Conversation
It can happen that the filename and the dist-info `WHEEL` file mismatch, either because the author manually changed the wheel filename, or due to a bug in the build backend implementation. This caused a number of bugs in uv, which expected the `WHEEL` file to contain accurate tags in the basic `Key: Value` format: * astral-sh/uv#2149 * astral-sh/uv#6615 * astral-sh/uv#15832 * astral-sh/uv#16581 * astral-sh/uv#16823 Another notable example is ziglang/zig-pypi#40, where the author wasn't aware of the expanded tags requirement. This PR adds validation that enforces the basic `Key: Value` format, that the tags in the `WHEEL` file are expanded and that the tags match.
|
Just want to say, I think I would like this to eventually land in pypa/packaging#1009 instead, but since progress has (admittedly) been slow there, I have no problems adding support here first. |
|
For some context on the impact here, uv is basically a |
|
Here's the results for the first 50k projects from a hacky script that check the latest release for all projects: https://gist.github.com/konstin/755aead7facf690efb476b90ecee8fe7. I've split them into maturin and non-maturin, since maturin produces a lot of wheels and has since been fixed. I'll update it when i got a full run. |
|
@konstin for impact analysis reporting - something that would help contextualize the impact of this change would be adding the file's date to the output, CSV-style - so that these could be inspected relatively easily. |
Yes, thanks! |
|
Thanks @konstin - I was looking to generate some idea of how much this may impact existing upload / builders. Here's a chart where I only look at the past couple of years of uploads in the data you furnished:
Those numbers aren't as low as I'd hope/expect them to be. Slicing another way, it looks like maturin is the biggest contributor to the issue, with over 87% of all problematic uploads in the past year attributed to this generator.
... Looks like something was fixed, since the most recent error is up to maturin v1.9.6, but looks like a lot of folks are still using it, but there's a path forward for those users - upgrade maturin and keep going? For setuptools, the most recent release of 82.0.0 is reporting similar behavior - one example: https://pypi.org/project/OpenGeode-core/15.31.4rc1/#opengeode_core-15.31.4rc1-cp310-cp310-manylinux_2_28_x86_64.whl Do those users have a path forward with their tool of choice? Or will their upload be rejected without a path forward with their chosen tool? Generally speaking the code changes are fine, I'm just worried that if we ship this without having a clear answer for users impacted, it will increase failures and end user confusion. |
|
For maturin you can update, the releases should be highly compatible (at least I'm not aware of any blockers to upgrading from the issue tracker). It's kinda embarrassing that this went uncaught for so long. For the other cases, I'm not clear on whether they are actually build system bugs, or if people are manually renaming wheels and aren't are that they also have to update the |
heh, we try our best 😉
Yeah, that would make sense - if the tool generates one thing and the publishing process renames files, that would probably lead to this mismatch. So what can we offer folks in the way of understanding the problem and resolving it? Do we need to have a Pinned Issue here for a while, improve the messaging they receive from an upload failure, or something else? |
|
At least in the example provided for opengeode-core it appears to be renaming of files post build: 
I think its good to be cautious, but we cannot debug everyones builds for them preemptively. Perhaps we could have a brief window where we notify people that their builds are bad? |
|
Seems to me like this should have a deprecation period with notification via email before it becomes an outright block. |
These both seem reasonable, but I'm also curious about the infrequent publisher who hasn't published in the deprecation window hitting this would experience. Say they only publish a new version once a year. In my mind, having a GH Issue with a "you hit this error during publishing, here's a few things you can explore to resolve, like upgrade maturin past x version, stop renaming files, etc" and link the issue in the error message provides a longer-term solution that folks can use when they hit this condition to self-resolve. |
5 participants
It can happen that the filename and the dist-info
WHEELfile mismatch, either because the author manually changed the wheel filename, or due to a bug in the build backend implementation.This caused a number of bugs in uv and pip, which expected the
WHEELfile to contain accurate tags in the basicKey: Valueformat:ziglangastral-sh/uv#6615Another notable example is ziglang/zig-pypi#40, where the author wasn't aware of the expanded tags requirement.
This PR adds validation that enforces the basic
Key: Valueformat, that the tags in theWHEELfile are expanded and that the tags match.Speaking of ziglang/zig-pypi#40, pypi/support#8180 would really valuable to have, zig is an important part of the toolchain of building manylinux-compliant python packages using rust.