.2 or 2.4. The latter is used only when I think this is the only way to proceed as pre PEP 639 and post PEP 639 license declaration formats are not compatible with each other, thus emitting metadata version 2.4 with a These PRs have more details pypa/pyproject-metadata#132 pypa/pyproject-metadata#206 |
I'm proposing the reverse: Emitting the current core metadata That approach works fine for |
I don't understand what the advantage of doing this is. IIUC, your goal is to move as fast as possible to have packages with PEP 639 metadata. However, with this approach, having packages with PEP 639 license metadata will require two releases of the packages involved: one that updated the metadata fields in The cost of doing this is not only the two releases, but also that between the two releases the involved packages will not have clear license information displayed on PyPI. IIRC, PEP 639 forbids having classifiers indicating the package license while using the |
Correct.
Updating packages always takes time. What can be optimized though is developer time. I can either fix / convert all wrong licenses to SPDX expressions now and do a second pass to convert To give an example, Just for Home Assistant, I currently track over 650 packages with inaccurate license data, no SPDX expression in either the
Not entirely. PyPI can handle all case. This is with both classifier and (old) license metadata 1 and here an example with only the (old) license metadata, but still a valid SPDX expression. 2
No, build tools MAY raise an error if a license classifier is present.3 PyPI must only reject uploads with both Footnotes |
Can't upload to PyPI using uv+setuptools until pypa/setuptools#4759 is solved, so switch to hatchling
…ue to setuptools metadata version drift See pypa/setuptools#4759
Works around pypa/setuptools#4759 by excluding license files entirely, and instead relying on getting that information from trove classifiers. This fix isn't great, but will probably be overwritten very soon by cookiecutter-snekpack switching over to uv's build backend.
Can't upload to PyPI using uv+setuptools until pypa/setuptools#4759 is solved, so switch to hatchling
I've just seen a pointer to this issue, and while I don't want to dispute the decision (IMO it's up to the setuptools maintainers to decide what's best for their users) I do want to raise a note of caution regarding the following comment from earlier in the thread:
Technically, the core metadata specification does not allow additional fields not covered by the spec - the initial paragraph says
So "early implementation" of new fields is a violation of that. While tools will often follow the "be lenient in what you consume and strict in what you produce" principle (not least because of the poor state of some historical metadata in PyPI packages) there is a risk (as we found out here) that probems could arise. The license metadata situation was (IMO) somewhat special, given that the need for a better standard was significant, and the PEP took an extremely long time to complete with very little substantial change for most of that period. But I don't think it's a good precedent to follow for future metadata field additions. |
setuptools version
setuptools==74.1.2
Python version
Python 3.13
OS
any
Additional environment information
No response
Description
If any of the the glob patterns specified in
tool.setuptools.license-files
matches a file in the package, setuptools generates invalid metadata: it includes aLicense-File
field while specifyingMetadata-Version
to be2.1
. This is invalid andpackaging
raises an exception while parsing the metadata. This likely results in the resulting distributions to not be accepted by PyPI.Because
tool.setuptools.license-files
has a default value of['LICEN[CS]E*', 'COPYING*', 'NOTICE*', 'AUTHORS*']
the problem can be encountered also in packages that do not explicitly set this field inpyproject.toml
but happen to have a file matching the default glob pattern.Expected behavior
Do not emit the
License-File
field or do it and specifyMetadata-Version: 2.4
as per PEP 639.How to Reproduce
Here is a short reproducer:
Output
The text was updated successfully, but these errors were encountered: