[{"id":"36666933672","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":699532645,"name":"astral-sh/uv","url":"https://api.github.com/repos/astral-sh/uv"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/astral-sh/uv/issues/1595","repository_url":"https://api.github.com/repos/astral-sh/uv","labels_url":"https://api.github.com/repos/astral-sh/uv/issues/1595/labels{/name}","comments_url":"https://api.github.com/repos/astral-sh/uv/issues/1595/comments","events_url":"https://api.github.com/repos/astral-sh/uv/issues/1595/events","html_url":"https://github.com/astral-sh/uv/issues/1595","id":2140180781,"node_id":"I_kwDOKbIFZc5_kJEt","number":1595,"title":"`uv pip compile` does not include extras in output","user":{"login":"palfrey","id":38532,"node_id":"MDQ6VXNlcjM4NTMy","avatar_url":"https://avatars.githubusercontent.com/u/38532?v=4","gravatar_id":"","url":"https://api.github.com/users/palfrey","html_url":"https://github.com/palfrey","followers_url":"https://api.github.com/users/palfrey/followers","following_url":"https://api.github.com/users/palfrey/following{/other_user}","gists_url":"https://api.github.com/users/palfrey/gists{/gist_id}","starred_url":"https://api.github.com/users/palfrey/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/palfrey/subscriptions","organizations_url":"https://api.github.com/users/palfrey/orgs","repos_url":"https://api.github.com/users/palfrey/repos","events_url":"https://api.github.com/users/palfrey/events{/privacy}","received_events_url":"https://api.github.com/users/palfrey/received_events","type":"User","site_admin":false},"labels":[{"id":6573048010,"node_id":"LA_kwDOKbIFZc8AAAABh8jAyg","url":"https://api.github.com/repos/astral-sh/uv/labels/needs-decision","name":"needs-decision","color":"f095cd","default":false,"
description":"Undecided if this should be done"}],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":6,"created_at":"2024-02-17T15:14:40Z","updated_at":"2024-03-19T02:00:28Z","closed_at":null,"author_association":"NONE","active_lock_reason":null,"body":"If for example you run `echo \"celery[redis]\" | uv pip compile -` then the `redis` extra is correctly picked up and the extra requirements added to the output. However, the output will contain something like `celery==5.3.6`, not `celery[redis]==5.3.6` and pip-compile does the latter.\r\n\r\nuv: 0.1.3","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/1595/reactions","total_count":7,"+1":7,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/astral-sh/uv/issues/1595/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/2005604347","html_url":"https://github.com/astral-sh/uv/issues/1595#issuecomment-2005604347","issue_url":"https://api.github.com/repos/astral-sh/uv/issues/1595","id":2005604347,"node_id":"IC_kwDOKbIFZc53ixf7","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https:
//api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-03-19T02:00:26Z","updated_at":"2024-03-19T02:00:26Z","author_association":"NONE","body":"One datapoint from me:\r\n[`rules_python`](https://github.com/bazelbuild/rules_python) (a set of bazel build rules for python), presently supports `pip-tools compiled` lockfiles and it relies on the extras format for constructing the transitive dependency graph. It's possible we will eventually migrate to other formats (or a standard lockfile if that ever materializes), but in the interim, we would be unable to support `uv` users (or even directly integrate with `uv`) without a flag to enable these extra annotations. From a rules_python maintainer POV, we don't mind if they're stripped by default, but it would help a lot of existing users if they could use `--no-strip-extras` to continue using their locking workflows with bazel, while swapping to `uv` instead of `pip-tools`.","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/2005604347/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-03-19T02:00:28Z","org":{"id":115962839,"login":"astral-sh","gravatar_id":"","url":"https://api.github.com/orgs/astral-sh","avatar_url":"https://avatars.githubusercontent.com/u/115962839?"}},{"id":"36615514532","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":699532645,"name":"astral-sh/uv","url":"https://api.github.com/repos/astral-sh/uv"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/astral-sh/uv/issues/1530","repository_url":"https://api.github.com/repos/astral-sh/uv","labels_url":"https://api.github.com/repos/astral-sh/uv/issues/1530/label
s{/name}","comments_url":"https://api.github.com/repos/astral-sh/uv/issues/1530/comments","events_url":"https://api.github.com/repos/astral-sh/uv/issues/1530/events","html_url":"https://github.com/astral-sh/uv/issues/1530","id":2139283254,"node_id":"I_kwDOKbIFZc5_gt82","number":1530,"title":"`uv pip compile` updates hashes in lockfile without `--upgrade`","user":{"login":"hauntsaninja","id":12621235,"node_id":"MDQ6VXNlcjEyNjIxMjM1","avatar_url":"https://avatars.githubusercontent.com/u/12621235?v=4","gravatar_id":"","url":"https://api.github.com/users/hauntsaninja","html_url":"https://github.com/hauntsaninja","followers_url":"https://api.github.com/users/hauntsaninja/followers","following_url":"https://api.github.com/users/hauntsaninja/following{/other_user}","gists_url":"https://api.github.com/users/hauntsaninja/gists{/gist_id}","starred_url":"https://api.github.com/users/hauntsaninja/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/hauntsaninja/subscriptions","organizations_url":"https://api.github.com/users/hauntsaninja/orgs","repos_url":"https://api.github.com/users/hauntsaninja/repos","events_url":"https://api.github.com/users/hauntsaninja/events{/privacy}","received_events_url":"https://api.github.com/users/hauntsaninja/received_events","type":"User","site_admin":false},"labels":[],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":1,"created_at":"2024-02-16T19:25:30Z","updated_at":"2024-03-17T01:48:36Z","closed_at":null,"author_association":"CONTRIBUTOR","active_lock_reason":null,"body":"pip-compile does not do this. 
I think this also undermines one of the two main security benefits of hashes in lock files (that it helps with the fact PyPI releases are open-ended)\r\n\r\nRepro details:\r\n\r\n\r\n\r\nr.in\r\n```\r\npyzstd==0.15.9\r\n```\r\nr.txt\r\n```\r\npyzstd==0.15.9 \\\r\n --hash=sha256:00c188704141c709da96cc4a79f058d51f5318e839d6f904c7cc9badcf78e98e \\\r\n --hash=sha256:013321ddaff083b24e43a8b06303446771978343b488ed73adf56c70a46e2783 \\\r\n --hash=sha256:0a4334e972109bdd17fb40dbdd9fcca6137648cab416fca505a2dcd186f50533 \\\r\n --hash=sha256:12668ceb8329aaa908b4d907d3a77bb748ff28b309c3b105c995a8715d535d2b \\\r\n --hash=sha256:14121a4d95070f54bdc9a80dab1dd8fd9093907a1e687926447ca69b5b40a4d5 \\\r\n --hash=sha256:1b9cda5314982d64c856f9298be0d9bf69fbff0ca514d1651037616354b473ff \\\r\n --hash=sha256:1cbf212253abd65e6451acdfb608adafe98ad8f05462fb9a054ddab816545caa \\\r\n --hash=sha256:1dbe76b6d8fe75f6dbec24793fc07b1d1ae9464de9941138d5b9668f7670e6b0 \\\r\n --hash=sha256:209a92fbe892bd69cde58ffcb4861468e2c3c2d0626763e16e122bb55cb1fb1a \\\r\n --hash=sha256:20f2dd56d46441cd9277077060c34c0b9ce3469412665ea5ccd506dd2708d994 \\\r\n --hash=sha256:23695dabdfd5081beab25754dc0105b42fbd2085a7c293901bcb45045969c5ec \\\r\n --hash=sha256:250dad90140a6faea4cef555f339b6ceaad5cf03ed1127b8d06de214ff0db2e7 \\\r\n --hash=sha256:289e25871fe232d2482c0985a75a1faa7c92e10a6c3e3914d165f62d005d0aa6 \\\r\n --hash=sha256:2919afd114fd12309ed2f831ef6e95730ebf13c2a92d258ad055769d00ef4d7a \\\r\n --hash=sha256:29e452caaf0de9cc17319225921d8c28cdc7a879948e990ff1e7735e7f976517 \\\r\n --hash=sha256:305c232462dbe80d0ee5ec91b1b0ec9153ec6ba6393d5348741af5d30b07ef52 \\\r\n --hash=sha256:31f60f01884350aec24e7a68f3ad089151b7a636490203c41a1a7c8e0cddd9b8 \\\r\n --hash=sha256:3351ad2feb51dcbb936defd47cab00d6f114214f224636503ed08298f30164c9 \\\r\n --hash=sha256:346f835e368e1051f8ea187ad9b49759cf6249c9ebf2f2a3861e435a568104b8 \\\r\n --hash=sha256:370b34a7c2f9c53cee494028daa5a7264690e1756a89c3855fd0be5ad298ec30 \\\r\n 
--hash=sha256:3a26df749589d898cd3253d2139eb85b867ddffc49286059c8bdb3cb9ce9b545 \\\r\n --hash=sha256:3bc0e7e2cccf78e562ab416daf68448b6552a5b6450a1ff3e15cabfc19254883 \\\r\n --hash=sha256:3f0fe2ef7ebc6e9b347585e414c4fefd32270ba8bdf9eb82496f3030cbdca465 \\\r\n --hash=sha256:3f72f310b10b730cddfb654006ae497e7706c81e6a7642d3da7fd2439df7d88d \\\r\n --hash=sha256:40bdb468281a5cd525e2e990b97344f0974e0589bd1b395501c25471fcd7edda \\\r\n --hash=sha256:4358dd80b315c82d760b44c6df7857c9c898d04e7b0c14abb0eb3692354e9379 \\\r\n --hash=sha256:441078bfd3b508597415338af667c3575980364f1286eedde58291558b9c2832 \\\r\n --hash=sha256:47c2a4c319300c381f194274203f47b12c433e1fd86b90ecdc7fb258c630f93b \\\r\n --hash=sha256:49c57ae18f138a4b66480b2364fe6a0f2345ada919e93fc729c95c6b17ec73a4 \\\r\n --hash=sha256:4a0dcb32ac4d1d67a77ae6a2d60ea0921af7e682b3427202d8acb8e86642391c \\\r\n --hash=sha256:4ed01beb31d5177456ec2c4b66591a0df83dbc72df29f05f40502bfefe47bbe4 \\\r\n --hash=sha256:50ccbaafee80b4f1c5c55bbe07f80871b9b8fe3499bf7357dde2c23fb1c2ac0e \\\r\n --hash=sha256:51607d7d44f94a364ef0e3ccf9a92390def0faf6e7572eef082f15c657b5d03a \\\r\n --hash=sha256:5345c7a697327e2fa7c37534bb2968ea84595d8ec7fc8c4a60216ec1be6e65bd \\\r\n --hash=sha256:542808d88464d538f5d2c6b48b545a7fe15f0d20c7fa703b469d039a08c9fa10 \\\r\n --hash=sha256:5819d502dacd54114c30bc24efcb76e723b93f8f528be70851056a396a792c46 \\\r\n --hash=sha256:5aed5fc86d0bfc5f16e871cbb35ec93df61476d7fde4c1c6081015a075ecfbc1 \\\r\n --hash=sha256:5d9ec8634ab0cbfbcff535ac07555ebdae0282ad66762f0471fad11c16181e33 \\\r\n --hash=sha256:5fb00c706d0b59c53124f982bd84b7d46866a8ea2a7670aaaa1ab4dbe6001b50 \\\r\n --hash=sha256:5fd7cf79949174d1018b896638f88aea1ff2a969f87a6199ea23b25b506e26c5 \\\r\n --hash=sha256:606b2452d78f0f731566d392f8d83cd012c2ffadb2cb2e2903fdd360c1faac8a \\\r\n --hash=sha256:6128cb653d011f3781554b70ce1f1f388cd516820fbaf8fd03ee245ecaa48349 \\\r\n --hash=sha256:639935b5b3d9ed3911493504581254b76cb578279302f7f340924ac5bfca4090 \\\r\n 
--hash=sha256:64564f4c175c5bb8e744de5816d69ee0b940e472160a5e665f30adc412b694f3 \\\r\n --hash=sha256:69f12ce4866a3725138e97f22f2c4cb21d3ae18cd422906cd57ed12a9ffd86c5 \\\r\n --hash=sha256:6a60ee6836599363a24367cf780ad45446b07eba49ec72d19bad761d5414aca7 \\\r\n --hash=sha256:6b9af8d62c087354abd071e01d9445ea51b31779c8a4a0d5c14ee12caee3d18f \\\r\n --hash=sha256:6c456882baab2a48a5bfabe458a557af25d0768ff29acbe200461e84c0f697d5 \\\r\n --hash=sha256:6f281cc2f096530c339f122e0d9866545f5592dd9bffe0fade565c2771130a45 \\\r\n --hash=sha256:73877eebbdcb8259cf0099665f8c8274d4273b361371405a611fb6bd9f4d64f6 \\\r\n --hash=sha256:74455bd918e7bc9883e3178a1a8fe796308670f0ee4488c80a0d9514e13807a1 \\\r\n --hash=sha256:7452ae7e6d80e697d78d3f56d1b4d2a350286eea229afb35f55ab88b934b6acd \\\r\n --hash=sha256:77294f0f797c97a46ffb3daff1fe097c9d5aa9f96867333978e6791286963e50 \\\r\n --hash=sha256:7ac886e04f253960ae82e38ded8352085c61d78de99412d178a94ecf475b5e5f \\\r\n --hash=sha256:7c420878726d677da7484f6021dbe7e1f9345a791b155de632c6ce36678fb621 \\\r\n --hash=sha256:836f1d85a4b5d3689d455aeb1dc6c42acb96aaf8e5282825c00ccf2545ad5630 \\\r\n --hash=sha256:84aa6eecba967bdac167451501dcaceec548d8b8c4ca7fa41ceda4dbfc279297 \\\r\n --hash=sha256:866ba6ce85f337fa1677516217b6f10fc25e19acb6e17a501d5822e66396bdd5 \\\r\n --hash=sha256:86e0e65e205793b337d62d9764700dfd02b5f83b01e26ad345736e7ac0554ebd \\\r\n --hash=sha256:87a1a4ca93da414f3b6da8131e61aca6d48a4e837fb0b1cbde05ae9d13332317 \\\r\n --hash=sha256:8d3a1b6fa71a0ae7abc320d9db91b5a96a71eef1dbee0d62a6232b71c97af962 \\\r\n --hash=sha256:8f9eb97fb6fd4551ff9d5012b4fcee9abeea9c8af6b9e3ebc3c76cc2bd0a43a7 \\\r\n --hash=sha256:91453ce9476363d777b2ea2e9c6dccecd2073cf35697e048de2e8d47e1f36c7c \\\r\n --hash=sha256:9596aeb8c71192f4fba1ca25cec420da195219398d2df811d5082559efd9561f \\\r\n --hash=sha256:960ab83a977a44284c4ffab2820ccd6c9b332571a3d622fefa4b29b0a5de72b0 \\\r\n --hash=sha256:97e05f66c5847e6889594508298d78ddb84a0115e9234d598415dc5a06d3a4a7 \\\r\n 
--hash=sha256:9ac634753f6d26cba503cea7bb5b350aec7c5366f44fa68c79e9c90be9fd0ebc \\\r\n --hash=sha256:9e1097d8b57f64878a3f176f4cd6b9a1bbe9fb2d236f1a85a4357722626d8f25 \\\r\n --hash=sha256:a1b81cc86b69ff530d45e735ed479e14704999f534ad28a39f04be4a8fe2b91f \\\r\n --hash=sha256:a4f786f1b1ab39a0908db04ebe5b2c7cbc6f1ce07a27d3a12eb980bffd7fea7d \\\r\n --hash=sha256:a594795ef89bd83297c860ff585f2d25580ce9805eb9cc44c831d311e7f1951a \\\r\n --hash=sha256:a708b9e6ff1826504940beb6b5c2c9dfd4e3b55c16ab88a4572f5b9dbb64cc56 \\\r\n --hash=sha256:a90b901ccfd24b028faea19c927ff03f3cfefe82ba0b931fbb8da4ef0664911b \\\r\n --hash=sha256:ae3d0575721a372c20130681bfaf873225fd9e1c290b7d56b7e0c14f413318f6 \\\r\n --hash=sha256:afef9eb882cf3b395eef9c85b737a4acd09528975e6a5d9faedf28874ca65f52 \\\r\n --hash=sha256:aff1b469187f6c789cdf17cd95c9b24e87396dc86953b1cf38b9a05cea873c80 \\\r\n --hash=sha256:b2ae8993f3863632d31ca8921c8a5dc9ecc5551c7b88895cefb5a26d17643391 \\\r\n --hash=sha256:b2dd39e12f7467a7422ce50711524759d4d22016714cbae6a7096b954bc2fa32 \\\r\n --hash=sha256:b4de7741d542a477387299bf9450e8be3e768c352d6b3438254eb02af1e59462 \\\r\n --hash=sha256:b5b517fbbc5d223fc36041673e7c2a0d3a82be6a5464a5f0599069330b76f97d \\\r\n --hash=sha256:bdc09de97b1b3f6c3d87fec04d6fe29dd4fefe6b354ad2d822fc369b8aa0942b \\\r\n --hash=sha256:c249741b10eb714578d765487b767e0e7fcc2ac84a299209a6073566e730dbea \\\r\n --hash=sha256:c2b093a74b10232c70b5d29814fcee6544bb6f30e2d922d26db9ab4b4cd00c04 \\\r\n --hash=sha256:c31f6dd5bd60688d51487a3f5e2ae29ed1948926e44d7a2316b193b083f80d5d \\\r\n --hash=sha256:c41e5457f4de5d38a270bc44619873589bbe6fe251225deec583ed20199df0f3 \\\r\n --hash=sha256:c46e77c2ad614a0399503dc675d72436cbf6332a20d49a0e5bad03058d6cbfad \\\r\n --hash=sha256:c9589cb79d4e401630481755c92b072aa7ba5505ec81dec865ef43932ec037e4 \\\r\n --hash=sha256:ca19213785f864781848e0216cba07e97f563f60a50bbc7885b54461d8c64873 \\\r\n --hash=sha256:cbfdde6c5768ffa5d2f14127bbc1d7c3c2d03c0ceaeb0736946197e06275ccc7 \\\r\n 
--hash=sha256:cd6a8d43a0c294918e3afb7e4b1d8c04d2e4c3ea9ddf05475fdaf366c7e5b3a6 \\\r\n --hash=sha256:cffaab46f9e04856dc3daa6097bfb3d3bea0b1771237e869c57b13f3dcc2c238 \\\r\n --hash=sha256:d0929302d187bfeca335b7f710f774f1b2ea3f610b2a80e8a1ac2da216cd9766 \\\r\n --hash=sha256:d44a7d4586f02b630658298c089ff755e74d0677b93c71e09d33dd35bdd4987a \\\r\n --hash=sha256:d7ddbf234c9adc72189bb552d830e9a0c2c4401b5baf7b003eacd5c552ddcc00 \\\r\n --hash=sha256:dca286c6c1ca5febf13f5f2ae7e8aa7536e49bd07f4232796651a43ff741ceca \\\r\n --hash=sha256:dcb2172ca8b62f82af9d1f8db80c21c64c5ba3991935caefde88bb378f0afb51 \\\r\n --hash=sha256:e4e00c1600022b47ef0e9e1f893cb0c2322209ec6c1581a3e3f63ed78330ddf0 \\\r\n --hash=sha256:e789e19095b818f7126180b4387c0f01700c3ad2378a4e7649b2ddf4bf47ffbc \\\r\n --hash=sha256:e79babb67b415aa54abb213897ceaa011515a5f3e146a2a97f4e6486b9743af4 \\\r\n --hash=sha256:e8f75e839ee253af60b03d9957182fdd069dfaebb62b4e999bd74016f4e120bb \\\r\n --hash=sha256:e9934277abdddf9c733267e4dcc4886de8a3302d28f390237d447e215e8ce47d \\\r\n --hash=sha256:ef3399e0544b46d31c2a8ff14ae1fb3c3571ae1153bbbc5ddf0d242c67bde624 \\\r\n --hash=sha256:f169e166774587227255f6ffe71f5b3303ea73cde0e2c6d52e53b9e12c03d787 \\\r\n --hash=sha256:f1d8b58f00137ccbe8b828a5ede92be3f0115cef75e6bed88d4d0bd1e7a0b1fc \\\r\n --hash=sha256:f2839c13e486e4a23b19b1d2dc4624565cec6c228bbf803c066be1106515966b \\\r\n --hash=sha256:f66790e4b2dcfcabc0aa54dd89317ea5671cabf06aa93cbef7cbdd4d2fdb7ee3 \\\r\n --hash=sha256:f6d8a881b50bb2015e9bdba5edb0331e85d41ff44ab33cde551047480b98d748 \\\r\n --hash=sha256:f7cfc683d320402d61205a196ace77f15dcfd16b5771f8b9ffaf406868c98e78 \\\r\n --hash=sha256:f9c5fc29a5b9d61a8f0a3494172107e0e6cf23d0cb800d6285c6722ba7fc3535 \\\r\n --hash=sha256:fc92a718bccb8ce5c9eb63fca743c38f3fa4c4e47f58f0c4ada51b2474668184\r\n```\r\n\r\n`pip-compile --no-header --no-annotate r.in -o r.txt --generate-hashes` will not add any new hashes, but `uv pip compile` will\r\n\r\n 
","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/1530/reactions","total_count":3,"+1":3,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/astral-sh/uv/issues/1530/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/2002266486","html_url":"https://github.com/astral-sh/uv/issues/1530#issuecomment-2002266486","issue_url":"https://api.github.com/repos/astral-sh/uv/issues/1530","id":2002266486,"node_id":"IC_kwDOKbIFZc53WCl2","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-03-17T01:48:36Z","updated_at":"2024-03-17T01:48:36Z","author_association":"NONE","body":"This also causes issues with CI checks that check that locks are in sync with requirements.in\r\n\r\nEssentially, if an open ended release occurs, CI checks that were previously passing begin to fail. This can cause confusion. 
","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/2002266486/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-03-17T01:48:37Z","org":{"id":115962839,"login":"astral-sh","gravatar_id":"","url":"https://api.github.com/orgs/astral-sh","avatar_url":"https://avatars.githubusercontent.com/u/115962839?"}},{"id":"36505484327","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":32181539,"name":"pypa/flit","url":"https://api.github.com/repos/pypa/flit"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/pypa/flit/issues/676","repository_url":"https://api.github.com/repos/pypa/flit","labels_url":"https://api.github.com/repos/pypa/flit/issues/676/labels{/name}","comments_url":"https://api.github.com/repos/pypa/flit/issues/676/comments","events_url":"https://api.github.com/repos/pypa/flit/issues/676/events","html_url":"https://github.com/pypa/flit/pull/676","id":2178158630,"node_id":"PR_kwDOAesNI85pMPfd","number":676,"title":"Implement Metadata 
2.3","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"labels":[],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":2,"created_at":"2024-03-11T03:34:42Z","updated_at":"2024-03-13T10:20:18Z","closed_at":null,"author_association":"NONE","active_lock_reason":null,"draft":false,"pull_request":{"url":"https://api.github.com/repos/pypa/flit/pulls/676","html_url":"https://github.com/pypa/flit/pull/676","diff_url":"https://github.com/pypa/flit/pull/676.diff","patch_url":"https://github.com/pypa/flit/pull/676.patch","merged_at":null},"body":"[PEP 643](https://peps.python.org/pep-0643/) introduces Metadata 2.2, where fields can either be static (default) or marked as dynamic. \r\n[PEP 685](https://peps.python.org/pep-0685/) introduces Metadata 2.3, that specifies how to normalize extra names.\r\n\r\nThis PR bumps the Metadata version to 2.3. `flit` has always written and published static metadata in both wheel `METADATA` and sdist `PKG-INFO` and therefore this PR does not intend to add new support for recording dynamic metadata into distributions. 
This should not be confused with the `dynamic` metadata in the pyproject.toml files, which are dynamic in flit and remain supported (PEP 621).\r\n\r\nUpgrading to the newer Core Metadata standards has advantages for the python packaging ecosystem. It makes it possible for resolvers to read metadata directly without a PEP 517 invocation, which can bring large speedups.\r\n\r\nTowards: https://github.com/pypa/flit/issues/675","reactions":{"url":"https://api.github.com/repos/pypa/flit/issues/676/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/pypa/flit/issues/676/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/pypa/flit/issues/comments/1994040310","html_url":"https://github.com/pypa/flit/pull/676#issuecomment-1994040310","issue_url":"https://api.github.com/repos/pypa/flit/issues/676","id":1994040310,"node_id":"IC_kwDOAesNI8522qP2","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-03-13T10:20:17Z","updated_at":"2024-03-13T10:20:17Z","author_association":"NONE","body":"
I've added some test cases. I believe that this is now ready for review.","reactions":{"url":"https://api.github.com/repos/pypa/flit/issues/comments/1994040310/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-03-13T10:20:19Z","org":{"id":647025,"login":"pypa","gravatar_id":"","url":"https://api.github.com/orgs/pypa","avatar_url":"https://avatars.githubusercontent.com/u/647025?"}},{"id":"36505437687","type":"PushEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":770091332,"name":"groodt/flit","url":"https://api.github.com/repos/groodt/flit"},"payload":{"repository_id":770091332,"push_id":17520890671,"size":1,"distinct_size":1,"ref":"refs/heads/groodt-metadata-23","head":"0dceb805ed1c744287344a73f327764e2ce6b5dc","before":"547cd61f46c1cfd855ee2b45ef7135f9e636bdae","commits":[{"sha":"0dceb805ed1c744287344a73f327764e2ce6b5dc","author":{"email":"groodt@gmail.com","name":"Greg 
Roodt"},"message":".","distinct":true,"url":"https://api.github.com/repos/groodt/flit/commits/0dceb805ed1c744287344a73f327764e2ce6b5dc"}]},"public":true,"created_at":"2024-03-13T10:19:02Z"},{"id":"36505163604","type":"PushEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":770091332,"name":"groodt/flit","url":"https://api.github.com/repos/groodt/flit"},"payload":{"repository_id":770091332,"push_id":17520758295,"size":1,"distinct_size":1,"ref":"refs/heads/groodt-metadata-23","head":"547cd61f46c1cfd855ee2b45ef7135f9e636bdae","before":"d7d1839275ec278d01faa95c68b74f18c984957b","commits":[{"sha":"547cd61f46c1cfd855ee2b45ef7135f9e636bdae","author":{"email":"groodt@gmail.com","name":"Greg Roodt"},"message":".","distinct":true,"url":"https://api.github.com/repos/groodt/flit/commits/547cd61f46c1cfd855ee2b45ef7135f9e636bdae"}]},"public":true,"created_at":"2024-03-13T10:11:23Z"},{"id":"36452014966","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":32181539,"name":"pypa/flit","url":"https://api.github.com/repos/pypa/flit"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/pypa/flit/issues/676","repository_url":"https://api.github.com/repos/pypa/flit","labels_url":"https://api.github.com/repos/pypa/flit/issues/676/labels{/name}","comments_url":"https://api.github.com/repos/pypa/flit/issues/676/comments","events_url":"https://api.github.com/repos/pypa/flit/issues/676/events","html_url":"https://github.com/pypa/flit/pull/676","id":2178158630,"node_id":"PR_kwDOAesNI85pMPfd","number":676,"title":"Implement Metadata 
2.3","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"labels":[],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":1,"created_at":"2024-03-11T03:34:42Z","updated_at":"2024-03-11T21:48:03Z","closed_at":null,"author_association":"NONE","active_lock_reason":null,"draft":false,"pull_request":{"url":"https://api.github.com/repos/pypa/flit/pulls/676","html_url":"https://github.com/pypa/flit/pull/676","diff_url":"https://github.com/pypa/flit/pull/676.diff","patch_url":"https://github.com/pypa/flit/pull/676.patch","merged_at":null},"body":"[PEP 643](https://peps.python.org/pep-0643/) introduces Metadata 2.2, where fields can either be static (default) or marked as dynamic. \r\n[PEP 685](https://peps.python.org/pep-0685/) introduces Metadata 2.3, that specifies how to normalize extra names.\r\n\r\nThis PR bumps the Metadata version to 2.3. `flit` has always written and published static metadata in both wheel `METADATA` and sdist `PKG-INFO` and therefore this PR does not intend to add new support for recording dynamic metadata into distributions. 
This should not be confused with the `dynamic` metadata in the pyproject.toml files, which are dynamic in flit and remain supported (PEP 621).\r\n\r\nUpgrading to the newer Core Metadata standards has advantages for the python packaging ecosystem. It makes it possible for resolvers to read metadata directly without a PEP 517 invocation, which can bring large speedups.\r\n\r\nTowards: https://github.com/pypa/flit/issues/675\r\n\r\n
\r\n\r\nNotes for reviewers:\r\n* I'm not sure if I'm over normalising the `Requires-Dist` field. I think it should be possible to run that regex over the field without parsing out the extras, but let me know if not\r\n* I can add some tests if necessary, let me know which tests you'd like to see\r\n* Thanks for all your work on flit over the years\r\n","reactions":{"url":"https://api.github.com/repos/pypa/flit/issues/676/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/pypa/flit/issues/676/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/pypa/flit/issues/comments/1989504481","html_url":"https://github.com/pypa/flit/pull/676#issuecomment-1989504481","issue_url":"https://api.github.com/repos/pypa/flit/issues/676","id":1989504481,"node_id":"IC_kwDOAesNI852lW3h","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-03-11T21:48:02Z","updated_at":"2024-03-11T21:48:02Z","author_association":"NONE","body":"Thinking about this more, I think I’m definitely over normalizing 
Requires-Dist if there are any markers. I’ll find some time to change it so that it only normalizes any extras. ","reactions":{"url":"https://api.github.com/repos/pypa/flit/issues/comments/1989504481/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-03-11T21:48:03Z","org":{"id":647025,"login":"pypa","gravatar_id":"","url":"https://api.github.com/orgs/pypa","avatar_url":"https://avatars.githubusercontent.com/u/647025?"}},{"id":"36419229910","type":"PushEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":770091332,"name":"groodt/flit","url":"https://api.github.com/repos/groodt/flit"},"payload":{"repository_id":770091332,"push_id":17479039778,"size":1,"distinct_size":1,"ref":"refs/heads/groodt-metadata-23","head":"d7d1839275ec278d01faa95c68b74f18c984957b","before":"11e33dbad2fc20b93561e0e2270d7f066909f2fb","commits":[{"sha":"d7d1839275ec278d01faa95c68b74f18c984957b","author":{"email":"groodt@gmail.com","name":"Greg 
Roodt"},"message":".","distinct":true,"url":"https://api.github.com/repos/groodt/flit/commits/d7d1839275ec278d01faa95c68b74f18c984957b"}]},"public":true,"created_at":"2024-03-11T03:35:33Z"},{"id":"36419218336","type":"PullRequestEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":32181539,"name":"pypa/flit","url":"https://api.github.com/repos/pypa/flit"},"payload":{"action":"opened","number":676,"pull_request":{"url":"https://api.github.com/repos/pypa/flit/pulls/676","id":1764816861,"node_id":"PR_kwDOAesNI85pMPfd","html_url":"https://github.com/pypa/flit/pull/676","diff_url":"https://github.com/pypa/flit/pull/676.diff","patch_url":"https://github.com/pypa/flit/pull/676.patch","issue_url":"https://api.github.com/repos/pypa/flit/issues/676","number":676,"state":"open","locked":false,"title":"Implement Metadata 2.3","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"body":"See: 
https://peps.python.org/pep-0685/","created_at":"2024-03-11T03:34:42Z","updated_at":"2024-03-11T03:34:42Z","closed_at":null,"merged_at":null,"merge_commit_sha":null,"assignee":null,"assignees":[],"requested_reviewers":[],"requested_teams":[],"labels":[],"milestone":null,"draft":true,"commits_url":"https://api.github.com/repos/pypa/flit/pulls/676/commits","review_comments_url":"https://api.github.com/repos/pypa/flit/pulls/676/comments","review_comment_url":"https://api.github.com/repos/pypa/flit/pulls/comments{/number}","comments_url":"https://api.github.com/repos/pypa/flit/issues/676/comments","statuses_url":"https://api.github.com/repos/pypa/flit/statuses/11e33dbad2fc20b93561e0e2270d7f066909f2fb","head":{"label":"groodt:groodt-metadata-23","ref":"groodt-metadata-23","sha":"11e33dbad2fc20b93561e0e2270d7f066909f2fb","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"repo":{"id":770091332,"node_id":"R_kgDOLeapRA","name":"flit","full_name":"groodt/flit","private":false,"owner":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.co
m/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"html_url":"https://github.com/groodt/flit","description":"Simplified packaging of Python modules","fork":true,"url":"https://api.github.com/repos/groodt/flit","forks_url":"https://api.github.com/repos/groodt/flit/forks","keys_url":"https://api.github.com/repos/groodt/flit/keys{/key_id}","collaborators_url":"https://api.github.com/repos/groodt/flit/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/groodt/flit/teams","hooks_url":"https://api.github.com/repos/groodt/flit/hooks","issue_events_url":"https://api.github.com/repos/groodt/flit/issues/events{/number}","events_url":"https://api.github.com/repos/groodt/flit/events","assignees_url":"https://api.github.com/repos/groodt/flit/assignees{/user}","branches_url":"https://api.github.com/repos/groodt/flit/branches{/branch}","tags_url":"https://api.github.com/repos/groodt/flit/tags","blobs_url":"https://api.github.com/repos/groodt/flit/git/blobs{/sha}","git_tags_url":"https://api.github.com/repos/groodt/flit/git/tags{/sha}","git_refs_url":"https://api.github.com/repos/groodt/flit/git/refs{/sha}","trees_url":"https://api.github.com/repos/groodt/flit/git/trees{/sha}","statuses_url":"https://api.github.com/repos/groodt/flit/statuses/{sha}","languages_url":"https://api.github.com/repos/groodt/flit/languages","s
targazers_url":"https://api.github.com/repos/groodt/flit/stargazers","contributors_url":"https://api.github.com/repos/groodt/flit/contributors","subscribers_url":"https://api.github.com/repos/groodt/flit/subscribers","subscription_url":"https://api.github.com/repos/groodt/flit/subscription","commits_url":"https://api.github.com/repos/groodt/flit/commits{/sha}","git_commits_url":"https://api.github.com/repos/groodt/flit/git/commits{/sha}","comments_url":"https://api.github.com/repos/groodt/flit/comments{/number}","issue_comment_url":"https://api.github.com/repos/groodt/flit/issues/comments{/number}","contents_url":"https://api.github.com/repos/groodt/flit/contents/{+path}","compare_url":"https://api.github.com/repos/groodt/flit/compare/{base}...{head}","merges_url":"https://api.github.com/repos/groodt/flit/merges","archive_url":"https://api.github.com/repos/groodt/flit/{archive_format}{/ref}","downloads_url":"https://api.github.com/repos/groodt/flit/downloads","issues_url":"https://api.github.com/repos/groodt/flit/issues{/number}","pulls_url":"https://api.github.com/repos/groodt/flit/pulls{/number}","milestones_url":"https://api.github.com/repos/groodt/flit/milestones{/number}","notifications_url":"https://api.github.com/repos/groodt/flit/notifications{?since,all,participating}","labels_url":"https://api.github.com/repos/groodt/flit/labels{/name}","releases_url":"https://api.github.com/repos/groodt/flit/releases{/id}","deployments_url":"https://api.github.com/repos/groodt/flit/deployments","created_at":"2024-03-10T22:06:52Z","updated_at":"2024-03-10T22:06:52Z","pushed_at":"2024-03-11T03:34:01Z","git_url":"git://github.com/groodt/flit.git","ssh_url":"git@github.com:groodt/flit.git","clone_url":"https://github.com/groodt/flit.git","svn_url":"https://github.com/groodt/flit","homepage":"https://flit.pypa.io/","size":1114,"stargazers_count":0,"watchers_count":0,"language":null,"has_issues":false,"has_projects":true,"has_downloads":true,"has_wiki":false,"has_pages":false,"
has_discussions":false,"forks_count":0,"mirror_url":null,"archived":false,"disabled":false,"open_issues_count":0,"license":{"key":"bsd-3-clause","name":"BSD 3-Clause \"New\" or \"Revised\" License","spdx_id":"BSD-3-Clause","url":"https://api.github.com/licenses/bsd-3-clause","node_id":"MDc6TGljZW5zZTU="},"allow_forking":true,"is_template":false,"web_commit_signoff_required":false,"topics":[],"visibility":"public","forks":0,"open_issues":0,"watchers":0,"default_branch":"main"}},"base":{"label":"pypa:main","ref":"main","sha":"8ead22d4d3028f2dd2c952c85e5bf1535cca3b40","user":{"login":"pypa","id":647025,"node_id":"MDEyOk9yZ2FuaXphdGlvbjY0NzAyNQ==","avatar_url":"https://avatars.githubusercontent.com/u/647025?v=4","gravatar_id":"","url":"https://api.github.com/users/pypa","html_url":"https://github.com/pypa","followers_url":"https://api.github.com/users/pypa/followers","following_url":"https://api.github.com/users/pypa/following{/other_user}","gists_url":"https://api.github.com/users/pypa/gists{/gist_id}","starred_url":"https://api.github.com/users/pypa/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/pypa/subscriptions","organizations_url":"https://api.github.com/users/pypa/orgs","repos_url":"https://api.github.com/users/pypa/repos","events_url":"https://api.github.com/users/pypa/events{/privacy}","received_events_url":"https://api.github.com/users/pypa/received_events","type":"Organization","site_admin":false},"repo":{"id":32181539,"node_id":"MDEwOlJlcG9zaXRvcnkzMjE4MTUzOQ==","name":"flit","full_name":"pypa/flit","private":false,"owner":{"login":"pypa","id":647025,"node_id":"MDEyOk9yZ2FuaXphdGlvbjY0NzAyNQ==","avatar_url":"https://avatars.githubusercontent.com/u/647025?v=4","gravatar_id":"","url":"https://api.github.com/users/pypa","html_url":"https://github.com/pypa","followers_url":"https://api.github.com/users/pypa/followers","following_url":"https://api.github.com/users/pypa/following{/other_user}","gists_url":"https://api.github.com/users/py
pa/gists{/gist_id}","starred_url":"https://api.github.com/users/pypa/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/pypa/subscriptions","organizations_url":"https://api.github.com/users/pypa/orgs","repos_url":"https://api.github.com/users/pypa/repos","events_url":"https://api.github.com/users/pypa/events{/privacy}","received_events_url":"https://api.github.com/users/pypa/received_events","type":"Organization","site_admin":false},"html_url":"https://github.com/pypa/flit","description":"Simplified packaging of Python modules","fork":false,"url":"https://api.github.com/repos/pypa/flit","forks_url":"https://api.github.com/repos/pypa/flit/forks","keys_url":"https://api.github.com/repos/pypa/flit/keys{/key_id}","collaborators_url":"https://api.github.com/repos/pypa/flit/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/pypa/flit/teams","hooks_url":"https://api.github.com/repos/pypa/flit/hooks","issue_events_url":"https://api.github.com/repos/pypa/flit/issues/events{/number}","events_url":"https://api.github.com/repos/pypa/flit/events","assignees_url":"https://api.github.com/repos/pypa/flit/assignees{/user}","branches_url":"https://api.github.com/repos/pypa/flit/branches{/branch}","tags_url":"https://api.github.com/repos/pypa/flit/tags","blobs_url":"https://api.github.com/repos/pypa/flit/git/blobs{/sha}","git_tags_url":"https://api.github.com/repos/pypa/flit/git/tags{/sha}","git_refs_url":"https://api.github.com/repos/pypa/flit/git/refs{/sha}","trees_url":"https://api.github.com/repos/pypa/flit/git/trees{/sha}","statuses_url":"https://api.github.com/repos/pypa/flit/statuses/{sha}","languages_url":"https://api.github.com/repos/pypa/flit/languages","stargazers_url":"https://api.github.com/repos/pypa/flit/stargazers","contributors_url":"https://api.github.com/repos/pypa/flit/contributors","subscribers_url":"https://api.github.com/repos/pypa/flit/subscribers","subscription_url":"https://api.github.com/repos/pypa/flit/subscriptio
n","commits_url":"https://api.github.com/repos/pypa/flit/commits{/sha}","git_commits_url":"https://api.github.com/repos/pypa/flit/git/commits{/sha}","comments_url":"https://api.github.com/repos/pypa/flit/comments{/number}","issue_comment_url":"https://api.github.com/repos/pypa/flit/issues/comments{/number}","contents_url":"https://api.github.com/repos/pypa/flit/contents/{+path}","compare_url":"https://api.github.com/repos/pypa/flit/compare/{base}...{head}","merges_url":"https://api.github.com/repos/pypa/flit/merges","archive_url":"https://api.github.com/repos/pypa/flit/{archive_format}{/ref}","downloads_url":"https://api.github.com/repos/pypa/flit/downloads","issues_url":"https://api.github.com/repos/pypa/flit/issues{/number}","pulls_url":"https://api.github.com/repos/pypa/flit/pulls{/number}","milestones_url":"https://api.github.com/repos/pypa/flit/milestones{/number}","notifications_url":"https://api.github.com/repos/pypa/flit/notifications{?since,all,participating}","labels_url":"https://api.github.com/repos/pypa/flit/labels{/name}","releases_url":"https://api.github.com/repos/pypa/flit/releases{/id}","deployments_url":"https://api.github.com/repos/pypa/flit/deployments","created_at":"2015-03-13T21:22:27Z","updated_at":"2024-03-07T14:47:22Z","pushed_at":"2024-03-11T03:34:43Z","git_url":"git://github.com/pypa/flit.git","ssh_url":"git@github.com:pypa/flit.git","clone_url":"https://github.com/pypa/flit.git","svn_url":"https://github.com/pypa/flit","homepage":"https://flit.pypa.io/","size":1114,"stargazers_count":2078,"watchers_count":2078,"language":"Python","has_issues":true,"has_projects":true,"has_downloads":true,"has_wiki":false,"has_pages":false,"has_discussions":true,"forks_count":128,"mirror_url":null,"archived":false,"disabled":false,"open_issues_count":126,"license":{"key":"bsd-3-clause","name":"BSD 3-Clause \"New\" or \"Revised\" 
License","spdx_id":"BSD-3-Clause","url":"https://api.github.com/licenses/bsd-3-clause","node_id":"MDc6TGljZW5zZTU="},"allow_forking":true,"is_template":false,"web_commit_signoff_required":false,"topics":[],"visibility":"public","forks":128,"open_issues":126,"watchers":2078,"default_branch":"main"}},"_links":{"self":{"href":"https://api.github.com/repos/pypa/flit/pulls/676"},"html":{"href":"https://github.com/pypa/flit/pull/676"},"issue":{"href":"https://api.github.com/repos/pypa/flit/issues/676"},"comments":{"href":"https://api.github.com/repos/pypa/flit/issues/676/comments"},"review_comments":{"href":"https://api.github.com/repos/pypa/flit/pulls/676/comments"},"review_comment":{"href":"https://api.github.com/repos/pypa/flit/pulls/comments{/number}"},"commits":{"href":"https://api.github.com/repos/pypa/flit/pulls/676/commits"},"statuses":{"href":"https://api.github.com/repos/pypa/flit/statuses/11e33dbad2fc20b93561e0e2270d7f066909f2fb"}},"author_association":"NONE","auto_merge":null,"active_lock_reason":null,"merged":false,"mergeable":null,"rebaseable":null,"mergeable_state":"unknown","merged_by":null,"comments":0,"review_comments":0,"maintainer_can_modify":true,"commits":1,"additions":1,"deletions":1,"changed_files":1}},"public":true,"created_at":"2024-03-11T03:34:44Z","org":{"id":647025,"login":"pypa","gravatar_id":"","url":"https://api.github.com/orgs/pypa","avatar_url":"https://avatars.githubusercontent.com/u/647025?"}},{"id":"36419208632","type":"CreateEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":770091332,"name":"groodt/flit","url":"https://api.github.com/repos/groodt/flit"},"payload":{"ref":"groodt-metadata-23","ref_type":"branch","master_branch":"main","description":"Simplified packaging of Python 
modules","pusher_type":"user"},"public":true,"created_at":"2024-03-11T03:34:02Z"},{"id":"36415175354","type":"ForkEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":32181539,"name":"pypa/flit","url":"https://api.github.com/repos/pypa/flit"},"payload":{"forkee":{"id":770091332,"node_id":"R_kgDOLeapRA","name":"flit","full_name":"groodt/flit","private":false,"owner":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"html_url":"https://github.com/groodt/flit","description":"Simplified packaging of Python 
modules","fork":true,"url":"https://api.github.com/repos/groodt/flit","forks_url":"https://api.github.com/repos/groodt/flit/forks","keys_url":"https://api.github.com/repos/groodt/flit/keys{/key_id}","collaborators_url":"https://api.github.com/repos/groodt/flit/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/groodt/flit/teams","hooks_url":"https://api.github.com/repos/groodt/flit/hooks","issue_events_url":"https://api.github.com/repos/groodt/flit/issues/events{/number}","events_url":"https://api.github.com/repos/groodt/flit/events","assignees_url":"https://api.github.com/repos/groodt/flit/assignees{/user}","branches_url":"https://api.github.com/repos/groodt/flit/branches{/branch}","tags_url":"https://api.github.com/repos/groodt/flit/tags","blobs_url":"https://api.github.com/repos/groodt/flit/git/blobs{/sha}","git_tags_url":"https://api.github.com/repos/groodt/flit/git/tags{/sha}","git_refs_url":"https://api.github.com/repos/groodt/flit/git/refs{/sha}","trees_url":"https://api.github.com/repos/groodt/flit/git/trees{/sha}","statuses_url":"https://api.github.com/repos/groodt/flit/statuses/{sha}","languages_url":"https://api.github.com/repos/groodt/flit/languages","stargazers_url":"https://api.github.com/repos/groodt/flit/stargazers","contributors_url":"https://api.github.com/repos/groodt/flit/contributors","subscribers_url":"https://api.github.com/repos/groodt/flit/subscribers","subscription_url":"https://api.github.com/repos/groodt/flit/subscription","commits_url":"https://api.github.com/repos/groodt/flit/commits{/sha}","git_commits_url":"https://api.github.com/repos/groodt/flit/git/commits{/sha}","comments_url":"https://api.github.com/repos/groodt/flit/comments{/number}","issue_comment_url":"https://api.github.com/repos/groodt/flit/issues/comments{/number}","contents_url":"https://api.github.com/repos/groodt/flit/contents/{+path}","compare_url":"https://api.github.com/repos/groodt/flit/compare/{base}...{head}","merges_url":"https://api.github.c
om/repos/groodt/flit/merges","archive_url":"https://api.github.com/repos/groodt/flit/{archive_format}{/ref}","downloads_url":"https://api.github.com/repos/groodt/flit/downloads","issues_url":"https://api.github.com/repos/groodt/flit/issues{/number}","pulls_url":"https://api.github.com/repos/groodt/flit/pulls{/number}","milestones_url":"https://api.github.com/repos/groodt/flit/milestones{/number}","notifications_url":"https://api.github.com/repos/groodt/flit/notifications{?since,all,participating}","labels_url":"https://api.github.com/repos/groodt/flit/labels{/name}","releases_url":"https://api.github.com/repos/groodt/flit/releases{/id}","deployments_url":"https://api.github.com/repos/groodt/flit/deployments","created_at":"2024-03-10T22:06:52Z","updated_at":"2024-03-10T22:06:52Z","pushed_at":"2024-01-28T10:24:07Z","git_url":"git://github.com/groodt/flit.git","ssh_url":"git@github.com:groodt/flit.git","clone_url":"https://github.com/groodt/flit.git","svn_url":"https://github.com/groodt/flit","homepage":"https://flit.pypa.io/","size":1114,"stargazers_count":0,"watchers_count":0,"language":null,"has_issues":false,"has_projects":true,"has_downloads":true,"has_wiki":false,"has_pages":false,"has_discussions":false,"forks_count":0,"mirror_url":null,"archived":false,"disabled":false,"open_issues_count":0,"license":null,"allow_forking":true,"is_template":false,"web_commit_signoff_required":false,"topics":[],"visibility":"public","forks":0,"open_issues":0,"watchers":0,"default_branch":"main","public":true}},"public":true,"created_at":"2024-03-10T22:06:53Z","org":{"id":647025,"login":"pypa","gravatar_id":"","url":"https://api.github.com/orgs/pypa","avatar_url":"https://avatars.githubusercontent.com/u/647025?"}},{"id":"36402249712","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":1446467,"name":"pypa/pi
p","url":"https://api.github.com/repos/pypa/pip"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/pypa/pip/issues/12208","repository_url":"https://api.github.com/repos/pypa/pip","labels_url":"https://api.github.com/repos/pypa/pip/issues/12208/labels{/name}","comments_url":"https://api.github.com/repos/pypa/pip/issues/12208/comments","events_url":"https://api.github.com/repos/pypa/pip/issues/12208/events","html_url":"https://github.com/pypa/pip/pull/12208","id":1838415891,"node_id":"PR_kwDOABYSQ85XR_Zs","number":12208,"title":"perform 1-3 HTTP requests for each wheel using fast-deps","user":{"login":"cosmicexplorer","id":1305167,"node_id":"MDQ6VXNlcjEzMDUxNjc=","avatar_url":"https://avatars.githubusercontent.com/u/1305167?v=4","gravatar_id":"","url":"https://api.github.com/users/cosmicexplorer","html_url":"https://github.com/cosmicexplorer","followers_url":"https://api.github.com/users/cosmicexplorer/followers","following_url":"https://api.github.com/users/cosmicexplorer/following{/other_user}","gists_url":"https://api.github.com/users/cosmicexplorer/gists{/gist_id}","starred_url":"https://api.github.com/users/cosmicexplorer/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/cosmicexplorer/subscriptions","organizations_url":"https://api.github.com/users/cosmicexplorer/orgs","repos_url":"https://api.github.com/users/cosmicexplorer/repos","events_url":"https://api.github.com/users/cosmicexplorer/events{/privacy}","received_events_url":"https://api.github.com/users/cosmicexplorer/received_events","type":"User","site_admin":false},"labels":[{"id":6347889867,"node_id":"LA_kwDOABYSQ88AAAABel0cyw","url":"https://api.github.com/repos/pypa/pip/labels/bot:chronographer:provided","name":"bot:chronographer:provided","color":"ededed","default":false,"description":null}],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":21,"created_at":"2023-08-06T21:00:56Z","updated_at":"2024-03-09T22:47:29Z"
,"closed_at":null,"author_association":"CONTRIBUTOR","active_lock_reason":null,"draft":false,"pull_request":{"url":"https://api.github.com/repos/pypa/pip/pulls/12208","html_url":"https://github.com/pypa/pip/pull/12208","diff_url":"https://github.com/pypa/pip/pull/12208.diff","patch_url":"https://github.com/pypa/pip/pull/12208.patch","merged_at":null},"body":"### Continued motivation for `fast-deps`\r\nWhile PEP 658 is the standards-compliant solution and metadata from there is already preferred when available, `--use-feature=fast-deps` avoids downloading wheels against `--find-links` repos and any pypi index not supporting PEP 658 yet. Most non-pypi indices will be either of these, because it's very easy to expose those to pip with a simple file server, so improving `fast-deps` (and turning it on by default) is necessary to extend the benefits from the recent metadata resolve work to most users hosting their own index, especially corporations running pip in their internal CI.\r\n\r\n### Problem\r\n- Fixes #8670.\r\n`--use-feature=fast-deps` currently takes a while to perform multiple small range requests against pypi wheels which do not have PEP 658 metadata available, such as `tensorflow-gpu==2.5.3`. This is likely because of delays built into the pypi file host when responding to GET requests for very large files, to reduce the risk of a denial of service. This is pretty reasonable behavior on pypi's part, so we would like to minimize the number of range requests made, as described by @McSinyx in followup work at #8670.\r\n\r\n### Solution\r\n- Closes #11447.\r\n- Closes #11481.\r\n@dholth realized two optimizations we could perform:\r\n1. The HTTP `Range` header accepts a negative value `bytes=-N`, which acts like negative slice indices in Python, returning a chunk from the end of the file. This avoids a `HEAD` request to get the file length.\r\n2. 
The `*.dist-info/` directory is all that's going to be extracted from our lazy wheels, and this directory's contents form a contiguous substring of the total file content. After extracting the central directory from the end of the file with our first request, we can perform a single range request to populate the contents of every file in the `*.dist-info/` directory in the lazy wheel, so no further HTTP requests need to be made to continue the resolution.\r\n\r\n#### Additional Fixes\r\nTwo additional issues have popped up since #11447:\r\n1. pypi no longer supports negative byte ranges, returning an error from the varnish cache (see https://github.com/pypa/pip/pull/11481#issuecomment-1666945391). This is expected behavior from pypi: see pypi/warehouse#12823.\r\n2. Some wheels such as `tensorflow-gpu==2.5.3` have begun to put their own `*.dist-info/` directories at the beginning of the zip file, possibly as a result of generating them from other build tools which sort zip file entries lexicographically.\r\n\r\nBoth of these are considered to be reasonable behavior, and this change handles both cases gracefully.\r\n\r\n### Result\r\nThis halves the time to resolve dependencies from the below requirements for `pip install --dry-run --report` when the fixes of #12186 are merged:\r\n```bash\r\n> git checkout main\r\n> rm -rf ~/.cache/pip\r\n> time python3.8 -m pip install --report test.json --dry-run --ignore-installed 'numpy>=1.19.5' 'keras==2.4.3' 'mtcnn' 'pillow>=7.0.0' 'bleach>=2.1.0' 'tensorflow-gpu==2.5.3'\r\n...\r\nreal 0m33.531s\r\nuser 0m13.335s\r\nsys 0m3.219s\r\n> git checkout -\r\n> rm -rf ~/.cache/pip\r\n> time python3.8 -m pip install --report test.json --dry-run --ignore-installed --use-feature=fast-deps 'numpy>=1.19.5' 'keras==2.4.3' 'mtcnn' 'pillow>=7.0.0' 'bleach>=2.1.0' 'tensorflow-gpu==2.5.3'\r\n...\r\nreal 0m18.417s\r\nuser 0m8.847s\r\nsys 0m0.710s\r\n```\r\n\r\nAs with PEP 658 metadata, in pathological cases which involve lots of backtracking, 
this will avoid downloading more than a single version of each wheel even for `pip download` or `pip install` without `--dry-run`. **If `--use-feature=fast-deps` is enabled by default, this will also significantly improve performance of all resolves involving `tensorflow-gpu==2.5.3` and other wheels which do not have PEP 658 metadata available on pypi, or against indices which do not serve PEP 658 metadata.** I therefore propose turning on `fast-deps` by default, either in this PR or in #12186 which will be merged after this one.","reactions":{"url":"https://api.github.com/repos/pypa/pip/issues/12208/reactions","total_count":5,"+1":2,"-1":0,"laugh":0,"hooray":2,"confused":0,"heart":1,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/pypa/pip/issues/12208/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/pypa/pip/issues/comments/1987000476","html_url":"https://github.com/pypa/pip/pull/12208#issuecomment-1987000476","issue_url":"https://api.github.com/repos/pypa/pip/issues/12208","id":1987000476,"node_id":"IC_kwDOABYSQ852bzic","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":fal
se},"created_at":"2024-03-09T22:47:29Z","updated_at":"2024-03-09T22:47:29Z","author_association":"CONTRIBUTOR","body":"@cosmicexplorer Do you know if the CI failures are expected?","reactions":{"url":"https://api.github.com/repos/pypa/pip/issues/comments/1987000476/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-03-09T22:47:31Z","org":{"id":647025,"login":"pypa","gravatar_id":"","url":"https://api.github.com/orgs/pypa","avatar_url":"https://avatars.githubusercontent.com/u/647025?"}},{"id":"36238566850","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":9120498,"name":"pypi/warehouse","url":"https://api.github.com/repos/pypi/warehouse"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/pypi/warehouse/issues/8254","repository_url":"https://api.github.com/repos/pypi/warehouse","labels_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/labels{/name}","comments_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/comments","events_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/events","html_url":"https://github.com/pypi/warehouse/issues/8254","id":656034754,"node_id":"MDU6SXNzdWU2NTYwMzQ3NTQ=","number":8254,"title":"Expose the METADATA file of wheels in the simple 
API","user":{"login":"dstufft","id":145979,"node_id":"MDQ6VXNlcjE0NTk3OQ==","avatar_url":"https://avatars.githubusercontent.com/u/145979?v=4","gravatar_id":"","url":"https://api.github.com/users/dstufft","html_url":"https://github.com/dstufft","followers_url":"https://api.github.com/users/dstufft/followers","following_url":"https://api.github.com/users/dstufft/following{/other_user}","gists_url":"https://api.github.com/users/dstufft/gists{/gist_id}","starred_url":"https://api.github.com/users/dstufft/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/dstufft/subscriptions","organizations_url":"https://api.github.com/users/dstufft/orgs","repos_url":"https://api.github.com/users/dstufft/repos","events_url":"https://api.github.com/users/dstufft/events{/privacy}","received_events_url":"https://api.github.com/users/dstufft/received_events","type":"User","site_admin":false},"labels":[{"id":835444594,"node_id":"MDU6TGFiZWw4MzU0NDQ1OTQ=","url":"https://api.github.com/repos/pypi/warehouse/labels/APIs/feeds","name":"APIs/feeds","color":"bfd4f2","default":false,"description":null}],"state":"closed","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":121,"created_at":"2020-07-13T17:56:47Z","updated_at":"2024-03-04T21:44:28Z","closed_at":"2024-03-03T17:14:56Z","author_association":"MEMBER","active_lock_reason":null,"body":"Currently a number of projects are trying to work around the fact that in order to resolve dependencies in Python you have to download the entire wheel in order to read the metadata. 
I am aware of two current strategies for working around this, one is the attempt to use the PyPI JSON API (which isn't a good solution because it's non standard, the data model is wrong, and it's not going to be secured by TUF) and the other is attempting to use range requests to fetch only the ``METADATA`` file from the wheel before downloading the entire wheel (which isn't a good solution because TUF can currently only verify entire files, and it depends on the server supporting range requests, which not every mirror is going to support).\r\n\r\nIt seems to me like we could side step this issue by simply having PyPI extract the ``METADATA`` file of a wheel as part of the upload process, and storing that alongside the wheel itself. Within TUF we can ensure that these files have not been tampered with, by simply storing it as another TUF secured target. Resolvers could then download just the metadata file for a wheel they're considering as a candidate, instead of having to download the entire wheel.\r\n\r\nThis is a pretty small delta over what already exists, so it's more likely we're going to get it done than any of the broader proposals of trying to design an entire, brand new repository API or by ALSO retrofitting the JSON API inside of TUF.\r\n\r\nThe main problems with it is that the ``METADATA`` file might also be larger than needed since it contains the entire long description of the wheel and that it still leaves sdists unsolved (but they're not currently really solvable). I don't think either problem is too drastic though.\r\n\r\nWhat do folks thinks? 
This would probably require a PEP and I probably don't have the spare cycles to do that right now, but I wanted to get the idea written down in case someone else felt like picking it up.\r\n\r\n@pypa/pip-committers @pypa/pipenv-committers @sdispater (not sure who else works on poetry, feel free to CC more folks in).","reactions":{"url":"https://api.github.com/repos/pypi/warehouse/issues/8254/reactions","total_count":45,"+1":37,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":7,"eyes":1},"timeline_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/timeline","performed_via_github_app":null,"state_reason":"completed"},"comment":{"url":"https://api.github.com/repos/pypi/warehouse/issues/comments/1977514110","html_url":"https://github.com/pypi/warehouse/issues/8254#issuecomment-1977514110","issue_url":"https://api.github.com/repos/pypi/warehouse/issues/8254","id":1977514110,"node_id":"IC_kwDOAIsq8s513nh-","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-03-04T21:44:27Z","updated_at":"2024-03-04T21:44:27Z","author_association":"NONE","body":"> Here's bandwidth since the start of the year, looks like it was 
actually up last week, to the highest point ever:\r\n\r\nThat's so surprising! And that's at the CDN side right? Maybe all the clients cache effectively already, but the new metadata helps them resolve quicker and have smaller caches if they start from cold...\r\n\r\nIt definitely feels noticeably quicker... I wonder where/how the best way to measure it might be. ","reactions":{"url":"https://api.github.com/repos/pypi/warehouse/issues/comments/1977514110/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-03-04T21:44:28Z","org":{"id":2964877,"login":"pypi","gravatar_id":"","url":"https://api.github.com/orgs/pypi","avatar_url":"https://avatars.githubusercontent.com/u/2964877?"}},{"id":"36237860160","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":9120498,"name":"pypi/warehouse","url":"https://api.github.com/repos/pypi/warehouse"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/pypi/warehouse/issues/8254","repository_url":"https://api.github.com/repos/pypi/warehouse","labels_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/labels{/name}","comments_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/comments","events_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/events","html_url":"https://github.com/pypi/warehouse/issues/8254","id":656034754,"node_id":"MDU6SXNzdWU2NTYwMzQ3NTQ=","number":8254,"title":"Expose the METADATA file of wheels in the simple 
API","user":{"login":"dstufft","id":145979,"node_id":"MDQ6VXNlcjE0NTk3OQ==","avatar_url":"https://avatars.githubusercontent.com/u/145979?v=4","gravatar_id":"","url":"https://api.github.com/users/dstufft","html_url":"https://github.com/dstufft","followers_url":"https://api.github.com/users/dstufft/followers","following_url":"https://api.github.com/users/dstufft/following{/other_user}","gists_url":"https://api.github.com/users/dstufft/gists{/gist_id}","starred_url":"https://api.github.com/users/dstufft/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/dstufft/subscriptions","organizations_url":"https://api.github.com/users/dstufft/orgs","repos_url":"https://api.github.com/users/dstufft/repos","events_url":"https://api.github.com/users/dstufft/events{/privacy}","received_events_url":"https://api.github.com/users/dstufft/received_events","type":"User","site_admin":false},"labels":[{"id":835444594,"node_id":"MDU6TGFiZWw4MzU0NDQ1OTQ=","url":"https://api.github.com/repos/pypi/warehouse/labels/APIs/feeds","name":"APIs/feeds","color":"bfd4f2","default":false,"description":null}],"state":"closed","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":118,"created_at":"2020-07-13T17:56:47Z","updated_at":"2024-03-04T21:17:50Z","closed_at":"2024-03-03T17:14:56Z","author_association":"MEMBER","active_lock_reason":null,"body":"Currently a number of projects are trying to work around the fact that in order to resolve dependencies in Python you have to download the entire wheel in order to read the metadata. 
I am aware of two current strategies for working around this, one is the attempt to use the PyPI JSON API (which isn't a good solution because it's non standard, the data model is wrong, and it's not going to be secured by TUF) and the other is attempting to use range requests to fetch only the ``METADATA`` file from the wheel before downloading the entire wheel (which isn't a good solution because TUF can currently only verify entire files, and it depends on the server supporting range requests, which not every mirror is going to support).\r\n\r\nIt seems to me like we could side step this issue by simply having PyPI extract the ``METADATA`` file of a wheel as part of the upload process, and storing that alongside the wheel itself. Within TUF we can ensure that these files have not been tampered with, by simply storing it as another TUF secured target. Resolvers could then download just the metadata file for a wheel they're considering as a candidate, instead of having to download the entire wheel.\r\n\r\nThis is a pretty small delta over what already exists, so it's more likely we're going to get it done than any of the broader proposals of trying to design an entire, brand new repository API or by ALSO retrofitting the JSON API inside of TUF.\r\n\r\nThe main problems with it is that the ``METADATA`` file might also be larger than needed since it contains the entire long description of the wheel and that it still leaves sdists unsolved (but they're not currently really solvable). I don't think either problem is too drastic though.\r\n\r\nWhat do folks thinks? 
This would probably require a PEP and I probably don't have the spare cycles to do that right now, but I wanted to get the idea written down in case someone else felt like picking it up.\r\n\r\n@pypa/pip-committers @pypa/pipenv-committers @sdispater (not sure who else works on poetry, feel free to CC more folks in).","reactions":{"url":"https://api.github.com/repos/pypi/warehouse/issues/8254/reactions","total_count":45,"+1":37,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":7,"eyes":1},"timeline_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/timeline","performed_via_github_app":null,"state_reason":"completed"},"comment":{"url":"https://api.github.com/repos/pypi/warehouse/issues/comments/1977472549","html_url":"https://github.com/pypi/warehouse/issues/8254#issuecomment-1977472549","issue_url":"https://api.github.com/repos/pypi/warehouse/issues/8254","id":1977472549,"node_id":"IC_kwDOAIsq8s513dYl","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-03-04T21:17:49Z","updated_at":"2024-03-04T21:17:49Z","author_association":"NONE","body":"I hope there's a blog post or something about all of this. 
I'd be super curious to hear from @ewdurbin or anyone else who may know if there has been anything noticeable from a bandwidth or hosting perspective now that fewer chonky wheels are downloaded.","reactions":{"url":"https://api.github.com/repos/pypi/warehouse/issues/comments/1977472549/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-03-04T21:17:51Z","org":{"id":2964877,"login":"pypi","gravatar_id":"","url":"https://api.github.com/orgs/pypi","avatar_url":"https://avatars.githubusercontent.com/u/2964877?"}},{"id":"36218046735","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":9120498,"name":"pypi/warehouse","url":"https://api.github.com/repos/pypi/warehouse"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/pypi/warehouse/issues/8254","repository_url":"https://api.github.com/repos/pypi/warehouse","labels_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/labels{/name}","comments_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/comments","events_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/events","html_url":"https://github.com/pypi/warehouse/issues/8254","id":656034754,"node_id":"MDU6SXNzdWU2NTYwMzQ3NTQ=","number":8254,"title":"Expose the METADATA file of wheels in the simple 
API","user":{"login":"dstufft","id":145979,"node_id":"MDQ6VXNlcjE0NTk3OQ==","avatar_url":"https://avatars.githubusercontent.com/u/145979?v=4","gravatar_id":"","url":"https://api.github.com/users/dstufft","html_url":"https://github.com/dstufft","followers_url":"https://api.github.com/users/dstufft/followers","following_url":"https://api.github.com/users/dstufft/following{/other_user}","gists_url":"https://api.github.com/users/dstufft/gists{/gist_id}","starred_url":"https://api.github.com/users/dstufft/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/dstufft/subscriptions","organizations_url":"https://api.github.com/users/dstufft/orgs","repos_url":"https://api.github.com/users/dstufft/repos","events_url":"https://api.github.com/users/dstufft/events{/privacy}","received_events_url":"https://api.github.com/users/dstufft/received_events","type":"User","site_admin":false},"labels":[{"id":835444594,"node_id":"MDU6TGFiZWw4MzU0NDQ1OTQ=","url":"https://api.github.com/repos/pypi/warehouse/labels/APIs/feeds","name":"APIs/feeds","color":"bfd4f2","default":false,"description":null}],"state":"closed","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":112,"created_at":"2020-07-13T17:56:47Z","updated_at":"2024-03-04T11:04:55Z","closed_at":"2024-03-03T17:14:56Z","author_association":"MEMBER","active_lock_reason":null,"body":"Currently a number of projects are trying to work around the fact that in order to resolve dependencies in Python you have to download the entire wheel in order to read the metadata. 
I am aware of two current strategies for working around this, one is the attempt to use the PyPI JSON API (which isn't a good solution because it's non standard, the data model is wrong, and it's not going to be secured by TUF) and the other is attempting to use range requests to fetch only the ``METADATA`` file from the wheel before downloading the entire wheel (which isn't a good solution because TUF can currently only verify entire files, and it depends on the server supporting range requests, which not every mirror is going to support).\r\n\r\nIt seems to me like we could side step this issue by simply having PyPI extract the ``METADATA`` file of a wheel as part of the upload process, and storing that alongside the wheel itself. Within TUF we can ensure that these files have not been tampered with, by simply storing it as another TUF secured target. Resolvers could then download just the metadata file for a wheel they're considering as a candidate, instead of having to download the entire wheel.\r\n\r\nThis is a pretty small delta over what already exists, so it's more likely we're going to get it done than any of the broader proposals of trying to design an entire, brand new repository API or by ALSO retrofitting the JSON API inside of TUF.\r\n\r\nThe main problems with it is that the ``METADATA`` file might also be larger than needed since it contains the entire long description of the wheel and that it still leaves sdists unsolved (but they're not currently really solvable). I don't think either problem is too drastic though.\r\n\r\nWhat do folks thinks? 
This would probably require a PEP and I probably don't have the spare cycles to do that right now, but I wanted to get the idea written down in case someone else felt like picking it up.\r\n\r\n@pypa/pip-committers @pypa/pipenv-committers @sdispater (not sure who else works on poetry, feel free to CC more folks in).","reactions":{"url":"https://api.github.com/repos/pypi/warehouse/issues/8254/reactions","total_count":45,"+1":37,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":7,"eyes":1},"timeline_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/timeline","performed_via_github_app":null,"state_reason":"completed"},"comment":{"url":"https://api.github.com/repos/pypi/warehouse/issues/comments/1976327717","html_url":"https://github.com/pypi/warehouse/issues/8254#issuecomment-1976327717","issue_url":"https://api.github.com/repos/pypi/warehouse/issues/8254","id":1976327717,"node_id":"IC_kwDOAIsq8s51zF4l","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-03-04T11:04:54Z","updated_at":"2024-03-04T11:04:54Z","author_association":"NONE","body":"I realised the urls in the gist are missing a `/`. 
I'm not sure if that's from the creation of the gist or from some other mechanism. When I fixed the urls, I was able to download the binaries.\r\n\r\nI've updated and pushed the fixed paths here: https://gist.github.com/groodt/345aacb3795db63fe94735839824de87 (I'm not sure how / if to fork or merge against gists, or I would have simply pushed them to @di repo)\r\n\r\nI also noticed that many of the artifacts have the wrong extension (.egg, .zip and .tar.gz) but the ones that I looked at were displaying in the UI.\r\n\r\n\r\n","reactions":{"url":"https://api.github.com/repos/pypi/warehouse/issues/comments/1976327717/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-03-04T11:04:55Z","org":{"id":2964877,"login":"pypi","gravatar_id":"","url":"https://api.github.com/orgs/pypi","avatar_url":"https://avatars.githubusercontent.com/u/2964877?"}},{"id":"36192459137","type":"WatchEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":587050620,"name":"stanfordnlp/dspy","url":"https://api.github.com/repos/stanfordnlp/dspy"},"payload":{"action":"started"},"public":true,"created_at":"2024-03-03T03:03:34Z","org":{"id":3046006,"login":"stanfordnlp","gravatar_id":"","url":"https://api.github.com/orgs/stanfordnlp","avatar_url":"https://avatars.githubusercontent.com/u/3046006?"}},{"id":"36191073637","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":9120498,"name":"pypi/warehouse","url":"https://api.github.com/repos/pypi/warehouse"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/pypi/warehouse/issues/8254","reposi
tory_url":"https://api.github.com/repos/pypi/warehouse","labels_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/labels{/name}","comments_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/comments","events_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/events","html_url":"https://github.com/pypi/warehouse/issues/8254","id":656034754,"node_id":"MDU6SXNzdWU2NTYwMzQ3NTQ=","number":8254,"title":"Expose the METADATA file of wheels in the simple API","user":{"login":"dstufft","id":145979,"node_id":"MDQ6VXNlcjE0NTk3OQ==","avatar_url":"https://avatars.githubusercontent.com/u/145979?v=4","gravatar_id":"","url":"https://api.github.com/users/dstufft","html_url":"https://github.com/dstufft","followers_url":"https://api.github.com/users/dstufft/followers","following_url":"https://api.github.com/users/dstufft/following{/other_user}","gists_url":"https://api.github.com/users/dstufft/gists{/gist_id}","starred_url":"https://api.github.com/users/dstufft/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/dstufft/subscriptions","organizations_url":"https://api.github.com/users/dstufft/orgs","repos_url":"https://api.github.com/users/dstufft/repos","events_url":"https://api.github.com/users/dstufft/events{/privacy}","received_events_url":"https://api.github.com/users/dstufft/received_events","type":"User","site_admin":false},"labels":[{"id":835444594,"node_id":"MDU6TGFiZWw4MzU0NDQ1OTQ=","url":"https://api.github.com/repos/pypi/warehouse/labels/APIs/feeds","name":"APIs/feeds","color":"bfd4f2","default":false,"description":null}],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":108,"created_at":"2020-07-13T17:56:47Z","updated_at":"2024-03-03T00:04:20Z","closed_at":null,"author_association":"MEMBER","active_lock_reason":null,"body":"Currently a number of projects are trying to work around the fact that in order to resolve dependencies in Python you have to download the entire wheel in 
order to read the metadata. I am aware of two current strategies for working around this, one is the attempt to use the PyPI JSON API (which isn't a good solution because it's non standard, the data model is wrong, and it's not going to be secured by TUF) and the other is attempting to use range requests to fetch only the ``METADATA`` file from the wheel before downloading the entire wheel (which isn't a good solution because TUF can currently only verify entire files, and it depends on the server supporting range requests, which not every mirror is going to support).\r\n\r\nIt seems to me like we could side step this issue by simply having PyPI extract the ``METADATA`` file of a wheel as part of the upload process, and storing that alongside the wheel itself. Within TUF we can ensure that these files have not been tampered with, by simply storing it as another TUF secured target. Resolvers could then download just the metadata file for a wheel they're considering as a candidate, instead of having to download the entire wheel.\r\n\r\nThis is a pretty small delta over what already exists, so it's more likely we're going to get it done than any of the broader proposals of trying to design an entire, brand new repository API or by ALSO retrofitting the JSON API inside of TUF.\r\n\r\nThe main problems with it is that the ``METADATA`` file might also be larger than needed since it contains the entire long description of the wheel and that it still leaves sdists unsolved (but they're not currently really solvable). I don't think either problem is too drastic though.\r\n\r\nWhat do folks thinks? 
This would probably require a PEP and I probably don't have the spare cycles to do that right now, but I wanted to get the idea written down in case someone else felt like picking it up.\r\n\r\n@pypa/pip-committers @pypa/pipenv-committers @sdispater (not sure who else works on poetry, feel free to CC more folks in).","reactions":{"url":"https://api.github.com/repos/pypi/warehouse/issues/8254/reactions","total_count":45,"+1":37,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":7,"eyes":1},"timeline_url":"https://api.github.com/repos/pypi/warehouse/issues/8254/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/pypi/warehouse/issues/comments/1974947655","html_url":"https://github.com/pypi/warehouse/issues/8254#issuecomment-1974947655","issue_url":"https://api.github.com/repos/pypi/warehouse/issues/8254","id":1974947655,"node_id":"IC_kwDOAIsq8s51t09H","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-03-03T00:04:18Z","updated_at":"2024-03-03T00:04:18Z","author_association":"NONE","body":"I think I know the answer, but does PyPI block uploads of future wheels with 
invalid metadata?\r\n\r\nOnce the backfill is completed, we can review the \"corrupt\" distributions and also look at their download stats to determine if any further action will be disruptive. It might be that the distributions already have no downloads, so can either be yanked or ignored. ","reactions":{"url":"https://api.github.com/repos/pypi/warehouse/issues/comments/1974947655/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-03-03T00:04:20Z","org":{"id":2964877,"login":"pypi","gravatar_id":"","url":"https://api.github.com/orgs/pypi","avatar_url":"https://avatars.githubusercontent.com/u/2964877?"}},{"id":"36074247935","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":54980593,"name":"pypa/setuptools","url":"https://api.github.com/repos/pypa/setuptools"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/pypa/setuptools/issues/4240","repository_url":"https://api.github.com/repos/pypa/setuptools","labels_url":"https://api.github.com/repos/pypa/setuptools/issues/4240/labels{/name}","comments_url":"https://api.github.com/repos/pypa/setuptools/issues/4240/comments","events_url":"https://api.github.com/repos/pypa/setuptools/issues/4240/events","html_url":"https://github.com/pypa/setuptools/issues/4240","id":2157447902,"node_id":"I_kwDOA0bv8c6AmAre","number":4240,"title":"[FR] Metadata 2.2+ 
Support","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"labels":[{"id":349315098,"node_id":"MDU6TGFiZWwzNDkzMTUwOTg=","url":"https://api.github.com/repos/pypa/setuptools/labels/enhancement","name":"enhancement","color":"84b6eb","default":true,"description":null},{"id":1097196749,"node_id":"MDU6TGFiZWwxMDk3MTk2NzQ5","url":"https://api.github.com/repos/pypa/setuptools/labels/Needs%20Triage","name":"Needs Triage","color":"dd3333","default":false,"description":"Issues that need to be evaluated for severity and status."}],"state":"closed","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":1,"created_at":"2024-02-27T19:27:12Z","updated_at":"2024-02-28T05:02:00Z","closed_at":"2024-02-28T05:01:59Z","author_association":"NONE","active_lock_reason":null,"body":"### What's the problem this feature will solve?\n\nPyPI now supports Metadata 2.2+ and it would be ideal if setuptools started to build for newer standards by default\n\n### Describe the solution you'd like\n\nWhen no fields are Dynamic, Metadata 2.3 should be used. 
Otherwise Metadata 2.2 should be used.\n\n### Alternative Solutions\n\n_No response_\n\n### Additional context\n\n_No response_\n\n### Code of Conduct\n\n- [X] I agree to follow the PSF Code of Conduct","reactions":{"url":"https://api.github.com/repos/pypa/setuptools/issues/4240/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/pypa/setuptools/issues/4240/timeline","performed_via_github_app":null,"state_reason":"completed"},"comment":{"url":"https://api.github.com/repos/pypa/setuptools/issues/comments/1968234256","html_url":"https://github.com/pypa/setuptools/issues/4240#issuecomment-1968234256","issue_url":"https://api.github.com/repos/pypa/setuptools/issues/4240","id":1968234256,"node_id":"IC_kwDOA0bv8c51UN8Q","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-02-28T05:01:59Z","updated_at":"2024-02-28T05:01:59Z","author_association":"NONE","body":"Closing. 
I’ve realised this is a duplicate of https://github.com/pypa/setuptools/issues/2685","reactions":{"url":"https://api.github.com/repos/pypa/setuptools/issues/comments/1968234256/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-02-28T05:02:01Z","org":{"id":647025,"login":"pypa","gravatar_id":"","url":"https://api.github.com/orgs/pypa","avatar_url":"https://avatars.githubusercontent.com/u/647025?"}},{"id":"36074247784","type":"IssuesEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":54980593,"name":"pypa/setuptools","url":"https://api.github.com/repos/pypa/setuptools"},"payload":{"action":"closed","issue":{"url":"https://api.github.com/repos/pypa/setuptools/issues/4240","repository_url":"https://api.github.com/repos/pypa/setuptools","labels_url":"https://api.github.com/repos/pypa/setuptools/issues/4240/labels{/name}","comments_url":"https://api.github.com/repos/pypa/setuptools/issues/4240/comments","events_url":"https://api.github.com/repos/pypa/setuptools/issues/4240/events","html_url":"https://github.com/pypa/setuptools/issues/4240","id":2157447902,"node_id":"I_kwDOA0bv8c6AmAre","number":4240,"title":"[FR] Metadata 2.2+ 
Support","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"labels":[{"id":349315098,"node_id":"MDU6TGFiZWwzNDkzMTUwOTg=","url":"https://api.github.com/repos/pypa/setuptools/labels/enhancement","name":"enhancement","color":"84b6eb","default":true,"description":null},{"id":1097196749,"node_id":"MDU6TGFiZWwxMDk3MTk2NzQ5","url":"https://api.github.com/repos/pypa/setuptools/labels/Needs%20Triage","name":"Needs Triage","color":"dd3333","default":false,"description":"Issues that need to be evaluated for severity and status."}],"state":"closed","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":1,"created_at":"2024-02-27T19:27:12Z","updated_at":"2024-02-28T05:02:00Z","closed_at":"2024-02-28T05:01:59Z","author_association":"NONE","active_lock_reason":null,"body":"### What's the problem this feature will solve?\n\nPyPI now supports Metadata 2.2+ and it would be ideal if setuptools started to build for newer standards by default\n\n### Describe the solution you'd like\n\nWhen no fields are Dynamic, Metadata 2.3 should be used. 
Otherwise Metadata 2.2 should be used.\n\n### Alternative Solutions\n\n_No response_\n\n### Additional context\n\n_No response_\n\n### Code of Conduct\n\n- [X] I agree to follow the PSF Code of Conduct","reactions":{"url":"https://api.github.com/repos/pypa/setuptools/issues/4240/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/pypa/setuptools/issues/4240/timeline","performed_via_github_app":null,"state_reason":"completed"}},"public":true,"created_at":"2024-02-28T05:02:00Z","org":{"id":647025,"login":"pypa","gravatar_id":"","url":"https://api.github.com/orgs/pypa","avatar_url":"https://avatars.githubusercontent.com/u/647025?"}},{"id":"36063307155","type":"IssuesEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":32181539,"name":"pypa/flit","url":"https://api.github.com/repos/pypa/flit"},"payload":{"action":"opened","issue":{"url":"https://api.github.com/repos/pypa/flit/issues/675","repository_url":"https://api.github.com/repos/pypa/flit","labels_url":"https://api.github.com/repos/pypa/flit/issues/675/labels{/name}","comments_url":"https://api.github.com/repos/pypa/flit/issues/675/comments","events_url":"https://api.github.com/repos/pypa/flit/issues/675/events","html_url":"https://github.com/pypa/flit/issues/675","id":2157474700,"node_id":"I_kwDOAesNI86AmHOM","number":675,"title":"Metadata 
2.2+","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"labels":[],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":0,"created_at":"2024-02-27T19:44:08Z","updated_at":"2024-02-27T19:44:08Z","closed_at":null,"author_association":"NONE","active_lock_reason":null,"body":"PyPI now supports Metadata 2.2+ and it would be ideal if flit started to build for newer standards by 
default","reactions":{"url":"https://api.github.com/repos/pypa/flit/issues/675/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/pypa/flit/issues/675/timeline","performed_via_github_app":null,"state_reason":null}},"public":true,"created_at":"2024-02-27T19:44:09Z","org":{"id":647025,"login":"pypa","gravatar_id":"","url":"https://api.github.com/orgs/pypa","avatar_url":"https://avatars.githubusercontent.com/u/647025?"}},{"id":"36062850341","type":"IssuesEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":54980593,"name":"pypa/setuptools","url":"https://api.github.com/repos/pypa/setuptools"},"payload":{"action":"opened","issue":{"url":"https://api.github.com/repos/pypa/setuptools/issues/4240","repository_url":"https://api.github.com/repos/pypa/setuptools","labels_url":"https://api.github.com/repos/pypa/setuptools/issues/4240/labels{/name}","comments_url":"https://api.github.com/repos/pypa/setuptools/issues/4240/comments","events_url":"https://api.github.com/repos/pypa/setuptools/issues/4240/events","html_url":"https://github.com/pypa/setuptools/issues/4240","id":2157447902,"node_id":"I_kwDOA0bv8c6AmAre","number":4240,"title":"[FR] Metadata 2.2+ 
Support","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"labels":[{"id":349315098,"node_id":"MDU6TGFiZWwzNDkzMTUwOTg=","url":"https://api.github.com/repos/pypa/setuptools/labels/enhancement","name":"enhancement","color":"84b6eb","default":true,"description":null},{"id":1097196749,"node_id":"MDU6TGFiZWwxMDk3MTk2NzQ5","url":"https://api.github.com/repos/pypa/setuptools/labels/Needs%20Triage","name":"Needs Triage","color":"dd3333","default":false,"description":"Issues that need to be evaluated for severity and status."}],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":0,"created_at":"2024-02-27T19:27:12Z","updated_at":"2024-02-27T19:27:12Z","closed_at":null,"author_association":"NONE","active_lock_reason":null,"body":"### What's the problem this feature will solve?\n\nPyPI now supports Metadata 2.2+ and it would be ideal if setuptools started to build for newer standards by default\n\n### Describe the solution you'd like\n\nWhen no fields are Dynamic, Metadata 2.3 should be used. 
Otherwise Metadata 2.2 should be used.\n\n### Alternative Solutions\n\n_No response_\n\n### Additional context\n\n_No response_\n\n### Code of Conduct\n\n- [X] I agree to follow the PSF Code of Conduct","reactions":{"url":"https://api.github.com/repos/pypa/setuptools/issues/4240/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/pypa/setuptools/issues/4240/timeline","performed_via_github_app":null,"state_reason":null}},"public":true,"created_at":"2024-02-27T19:27:14Z","org":{"id":647025,"login":"pypa","gravatar_id":"","url":"https://api.github.com/orgs/pypa","avatar_url":"https://avatars.githubusercontent.com/u/647025?"}},{"id":"35814921456","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":1446467,"name":"pypa/pip","url":"https://api.github.com/repos/pypa/pip"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/pypa/pip/issues/11810","repository_url":"https://api.github.com/repos/pypa/pip","labels_url":"https://api.github.com/repos/pypa/pip/issues/11810/labels{/name}","comments_url":"https://api.github.com/repos/pypa/pip/issues/11810/comments","events_url":"https://api.github.com/repos/pypa/pip/issues/11810/events","html_url":"https://github.com/pypa/pip/pull/11810","id":1592573501,"node_id":"PR_kwDOABYSQ85KYewG","number":11810,"title":"Describe how to avoid dependency confusion in \"secure installs\" 
topic","user":{"login":"fabiobarkoski","id":65479069,"node_id":"MDQ6VXNlcjY1NDc5MDY5","avatar_url":"https://avatars.githubusercontent.com/u/65479069?v=4","gravatar_id":"","url":"https://api.github.com/users/fabiobarkoski","html_url":"https://github.com/fabiobarkoski","followers_url":"https://api.github.com/users/fabiobarkoski/followers","following_url":"https://api.github.com/users/fabiobarkoski/following{/other_user}","gists_url":"https://api.github.com/users/fabiobarkoski/gists{/gist_id}","starred_url":"https://api.github.com/users/fabiobarkoski/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/fabiobarkoski/subscriptions","organizations_url":"https://api.github.com/users/fabiobarkoski/orgs","repos_url":"https://api.github.com/users/fabiobarkoski/repos","events_url":"https://api.github.com/users/fabiobarkoski/events{/privacy}","received_events_url":"https://api.github.com/users/fabiobarkoski/received_events","type":"User","site_admin":false},"labels":[{"id":6347889867,"node_id":"LA_kwDOABYSQ88AAAABel0cyw","url":"https://api.github.com/repos/pypa/pip/labels/bot:chronographer:provided","name":"bot:chronographer:provided","color":"ededed","default":false,"description":null}],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":8,"created_at":"2023-02-20T23:55:22Z","updated_at":"2024-02-20T00:29:19Z","closed_at":null,"author_association":"NONE","active_lock_reason":null,"draft":false,"pull_request":{"url":"https://api.github.com/repos/pypa/pip/pulls/11810","html_url":"https://github.com/pypa/pip/pull/11810","diff_url":"https://github.com/pypa/pip/pull/11810.diff","patch_url":"https://github.com/pypa/pip/pull/11810.patch","merged_at":null},"body":"added to secure-installs topic how to avoid dependency confusion, where is better use --index-url or --find-links with --no-index instead --extra-index-url.\r\n\r\nresolve: 
#11722\r\n\r\n\r\n","reactions":{"url":"https://api.github.com/repos/pypa/pip/issues/11810/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/pypa/pip/issues/11810/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/pypa/pip/issues/comments/1953311234","html_url":"https://github.com/pypa/pip/pull/11810#issuecomment-1953311234","issue_url":"https://api.github.com/repos/pypa/pip/issues/11810","id":1953311234,"node_id":"IC_kwDOABYSQ850bSoC","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-02-20T00:29:18Z","updated_at":"2024-02-20T00:29:18Z","author_association":"CONTRIBUTOR","body":"> Also, I'm not particularly happy about linking to a PDF file on a random Azure media URL\r\n\r\nYes. It's frustrating. Microsoft at some point removed the HTML version of their whitepaper. It is a really good white paper though... 
I think it may have been Nathaniel who we tried to reach out to Azure/Microsoft to restore the original, but I think somehow their research docs site has been moved or taken down and I can no longer find the HTML original. They do still link out to the PDF in a few places like this though: https://devblogs.microsoft.com/nuget/introducing-package-source-mapping/ But it's a nuget link, which also might be confusing?\r\n\r\nIt's a bit of a shame there isn't a high-quality and public source of what \"Dependency Confusion\" is. Here are some alternatives:\r\nhttps://www.activestate.com/resources/quick-reads/dependency-confusion/\r\nhttps://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/06/devops-threat-matrix/\r\n","reactions":{"url":"https://api.github.com/repos/pypa/pip/issues/comments/1953311234/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-02-20T00:29:19Z","org":{"id":647025,"login":"pypa","gravatar_id":"","url":"https://api.github.com/orgs/pypa","avatar_url":"https://avatars.githubusercontent.com/u/647025?"}},{"id":"35792806155","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":1446467,"name":"pypa/pip","url":"https://api.github.com/repos/pypa/pip"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/pypa/pip/issues/11810","repository_url":"https://api.github.com/repos/pypa/pip","labels_url":"https://api.github.com/repos/pypa/pip/issues/11810/labels{/name}","comments_url":"https://api.github.com/repos/pypa/pip/issues/11810/comments","events_url":"https://api.github.com/repos/pypa/pip/issues/11810/events","html_url":"https://github.com/pypa/pip/pull/11810","id":1592573501,"node_
id":"PR_kwDOABYSQ85KYewG","number":11810,"title":"Describe how to avoid dependency confusion in \"secure installs\" topic","user":{"login":"fabiobarkoski","id":65479069,"node_id":"MDQ6VXNlcjY1NDc5MDY5","avatar_url":"https://avatars.githubusercontent.com/u/65479069?v=4","gravatar_id":"","url":"https://api.github.com/users/fabiobarkoski","html_url":"https://github.com/fabiobarkoski","followers_url":"https://api.github.com/users/fabiobarkoski/followers","following_url":"https://api.github.com/users/fabiobarkoski/following{/other_user}","gists_url":"https://api.github.com/users/fabiobarkoski/gists{/gist_id}","starred_url":"https://api.github.com/users/fabiobarkoski/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/fabiobarkoski/subscriptions","organizations_url":"https://api.github.com/users/fabiobarkoski/orgs","repos_url":"https://api.github.com/users/fabiobarkoski/repos","events_url":"https://api.github.com/users/fabiobarkoski/events{/privacy}","received_events_url":"https://api.github.com/users/fabiobarkoski/received_events","type":"User","site_admin":false},"labels":[{"id":6347889867,"node_id":"LA_kwDOABYSQ88AAAABel0cyw","url":"https://api.github.com/repos/pypa/pip/labels/bot:chronographer:provided","name":"bot:chronographer:provided","color":"ededed","default":false,"description":null}],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":6,"created_at":"2023-02-20T23:55:22Z","updated_at":"2024-02-19T10:11:41Z","closed_at":null,"author_association":"NONE","active_lock_reason":null,"draft":false,"pull_request":{"url":"https://api.github.com/repos/pypa/pip/pulls/11810","html_url":"https://github.com/pypa/pip/pull/11810","diff_url":"https://github.com/pypa/pip/pull/11810.diff","patch_url":"https://github.com/pypa/pip/pull/11810.patch","merged_at":null},"body":"added to secure-installs topic how to avoid dependency confusion, where is better use --index-url or --find-links with --no-index instead 
--extra-index-url.\r\n\r\nresolve: #11722\r\n\r\n\r\n","reactions":{"url":"https://api.github.com/repos/pypa/pip/issues/11810/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/pypa/pip/issues/11810/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/pypa/pip/issues/comments/1952115558","html_url":"https://github.com/pypa/pip/pull/11810#issuecomment-1952115558","issue_url":"https://api.github.com/repos/pypa/pip/issues/11810","id":1952115558,"node_id":"IC_kwDOABYSQ850Wutm","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-02-19T10:11:39Z","updated_at":"2024-02-19T10:11:39Z","author_association":"CONTRIBUTOR","body":"Anything further required to merge 
this?","reactions":{"url":"https://api.github.com/repos/pypa/pip/issues/comments/1952115558/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-02-19T10:11:41Z","org":{"id":647025,"login":"pypa","gravatar_id":"","url":"https://api.github.com/orgs/pypa","avatar_url":"https://avatars.githubusercontent.com/u/647025?"}},{"id":"35790816380","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":699532645,"name":"astral-sh/uv","url":"https://api.github.com/repos/astral-sh/uv"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/astral-sh/uv/issues/171","repository_url":"https://api.github.com/repos/astral-sh/uv","labels_url":"https://api.github.com/repos/astral-sh/uv/issues/171/labels{/name}","comments_url":"https://api.github.com/repos/astral-sh/uv/issues/171/comments","events_url":"https://api.github.com/repos/astral-sh/uv/issues/171/events","html_url":"https://github.com/astral-sh/uv/issues/171","id":1957499537,"node_id":"I_kwDOKbIFZc50rRKR","number":171,"title":"Add support for pinning a package to a specific 
index","user":{"login":"charliermarsh","id":1309177,"node_id":"MDQ6VXNlcjEzMDkxNzc=","avatar_url":"https://avatars.githubusercontent.com/u/1309177?v=4","gravatar_id":"","url":"https://api.github.com/users/charliermarsh","html_url":"https://github.com/charliermarsh","followers_url":"https://api.github.com/users/charliermarsh/followers","following_url":"https://api.github.com/users/charliermarsh/following{/other_user}","gists_url":"https://api.github.com/users/charliermarsh/gists{/gist_id}","starred_url":"https://api.github.com/users/charliermarsh/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/charliermarsh/subscriptions","organizations_url":"https://api.github.com/users/charliermarsh/orgs","repos_url":"https://api.github.com/users/charliermarsh/repos","events_url":"https://api.github.com/users/charliermarsh/events{/privacy}","received_events_url":"https://api.github.com/users/charliermarsh/received_events","type":"User","site_admin":false},"labels":[{"id":6034754233,"node_id":"LA_kwDOKbIFZc8AAAABZ7MKuQ","url":"https://api.github.com/repos/astral-sh/uv/labels/enhancement","name":"enhancement","color":"a2eeef","default":true,"description":"New feature or request"},{"id":6124795102,"node_id":"LA_kwDOKbIFZc8AAAABbRD03g","url":"https://api.github.com/repos/astral-sh/uv/labels/wish","name":"wish","color":"CDFC48","default":false,"description":"Not required for milestone; nice-to-have"}],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":{"url":"https://api.github.com/repos/astral-sh/uv/milestones/1","html_url":"https://github.com/astral-sh/uv/milestone/1","labels_url":"https://api.github.com/repos/astral-sh/uv/milestones/1/labels","id":10101294,"node_id":"MI_kwDOKbIFZc4AmiIu","number":1,"title":"Feature 
complete","description":"","creator":{"login":"charliermarsh","id":1309177,"node_id":"MDQ6VXNlcjEzMDkxNzc=","avatar_url":"https://avatars.githubusercontent.com/u/1309177?v=4","gravatar_id":"","url":"https://api.github.com/users/charliermarsh","html_url":"https://github.com/charliermarsh","followers_url":"https://api.github.com/users/charliermarsh/followers","following_url":"https://api.github.com/users/charliermarsh/following{/other_user}","gists_url":"https://api.github.com/users/charliermarsh/gists{/gist_id}","starred_url":"https://api.github.com/users/charliermarsh/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/charliermarsh/subscriptions","organizations_url":"https://api.github.com/users/charliermarsh/orgs","repos_url":"https://api.github.com/users/charliermarsh/repos","events_url":"https://api.github.com/users/charliermarsh/events{/privacy}","received_events_url":"https://api.github.com/users/charliermarsh/received_events","type":"User","site_admin":false},"open_issues":4,"closed_issues":41,"state":"open","created_at":"2023-10-24T19:17:34Z","updated_at":"2024-02-14T04:32:58Z","due_on":null,"closed_at":null},"comments":10,"created_at":"2023-10-23T15:59:07Z","updated_at":"2024-02-19T09:12:13Z","closed_at":null,"author_association":"MEMBER","active_lock_reason":null,"body":"Discussed this with Armin -- pip doesn't support it, and it seems like a big problem? If you have an internal index, but also want to get some packages from PyPI, there's no way to ensure that your internal packages come from your internal index. 
Packages on PyPI could even shadow them.","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/171/reactions","total_count":1,"+1":1,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/astral-sh/uv/issues/171/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/1952005420","html_url":"https://github.com/astral-sh/uv/issues/171#issuecomment-1952005420","issue_url":"https://api.github.com/repos/astral-sh/uv/issues/171","id":1952005420,"node_id":"IC_kwDOKbIFZc50WT0s","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-02-19T09:12:12Z","updated_at":"2024-02-19T09:12:12Z","author_association":"NONE","body":"There’s a small security warning in the pip docs [here](https://pip.pypa.io/en/stable/cli/pip_install/#examples)\r\n\r\n`\r\nUsing this option to search for packages which are not in the main repository (such as private packages) is unsafe, per a security vulnerability called [dependency 
confusion](https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/): an attacker can claim the package on the public repository in a way that will ensure it gets chosen over the private package.\r\n`\r\n\r\nThere is also an in progress pip PR to make this more explicit here https://github.com/pypa/pip/issues/11694\r\n\r\nHere’s a major recent dependent confusion attack that impacted PyTorch (caused by instructions to use —extra-index-url) https://news.ycombinator.com/item?id=34202662\r\n\r\n\r\n\r\n","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/1952005420/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-02-19T09:12:13Z","org":{"id":115962839,"login":"astral-sh","gravatar_id":"","url":"https://api.github.com/orgs/astral-sh","avatar_url":"https://avatars.githubusercontent.com/u/115962839?"}},{"id":"35787552331","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":699532645,"name":"astral-sh/uv","url":"https://api.github.com/repos/astral-sh/uv"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/astral-sh/uv/issues/1377","repository_url":"https://api.github.com/repos/astral-sh/uv","labels_url":"https://api.github.com/repos/astral-sh/uv/issues/1377/labels{/name}","comments_url":"https://api.github.com/repos/astral-sh/uv/issues/1377/comments","events_url":"https://api.github.com/repos/astral-sh/uv/issues/1377/events","html_url":"https://github.com/astral-sh/uv/issues/1377","id":2137590671,"node_id":"I_kwDOKbIFZc5_aQuP","number":1377,"title":"uv fails to use extra index 
url","user":{"login":"pawamoy","id":3999221,"node_id":"MDQ6VXNlcjM5OTkyMjE=","avatar_url":"https://avatars.githubusercontent.com/u/3999221?v=4","gravatar_id":"","url":"https://api.github.com/users/pawamoy","html_url":"https://github.com/pawamoy","followers_url":"https://api.github.com/users/pawamoy/followers","following_url":"https://api.github.com/users/pawamoy/following{/other_user}","gists_url":"https://api.github.com/users/pawamoy/gists{/gist_id}","starred_url":"https://api.github.com/users/pawamoy/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/pawamoy/subscriptions","organizations_url":"https://api.github.com/users/pawamoy/orgs","repos_url":"https://api.github.com/users/pawamoy/repos","events_url":"https://api.github.com/users/pawamoy/events{/privacy}","received_events_url":"https://api.github.com/users/pawamoy/received_events","type":"User","site_admin":false},"labels":[{"id":6034754220,"node_id":"LA_kwDOKbIFZc8AAAABZ7MKrA","url":"https://api.github.com/repos/astral-sh/uv/labels/bug","name":"bug","color":"d73a4a","default":true,"description":"Something isn't working"}],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":13,"created_at":"2024-02-15T23:03:26Z","updated_at":"2024-02-19T07:14:22Z","closed_at":null,"author_association":"NONE","active_lock_reason":null,"body":"I'm passing an extra index URL, but uv seems to only find package versions from PyPI.org.\r\n\r\nHere is a reproduction:\r\n\r\n```bash\r\n# Create an experimentation directory.\r\nmkdir repro-uv-extra-urls\r\ncd repro-uv-extra-urls\r\n\r\n# Run a local PyPI-like server.\r\nmkdir dists\r\npipx run pypiserver run dists --disable-fallback -p8000 -a. -P. 
&>/dev/null &\r\n\r\n# Create a pyproject.toml for a project called \"ruff\", version 1000.\r\ncat <<EOF >pyproject.toml\r\n[project]\r\nname = \"ruff\"\r\nversion = \"1000\"\r\ndescription = \"Ruff from the future.\"\r\nauthors = [{name = \"Charlie Marsh\", email = \"charlie@marsh.com\"}]\r\nreadme = \"README.md\"\r\nrequires-python = \">=3.8\"\r\nclassifiers = [\"Development Status :: 1 - Planning\"]\r\nEOF\r\n\r\n# Create a README.md file.\r\ncat <<EOF >README.md\r\n# Ruff\r\nHello.\r\nEOF\r\n\r\n# Build Python distributions for this package.\r\npipx run --spec build pyproject-build\r\n\r\n# Upload both wheel and sdist to our local PyPI-like index.\r\npipx run twine upload -u \"\" -p \"\" --repository-url http://localhost:8000 dist/*\r\n\r\n# Assert dists were uploaded.\r\n[ ! -f dists/ruff-1000-py3-none-any.whl ] && echo \"Wheel not uploaded\"\r\n[ ! -f dists/ruff-1000.tar.gz ] && echo \"Source distribution not uploaded\"\r\n\r\n# Create a venv.\r\nuv venv --seed\r\n\r\n# Assert uv fails to install ruff==1000\r\nuv pip install --extra-index-url http://localhost:8000/simple ruff==1000 && echo \"Working, not expected\" || echo \"Failing, as expected\"\r\n\r\n# Assert pip manages to install ruff==1000\r\n.venv/bin/pip install --extra-index-url http://localhost:8000/simple ruff==1000 && echo \"Working, as expected\" || echo \"Failing, not 
expected\"\r\n```","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/1377/reactions","total_count":4,"+1":4,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/astral-sh/uv/issues/1377/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/1951833892","html_url":"https://github.com/astral-sh/uv/issues/1377#issuecomment-1951833892","issue_url":"https://api.github.com/repos/astral-sh/uv/issues/1377","id":1951833892,"node_id":"IC_kwDOKbIFZc50Vp8k","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-02-19T07:14:21Z","updated_at":"2024-02-19T07:14:21Z","author_association":"NONE","body":"I don’t want to claim this as a general alternative to “—extra-index-url”, but it does often work for the common scenario of a single package on a different index. 
\r\n\r\nOne can use direct url references like so\r\n\r\n```\r\npython -m pip install 'SomeProject@https://my.package.repo/SomeProject-1.2.3-py33-none-any.whl'\r\n```\r\n\r\nAnother option I thought about to prevent making the same insecure mistake that pip did, might be to rename the flag to `—insecure-extra-index-url` so that at the very least the user is warned they may be vulnerable to dependency confusion attacks and should carefully consider the implications of what they are doing. ","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/1951833892/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-02-19T07:14:23Z","org":{"id":115962839,"login":"astral-sh","gravatar_id":"","url":"https://api.github.com/orgs/astral-sh","avatar_url":"https://avatars.githubusercontent.com/u/115962839?"}},{"id":"35786757649","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":699532645,"name":"astral-sh/uv","url":"https://api.github.com/repos/astral-sh/uv"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/astral-sh/uv/issues/1377","repository_url":"https://api.github.com/repos/astral-sh/uv","labels_url":"https://api.github.com/repos/astral-sh/uv/issues/1377/labels{/name}","comments_url":"https://api.github.com/repos/astral-sh/uv/issues/1377/comments","events_url":"https://api.github.com/repos/astral-sh/uv/issues/1377/events","html_url":"https://github.com/astral-sh/uv/issues/1377","id":2137590671,"node_id":"I_kwDOKbIFZc5_aQuP","number":1377,"title":"uv fails to use extra index 
url","user":{"login":"pawamoy","id":3999221,"node_id":"MDQ6VXNlcjM5OTkyMjE=","avatar_url":"https://avatars.githubusercontent.com/u/3999221?v=4","gravatar_id":"","url":"https://api.github.com/users/pawamoy","html_url":"https://github.com/pawamoy","followers_url":"https://api.github.com/users/pawamoy/followers","following_url":"https://api.github.com/users/pawamoy/following{/other_user}","gists_url":"https://api.github.com/users/pawamoy/gists{/gist_id}","starred_url":"https://api.github.com/users/pawamoy/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/pawamoy/subscriptions","organizations_url":"https://api.github.com/users/pawamoy/orgs","repos_url":"https://api.github.com/users/pawamoy/repos","events_url":"https://api.github.com/users/pawamoy/events{/privacy}","received_events_url":"https://api.github.com/users/pawamoy/received_events","type":"User","site_admin":false},"labels":[{"id":6034754220,"node_id":"LA_kwDOKbIFZc8AAAABZ7MKrA","url":"https://api.github.com/repos/astral-sh/uv/labels/bug","name":"bug","color":"d73a4a","default":true,"description":"Something isn't working"}],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":12,"created_at":"2024-02-15T23:03:26Z","updated_at":"2024-02-19T06:37:54Z","closed_at":null,"author_association":"NONE","active_lock_reason":null,"body":"I'm passing an extra index URL, but uv seems to only find package versions from PyPI.org.\r\n\r\nHere is a reproduction:\r\n\r\n```bash\r\n# Create an experimentation directory.\r\nmkdir repro-uv-extra-urls\r\ncd repro-uv-extra-urls\r\n\r\n# Run a local PyPI-like server.\r\nmkdir dists\r\npipx run pypiserver run dists --disable-fallback -p8000 -a. -P. 
&>/dev/null &\r\n\r\n# Create a pyproject.toml for a project called \"ruff\", version 1000.\r\ncat <<EOF >pyproject.toml\r\n[project]\r\nname = \"ruff\"\r\nversion = \"1000\"\r\ndescription = \"Ruff from the future.\"\r\nauthors = [{name = \"Charlie Marsh\", email = \"charlie@marsh.com\"}]\r\nreadme = \"README.md\"\r\nrequires-python = \">=3.8\"\r\nclassifiers = [\"Development Status :: 1 - Planning\"]\r\nEOF\r\n\r\n# Create a README.md file.\r\ncat <<EOF >README.md\r\n# Ruff\r\nHello.\r\nEOF\r\n\r\n# Build Python distributions for this package.\r\npipx run --spec build pyproject-build\r\n\r\n# Upload both wheel and sdist to our local PyPI-like index.\r\npipx run twine upload -u \"\" -p \"\" --repository-url http://localhost:8000 dist/*\r\n\r\n# Assert dists were uploaded.\r\n[ ! -f dists/ruff-1000-py3-none-any.whl ] && echo \"Wheel not uploaded\"\r\n[ ! -f dists/ruff-1000.tar.gz ] && echo \"Source distribution not uploaded\"\r\n\r\n# Create a venv.\r\nuv venv --seed\r\n\r\n# Assert uv fails to install ruff==1000\r\nuv pip install --extra-index-url http://localhost:8000/simple ruff==1000 && echo \"Working, not expected\" || echo \"Failing, as expected\"\r\n\r\n# Assert pip manages to install ruff==1000\r\n.venv/bin/pip install --extra-index-url http://localhost:8000/simple ruff==1000 && echo \"Working, as expected\" || echo \"Failing, not 
expected\"\r\n```","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/1377/reactions","total_count":4,"+1":4,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/astral-sh/uv/issues/1377/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/1951795658","html_url":"https://github.com/astral-sh/uv/issues/1377#issuecomment-1951795658","issue_url":"https://api.github.com/repos/astral-sh/uv/issues/1377","id":1951795658,"node_id":"IC_kwDOKbIFZc50VgnK","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-02-19T06:37:54Z","updated_at":"2024-02-19T06:37:54Z","author_association":"NONE","body":"I am intentionally mentioning this comment because these 2 issues are related and can lead to significant security problems. 
\r\n\r\nhttps://github.com/astral-sh/uv/issues/171#issuecomment-1951663263","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/1951795658/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-02-19T06:37:55Z","org":{"id":115962839,"login":"astral-sh","gravatar_id":"","url":"https://api.github.com/orgs/astral-sh","avatar_url":"https://avatars.githubusercontent.com/u/115962839?"}},{"id":"35784261132","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":699532645,"name":"astral-sh/uv","url":"https://api.github.com/repos/astral-sh/uv"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/astral-sh/uv/issues/171","repository_url":"https://api.github.com/repos/astral-sh/uv","labels_url":"https://api.github.com/repos/astral-sh/uv/issues/171/labels{/name}","comments_url":"https://api.github.com/repos/astral-sh/uv/issues/171/comments","events_url":"https://api.github.com/repos/astral-sh/uv/issues/171/events","html_url":"https://github.com/astral-sh/uv/issues/171","id":1957499537,"node_id":"I_kwDOKbIFZc50rRKR","number":171,"title":"Add support for pinning a package to a specific 
index","user":{"login":"charliermarsh","id":1309177,"node_id":"MDQ6VXNlcjEzMDkxNzc=","avatar_url":"https://avatars.githubusercontent.com/u/1309177?v=4","gravatar_id":"","url":"https://api.github.com/users/charliermarsh","html_url":"https://github.com/charliermarsh","followers_url":"https://api.github.com/users/charliermarsh/followers","following_url":"https://api.github.com/users/charliermarsh/following{/other_user}","gists_url":"https://api.github.com/users/charliermarsh/gists{/gist_id}","starred_url":"https://api.github.com/users/charliermarsh/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/charliermarsh/subscriptions","organizations_url":"https://api.github.com/users/charliermarsh/orgs","repos_url":"https://api.github.com/users/charliermarsh/repos","events_url":"https://api.github.com/users/charliermarsh/events{/privacy}","received_events_url":"https://api.github.com/users/charliermarsh/received_events","type":"User","site_admin":false},"labels":[{"id":6034754233,"node_id":"LA_kwDOKbIFZc8AAAABZ7MKuQ","url":"https://api.github.com/repos/astral-sh/uv/labels/enhancement","name":"enhancement","color":"a2eeef","default":true,"description":"New feature or request"},{"id":6124795102,"node_id":"LA_kwDOKbIFZc8AAAABbRD03g","url":"https://api.github.com/repos/astral-sh/uv/labels/wish","name":"wish","color":"CDFC48","default":false,"description":"Not required for milestone; nice-to-have"}],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":{"url":"https://api.github.com/repos/astral-sh/uv/milestones/1","html_url":"https://github.com/astral-sh/uv/milestone/1","labels_url":"https://api.github.com/repos/astral-sh/uv/milestones/1/labels","id":10101294,"node_id":"MI_kwDOKbIFZc4AmiIu","number":1,"title":"Feature 
complete","description":"","creator":{"login":"charliermarsh","id":1309177,"node_id":"MDQ6VXNlcjEzMDkxNzc=","avatar_url":"https://avatars.githubusercontent.com/u/1309177?v=4","gravatar_id":"","url":"https://api.github.com/users/charliermarsh","html_url":"https://github.com/charliermarsh","followers_url":"https://api.github.com/users/charliermarsh/followers","following_url":"https://api.github.com/users/charliermarsh/following{/other_user}","gists_url":"https://api.github.com/users/charliermarsh/gists{/gist_id}","starred_url":"https://api.github.com/users/charliermarsh/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/charliermarsh/subscriptions","organizations_url":"https://api.github.com/users/charliermarsh/orgs","repos_url":"https://api.github.com/users/charliermarsh/repos","events_url":"https://api.github.com/users/charliermarsh/events{/privacy}","received_events_url":"https://api.github.com/users/charliermarsh/received_events","type":"User","site_admin":false},"open_issues":4,"closed_issues":41,"state":"open","created_at":"2023-10-24T19:17:34Z","updated_at":"2024-02-14T04:32:58Z","due_on":null,"closed_at":null},"comments":7,"created_at":"2023-10-23T15:59:07Z","updated_at":"2024-02-19T04:16:27Z","closed_at":null,"author_association":"MEMBER","active_lock_reason":null,"body":"Discussed this with Armin -- pip doesn't support it, and it seems like a big problem? If you have an internal index, but also want to get some packages from PyPI, there's no way to ensure that your internal packages come from your internal index. 
Packages on PyPI could even shadow them.","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/171/reactions","total_count":1,"+1":1,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/astral-sh/uv/issues/171/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/1951663263","html_url":"https://github.com/astral-sh/uv/issues/171#issuecomment-1951663263","issue_url":"https://api.github.com/repos/astral-sh/uv/issues/171","id":1951663263,"node_id":"IC_kwDOKbIFZc50VASf","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-02-19T04:16:26Z","updated_at":"2024-02-19T04:16:26Z","author_association":"NONE","body":"Makes sense. 
\r\n\r\nI think you may receive a lot of duplicate feature requests from the folks who do misuse `--extra-index-url` and who aren't aware that it is not currently intended to be used to append additional sources of dependencies, its purpose is to provide a set of fallback mirrors of the primary index (`--index-url`) which is PyPI in the general case.\r\n\r\nWe may need to consider offering some help as mentioned in the PEP to move this along.\r\n\r\nIn the short-term, if you don't want to bug-for-bug implement pip, we may need to point people at alternatives like https://github.com/uranusjr/simpleindex to help them merge indexes behind the scenes on localhost. I don't think many will like it 😂 ","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/1951663263/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-02-19T04:16:27Z","org":{"id":115962839,"login":"astral-sh","gravatar_id":"","url":"https://api.github.com/orgs/astral-sh","avatar_url":"https://avatars.githubusercontent.com/u/115962839?"}},{"id":"35782946428","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":699532645,"name":"astral-sh/uv","url":"https://api.github.com/repos/astral-sh/uv"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/astral-sh/uv/issues/171","repository_url":"https://api.github.com/repos/astral-sh/uv","labels_url":"https://api.github.com/repos/astral-sh/uv/issues/171/labels{/name}","comments_url":"https://api.github.com/repos/astral-sh/uv/issues/171/comments","events_url":"https://api.github.com/repos/astral-sh/uv/issues/171/events","html_url":"https://github.com/astral-sh/uv/issues/171","id":1957499537,"node_id":"I_kwDOKbIFZc50rRKR","number":17
1,"title":"Add support for pinning a package to a specific index","user":{"login":"charliermarsh","id":1309177,"node_id":"MDQ6VXNlcjEzMDkxNzc=","avatar_url":"https://avatars.githubusercontent.com/u/1309177?v=4","gravatar_id":"","url":"https://api.github.com/users/charliermarsh","html_url":"https://github.com/charliermarsh","followers_url":"https://api.github.com/users/charliermarsh/followers","following_url":"https://api.github.com/users/charliermarsh/following{/other_user}","gists_url":"https://api.github.com/users/charliermarsh/gists{/gist_id}","starred_url":"https://api.github.com/users/charliermarsh/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/charliermarsh/subscriptions","organizations_url":"https://api.github.com/users/charliermarsh/orgs","repos_url":"https://api.github.com/users/charliermarsh/repos","events_url":"https://api.github.com/users/charliermarsh/events{/privacy}","received_events_url":"https://api.github.com/users/charliermarsh/received_events","type":"User","site_admin":false},"labels":[{"id":6034754233,"node_id":"LA_kwDOKbIFZc8AAAABZ7MKuQ","url":"https://api.github.com/repos/astral-sh/uv/labels/enhancement","name":"enhancement","color":"a2eeef","default":true,"description":"New feature or request"},{"id":6124795102,"node_id":"LA_kwDOKbIFZc8AAAABbRD03g","url":"https://api.github.com/repos/astral-sh/uv/labels/wish","name":"wish","color":"CDFC48","default":false,"description":"Not required for milestone; nice-to-have"}],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":{"url":"https://api.github.com/repos/astral-sh/uv/milestones/1","html_url":"https://github.com/astral-sh/uv/milestone/1","labels_url":"https://api.github.com/repos/astral-sh/uv/milestones/1/labels","id":10101294,"node_id":"MI_kwDOKbIFZc4AmiIu","number":1,"title":"Feature 
complete","description":"","creator":{"login":"charliermarsh","id":1309177,"node_id":"MDQ6VXNlcjEzMDkxNzc=","avatar_url":"https://avatars.githubusercontent.com/u/1309177?v=4","gravatar_id":"","url":"https://api.github.com/users/charliermarsh","html_url":"https://github.com/charliermarsh","followers_url":"https://api.github.com/users/charliermarsh/followers","following_url":"https://api.github.com/users/charliermarsh/following{/other_user}","gists_url":"https://api.github.com/users/charliermarsh/gists{/gist_id}","starred_url":"https://api.github.com/users/charliermarsh/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/charliermarsh/subscriptions","organizations_url":"https://api.github.com/users/charliermarsh/orgs","repos_url":"https://api.github.com/users/charliermarsh/repos","events_url":"https://api.github.com/users/charliermarsh/events{/privacy}","received_events_url":"https://api.github.com/users/charliermarsh/received_events","type":"User","site_admin":false},"open_issues":4,"closed_issues":41,"state":"open","created_at":"2023-10-24T19:17:34Z","updated_at":"2024-02-14T04:32:58Z","due_on":null,"closed_at":null},"comments":5,"created_at":"2023-10-23T15:59:07Z","updated_at":"2024-02-19T02:43:58Z","closed_at":null,"author_association":"MEMBER","active_lock_reason":null,"body":"Discussed this with Armin -- pip doesn't support it, and it seems like a big problem? If you have an internal index, but also want to get some packages from PyPI, there's no way to ensure that your internal packages come from your internal index. 
Packages on PyPI could even shadow them.","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/171/reactions","total_count":1,"+1":1,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/astral-sh/uv/issues/171/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/1951599499","html_url":"https://github.com/astral-sh/uv/issues/171#issuecomment-1951599499","issue_url":"https://api.github.com/repos/astral-sh/uv/issues/171","id":1951599499,"node_id":"IC_kwDOKbIFZc50UwuL","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-02-19T02:43:57Z","updated_at":"2024-02-19T02:43:57Z","author_association":"NONE","body":"Please consider dependency confusion attacks: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610\r\n\r\nUse of `--extra-index-url` as they are presently used are a security vulnerability. 
\r\n\r\n[PEP 708](https://peps.python.org/pep-0708/) is a yet-to-be-implemented approach to improving the security posture.","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/1951599499/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-02-19T02:43:58Z","org":{"id":115962839,"login":"astral-sh","gravatar_id":"","url":"https://api.github.com/orgs/astral-sh","avatar_url":"https://avatars.githubusercontent.com/u/115962839?"}},{"id":"35782926384","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":699532645,"name":"astral-sh/uv","url":"https://api.github.com/repos/astral-sh/uv"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/astral-sh/uv/issues/1377","repository_url":"https://api.github.com/repos/astral-sh/uv","labels_url":"https://api.github.com/repos/astral-sh/uv/issues/1377/labels{/name}","comments_url":"https://api.github.com/repos/astral-sh/uv/issues/1377/comments","events_url":"https://api.github.com/repos/astral-sh/uv/issues/1377/events","html_url":"https://github.com/astral-sh/uv/issues/1377","id":2137590671,"node_id":"I_kwDOKbIFZc5_aQuP","number":1377,"title":"uv fails to use extra index 
url","user":{"login":"pawamoy","id":3999221,"node_id":"MDQ6VXNlcjM5OTkyMjE=","avatar_url":"https://avatars.githubusercontent.com/u/3999221?v=4","gravatar_id":"","url":"https://api.github.com/users/pawamoy","html_url":"https://github.com/pawamoy","followers_url":"https://api.github.com/users/pawamoy/followers","following_url":"https://api.github.com/users/pawamoy/following{/other_user}","gists_url":"https://api.github.com/users/pawamoy/gists{/gist_id}","starred_url":"https://api.github.com/users/pawamoy/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/pawamoy/subscriptions","organizations_url":"https://api.github.com/users/pawamoy/orgs","repos_url":"https://api.github.com/users/pawamoy/repos","events_url":"https://api.github.com/users/pawamoy/events{/privacy}","received_events_url":"https://api.github.com/users/pawamoy/received_events","type":"User","site_admin":false},"labels":[{"id":6034754220,"node_id":"LA_kwDOKbIFZc8AAAABZ7MKrA","url":"https://api.github.com/repos/astral-sh/uv/labels/bug","name":"bug","color":"d73a4a","default":true,"description":"Something isn't working"}],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":10,"created_at":"2024-02-15T23:03:26Z","updated_at":"2024-02-19T02:42:29Z","closed_at":null,"author_association":"NONE","active_lock_reason":null,"body":"I'm passing an extra index URL, but uv seems to only find package versions from PyPI.org.\r\n\r\nHere is a reproduction:\r\n\r\n```bash\r\n# Create an experimentation directory.\r\nmkdir repro-uv-extra-urls\r\ncd repro-uv-extra-urls\r\n\r\n# Run a local PyPI-like server.\r\nmkdir dists\r\npipx run pypiserver run dists --disable-fallback -p8000 -a. -P. 
&>/dev/null &\r\n\r\n# Create a pyproject.toml for a project called \"ruff\", version 1000.\r\ncat <<EOF >pyproject.toml\r\n[project]\r\nname = \"ruff\"\r\nversion = \"1000\"\r\ndescription = \"Ruff from the future.\"\r\nauthors = [{name = \"Charlie Marsh\", email = \"charlie@marsh.com\"}]\r\nreadme = \"README.md\"\r\nrequires-python = \">=3.8\"\r\nclassifiers = [\"Development Status :: 1 - Planning\"]\r\nEOF\r\n\r\n# Create a README.md file.\r\ncat <<EOF >README.md\r\n# Ruff\r\nHello.\r\nEOF\r\n\r\n# Build Python distributions for this package.\r\npipx run --spec build pyproject-build\r\n\r\n# Upload both wheel and sdist to our local PyPI-like index.\r\npipx run twine upload -u \"\" -p \"\" --repository-url http://localhost:8000 dist/*\r\n\r\n# Assert dists were uploaded.\r\n[ ! -f dists/ruff-1000-py3-none-any.whl ] && echo \"Wheel not uploaded\"\r\n[ ! -f dists/ruff-1000.tar.gz ] && echo \"Source distribution not uploaded\"\r\n\r\n# Create a venv.\r\nuv venv --seed\r\n\r\n# Assert uv fails to install ruff==1000\r\nuv pip install --extra-index-url http://localhost:8000/simple ruff==1000 && echo \"Working, not expected\" || echo \"Failing, as expected\"\r\n\r\n# Assert pip manages to install ruff==1000\r\n.venv/bin/pip install --extra-index-url http://localhost:8000/simple ruff==1000 && echo \"Working, as expected\" || echo \"Failing, not 
expected\"\r\n```","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/1377/reactions","total_count":4,"+1":4,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/astral-sh/uv/issues/1377/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/1951598546","html_url":"https://github.com/astral-sh/uv/issues/1377#issuecomment-1951598546","issue_url":"https://api.github.com/repos/astral-sh/uv/issues/1377","id":1951598546,"node_id":"IC_kwDOKbIFZc50UwfS","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-02-19T02:42:28Z","updated_at":"2024-02-19T02:42:28Z","author_association":"NONE","body":"Please consider dependency confusion attacks: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610\r\n\r\nUse of `--extra-index-url` as they are presently used are a security vulnerability. 
\r\n\r\n[PEP 708](https://peps.python.org/pep-0708/) is a yet-to-be-implemented approach to improving the security posture.","reactions":{"url":"https://api.github.com/repos/astral-sh/uv/issues/comments/1951598546/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-02-19T02:42:30Z","org":{"id":115962839,"login":"astral-sh","gravatar_id":"","url":"https://api.github.com/orgs/astral-sh","avatar_url":"https://avatars.githubusercontent.com/u/115962839?"}},{"id":"35752234198","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":101780532,"name":"bazelbuild/rules_python","url":"https://api.github.com/repos/bazelbuild/rules_python"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463","repository_url":"https://api.github.com/repos/bazelbuild/rules_python","labels_url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463/labels{/name}","comments_url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463/comments","events_url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463/events","html_url":"https://github.com/bazelbuild/rules_python/issues/1463","id":1928661584,"node_id":"I_kwDOBhEMNM5y9QpQ","number":1463,"title":"`pip_parse` using hermetic python interpreter is 
failing","user":{"login":"wsoesanto-arbo","id":122245497,"node_id":"U_kgDOB0lReQ","avatar_url":"https://avatars.githubusercontent.com/u/122245497?v=4","gravatar_id":"","url":"https://api.github.com/users/wsoesanto-arbo","html_url":"https://github.com/wsoesanto-arbo","followers_url":"https://api.github.com/users/wsoesanto-arbo/followers","following_url":"https://api.github.com/users/wsoesanto-arbo/following{/other_user}","gists_url":"https://api.github.com/users/wsoesanto-arbo/gists{/gist_id}","starred_url":"https://api.github.com/users/wsoesanto-arbo/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/wsoesanto-arbo/subscriptions","organizations_url":"https://api.github.com/users/wsoesanto-arbo/orgs","repos_url":"https://api.github.com/users/wsoesanto-arbo/repos","events_url":"https://api.github.com/users/wsoesanto-arbo/events{/privacy}","received_events_url":"https://api.github.com/users/wsoesanto-arbo/received_events","type":"User","site_admin":false},"labels":[],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":10,"created_at":"2023-10-05T16:24:30Z","updated_at":"2024-02-16T21:54:08Z","closed_at":null,"author_association":"NONE","active_lock_reason":null,"body":"# 🐞 bug report\r\n\r\n### Affected Rule\r\n\r\nThe issue is caused by the rule: `pip_parse`\r\n\r\n\r\n### Is this a regression?\r\n\r\nNot certain.\r\n\r\n### Description\r\n\r\nI am getting compilation error when it's trying to build wheel dependency.\r\n\r\nIt doesn't throw an error when I left out `python_interpreter_target` attribute of `pip_parse`.\r\n\r\n## 🔬 Minimal Reproduction\r\n\r\nRepository link can be seen here: https://github.com/wsoesanto-arbo/rules_python-pipcompile\r\n\r\nWORKSPACE\r\n\r\n```\r\nload(\"@bazel_tools//tools/build_defs/repo:http.bzl\", \"http_archive\", \"http_file\")\r\n\r\nhttp_archive(\r\n name = \"rules_python\",\r\n sha256 = \"5868e73107a8e85d8f323806e60cad7283f34b32163ea6ff1020cf27abef6036\",\r\n 
strip_prefix = \"rules_python-0.25.0\",\r\n url = \"https://github.com/bazelbuild/rules_python/releases/download/0.25.0/rules_python-0.25.0.tar.gz\",\r\n)\r\nload(\"@rules_python//python:repositories.bzl\", \"py_repositories\")\r\n\r\npy_repositories()\r\n\r\nload(\"@rules_python//python:repositories.bzl\", \"python_register_toolchains\")\r\n\r\npython_register_toolchains(\r\n name = \"python_toolchain\",\r\n python_version = \"3.11\",\r\n)\r\n\r\nload(\"@python_toolchain//:defs.bzl\", \"interpreter\")\r\nload(\"@rules_python//python:pip.bzl\", \"pip_parse\")\r\n\r\npip_parse(\r\n name = \"pip\",\r\n python_interpreter_target = interpreter,\r\n requirements_lock = \"@//:requirements.txt\",\r\n)\r\nload(\"@pip//:requirements.bzl\", \"install_deps\")\r\ninstall_deps()\r\n```\r\n\r\nBUILD\r\n\r\n```\r\nload(\"@rules_python//python:pip.bzl\", \"compile_pip_requirements\")\r\n\r\ncompile_pip_requirements(\r\n name = \"requirements\",\r\n requirements_in = \"requirements.in\",\r\n requirements_txt = \"requirements.txt\",\r\n)\r\n```\r\n\r\nrequirements.in\r\n\r\n```\r\nhnswlib==0.7.0\r\n```\r\n\r\nrequirements.txt\r\n```\r\n#\r\n# This file is autogenerated by pip-compile with Python 3.11\r\n# by the following command:\r\n#\r\n# bazel run //:requirements.update\r\n#\r\nhnswlib==0.7.0 \\\r\n --hash=sha256:bc459668e7e44bb7454b256b90c98c5af750653919d9a91698dafcf416cf64c4\r\n # via -r requirements.in\r\nnumpy==1.22.4 \\\r\n --hash=sha256:0791fbd1e43bf74b3502133207e378901272f3c156c4df4954cad833b1380207 \\\r\n --hash=sha256:1ce7ab2053e36c0a71e7a13a7475bd3b1f54750b4b433adc96313e127b870887 \\\r\n --hash=sha256:2d487e06ecbf1dc2f18e7efce82ded4f705f4bd0cd02677ffccfb39e5c284c7e \\\r\n --hash=sha256:37431a77ceb9307c28382c9773da9f306435135fae6b80b62a11c53cfedd8802 \\\r\n --hash=sha256:3e1ffa4748168e1cc8d3cde93f006fe92b5421396221a02f2274aab6ac83b077 \\\r\n --hash=sha256:425b390e4619f58d8526b3dcf656dde069133ae5c240229821f01b5f44ea07af \\\r\n 
--hash=sha256:43a8ca7391b626b4c4fe20aefe79fec683279e31e7c79716863b4b25021e0e74 \\\r\n --hash=sha256:4c6036521f11a731ce0648f10c18ae66d7143865f19f7299943c985cdc95afb5 \\\r\n --hash=sha256:59d55e634968b8f77d3fd674a3cf0b96e85147cd6556ec64ade018f27e9479e1 \\\r\n --hash=sha256:64f56fc53a2d18b1924abd15745e30d82a5782b2cab3429aceecc6875bd5add0 \\\r\n --hash=sha256:7228ad13744f63575b3a972d7ee4fd61815b2879998e70930d4ccf9ec721dce0 \\\r\n --hash=sha256:9ce7df0abeabe7fbd8ccbf343dc0db72f68549856b863ae3dd580255d009648e \\\r\n --hash=sha256:a911e317e8c826ea632205e63ed8507e0dc877dcdc49744584dfc363df9ca08c \\\r\n --hash=sha256:b89bf9b94b3d624e7bb480344e91f68c1c6c75f026ed6755955117de00917a7c \\\r\n --hash=sha256:ba9ead61dfb5d971d77b6c131a9dbee62294a932bf6a356e48c75ae684e635b3 \\\r\n --hash=sha256:c1d937820db6e43bec43e8d016b9b3165dcb42892ea9f106c70fb13d430ffe72 \\\r\n --hash=sha256:cc7f00008eb7d3f2489fca6f334ec19ca63e31371be28fd5dad955b16ec285bd \\\r\n --hash=sha256:d4c5d5eb2ec8da0b4f50c9a843393971f31f1d60be87e0fb0917a49133d257d6 \\\r\n --hash=sha256:e96d7f3096a36c8754207ab89d4b3282ba7b49ea140e4973591852c77d09eb76 \\\r\n --hash=sha256:f0725df166cf4785c0bc4cbfb320203182b1ecd30fee6e541c8752a92df6aa32 \\\r\n --hash=sha256:f3eb268dbd5cfaffd9448113539e44e2dd1c5ca9ce25576f7c04a5453edc26fa \\\r\n --hash=sha256:fb7a980c81dd932381f8228a426df8aeb70d59bbcda2af075b627bbc50207cba\r\n # via hnswlib\r\n```\r\n\r\n\r\n## 🔥 Exception or Error\r\n\r\n\r\nERROR: whl_library pip_hnswlib failed: Collecting hnswlib==0.7.0\r\n Using cached hnswlib-0.7.0.tar.gz (33 kB)\r\n Installing build dependencies: started\r\n Installing build dependencies: finished with status 'done'\r\n Getting requirements to build wheel: started\r\n Getting requirements to build wheel: finished with status 'done'\r\n Preparing metadata (pyproject.toml): started\r\n Preparing metadata (pyproject.toml): finished with status 'done'\r\nBuilding wheels for collected packages: hnswlib\r\n Building wheel for hnswlib (pyproject.toml): 
started\r\n Building wheel for hnswlib (pyproject.toml): finished with status 'error'\r\nFailed to build hnswlib\r\n ( error: subprocess-exited-with-error\r\n \r\n × Building wheel for hnswlib (pyproject.toml) did not run successfully.\r\n │ exit code: 1\r\n ╰─> [60 lines of output]\r\n running bdist_wheel\r\n running build\r\n running build_ext\r\n creating tmp\r\n clang -pthread -Wsign-compare -Wunreachable-code -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -I/tools/deps/include -I/tools/deps/include/ncursesw -I/tools/deps/libedit/include -g0 -isystem /home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/python_toolchain_x86_64-unknown-linux-gnu/include/python3.11 -fPIC -I/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/python_toolchain_x86_64-unknown-linux-gnu/include/python3.11 -c /tmp/tmpppym8vfq.cpp -o tmp/tmpppym8vfq.o -std=c++14\r\n clang -pthread -Wsign-compare -Wunreachable-code -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -I/tools/deps/include -I/tools/deps/include/ncursesw -I/tools/deps/libedit/include -g0 -isystem /home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/python_toolchain_x86_64-unknown-linux-gnu/include/python3.11 -fPIC -I/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/python_toolchain_x86_64-unknown-linux-gnu/include/python3.11 -c /tmp/tmpfsblc_fc.cpp -o tmp/tmpfsblc_fc.o -std=c++11\r\n Traceback (most recent call last):\r\n File \"/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/pypi__pip/pip/_vendor/pep517/in_process/_in_process.py\", line 351, in \r\n main()\r\n File \"/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/pypi__pip/pip/_vendor/pep517/in_process/_in_process.py\", line 333, in main\r\n json_out['return_val'] = hook(**hook_input['kwargs'])\r\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^\r\n File 
\"/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/pypi__pip/pip/_vendor/pep517/in_process/_in_process.py\", line 249, in build_wheel\r\n return _build_backend().build_wheel(wheel_directory, config_settings,\r\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/build_meta.py\", line 434, in build_wheel\r\n return self._build_with_temp_dir(\r\n ^^^^^^^^^^^^^^^^^^^^^^^^^^\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/build_meta.py\", line 419, in _build_with_temp_dir\r\n self.run_setup()\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/build_meta.py\", line 341, in run_setup\r\n exec(code, locals())\r\n File \"\", line 116, in \r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/__init__.py\", line 103, in setup\r\n return distutils.core.setup(**attrs)\r\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/core.py\", line 185, in setup\r\n return run_commands(dist)\r\n ^^^^^^^^^^^^^^^^^^\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/core.py\", line 201, in run_commands\r\n dist.run_commands()\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/dist.py\", line 969, in run_commands\r\n self.run_command(cmd)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/dist.py\", line 989, in run_command\r\n super().run_command(command)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/dist.py\", line 988, in run_command\r\n cmd_obj.run()\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/wheel/bdist_wheel.py\", line 364, in run\r\n 
self.run_command(\"build\")\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/cmd.py\", line 318, in run_command\r\n self.distribution.run_command(command)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/dist.py\", line 989, in run_command\r\n super().run_command(command)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/dist.py\", line 988, in run_command\r\n cmd_obj.run()\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/command/build.py\", line 131, in run\r\n self.run_command(cmd_name)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/cmd.py\", line 318, in run_command\r\n self.distribution.run_command(command)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/dist.py\", line 989, in run_command\r\n super().run_command(command)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/dist.py\", line 988, in run_command\r\n cmd_obj.run()\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/command/build_ext.py\", line 88, in run\r\n _build_ext.run(self)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/command/build_ext.py\", line 345, in run\r\n self.build_extensions()\r\n File \"\", line 103, in build_extensions\r\n File \"\", line 70, in cpp_flag\r\n RuntimeError: Unsupported compiler -- at least C++11 support is needed!\r\n [end of output]\r\n \r\n note: This error originates from a subprocess, and is likely not a problem with pip.\r\n ERROR: Failed building wheel for hnswlib\r\nERROR: Failed to build one or more wheels\r\nTraceback (most recent call last):\r\n File \"\", line 198, in _run_module_as_main\r\n File \"\", line 88, in _run_code\r\n File 
\"/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/rules_python/python/pip_install/tools/wheel_installer/wheel_installer.py\", line 200, in \r\n main()\r\n File \"/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/rules_python/python/pip_install/tools/wheel_installer/wheel_installer.py\", line 180, in main\r\n subprocess.run(pip_args, check=True, env=env)\r\n File \"/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/python_toolchain_x86_64-unknown-linux-gnu/lib/python3.11/subprocess.py\", line 571, in run\r\n raise CalledProcessError(retcode, process.args,\r\nsubprocess.CalledProcessError: Command '['/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/python_toolchain_x86_64-unknown-linux-gnu/bin/python3', '-m', 'pip', '--isolated', 'wheel', '--no-deps', '-r', '/tmp/tmpp_pe0eg3']' returned non-zero exit status 1.\r\n) error code: '1'\r\nINFO: Elapsed time: 7.490s\r\nINFO: 0 processes.\r\nFAILED: Build did NOT complete successfully (0 packages loaded)\r\n\r\n
\r\n\r\n## 🌍 Your Environment\r\n\r\n**Operating System:**\r\n\r\n\r\n \r\n(dataworks) ➜ rules_python-pipcompile git:(master) uname -a\r\nLinux sg-dev-willy 5.15.0-83-generic #92~20.04.1-Ubuntu SMP Mon Aug 21 14:00:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux\r\n
\r\n
\r\n\r\n**Output of `bazel version`:**\r\n\r\n\r\n \r\n(dataworks) ➜ rules_python-pipcompile git:(master) bazel version\r\nBuild label: 6.3.2\r\nBuild target: bazel-out/k8-opt/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar\r\nBuild time: Tue Aug 8 15:48:33 2023 (1691509713)\r\nBuild timestamp: 1691509713\r\nBuild timestamp as int: 1691509713\r\n
\r\n
\r\n\r\n**Rules_python version:**\r\n\r\n\r\n \r\n0.25.0\r\n
\r\n
\r\n\r\n**Anything else relevant?**\r\n\r\nNothing else. Please do let me know if I can provide more information.","reactions":{"url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/bazelbuild/rules_python/issues/comments/1949387114","html_url":"https://github.com/bazelbuild/rules_python/issues/1463#issuecomment-1949387114","issue_url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463","id":1949387114,"node_id":"IC_kwDOBhEMNM50MUlq","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-02-16T21:54:07Z","updated_at":"2024-02-16T21:54:07Z","author_association":"COLLABORATOR","body":"I think in these scenarios, the best option is generally to work with and support the upstream package (eg pcslite) to fix packaging errors or make their packages easier to build. 
It may also be possible to get them to publish wheels using projects like https://github.com/pypa/cibuildwheel","reactions":{"url":"https://api.github.com/repos/bazelbuild/rules_python/issues/comments/1949387114/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-02-16T21:54:09Z","org":{"id":11684617,"login":"bazelbuild","gravatar_id":"","url":"https://api.github.com/orgs/bazelbuild","avatar_url":"https://avatars.githubusercontent.com/u/11684617?"}},{"id":"35697621515","type":"IssueCommentEvent","actor":{"id":343415,"login":"groodt","display_login":"groodt","gravatar_id":"","url":"https://api.github.com/users/groodt","avatar_url":"https://avatars.githubusercontent.com/u/343415?"},"repo":{"id":101780532,"name":"bazelbuild/rules_python","url":"https://api.github.com/repos/bazelbuild/rules_python"},"payload":{"action":"created","issue":{"url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463","repository_url":"https://api.github.com/repos/bazelbuild/rules_python","labels_url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463/labels{/name}","comments_url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463/comments","events_url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463/events","html_url":"https://github.com/bazelbuild/rules_python/issues/1463","id":1928661584,"node_id":"I_kwDOBhEMNM5y9QpQ","number":1463,"title":"`pip_parse` using hermetic python interpreter is 
failing","user":{"login":"wsoesanto-arbo","id":122245497,"node_id":"U_kgDOB0lReQ","avatar_url":"https://avatars.githubusercontent.com/u/122245497?v=4","gravatar_id":"","url":"https://api.github.com/users/wsoesanto-arbo","html_url":"https://github.com/wsoesanto-arbo","followers_url":"https://api.github.com/users/wsoesanto-arbo/followers","following_url":"https://api.github.com/users/wsoesanto-arbo/following{/other_user}","gists_url":"https://api.github.com/users/wsoesanto-arbo/gists{/gist_id}","starred_url":"https://api.github.com/users/wsoesanto-arbo/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/wsoesanto-arbo/subscriptions","organizations_url":"https://api.github.com/users/wsoesanto-arbo/orgs","repos_url":"https://api.github.com/users/wsoesanto-arbo/repos","events_url":"https://api.github.com/users/wsoesanto-arbo/events{/privacy}","received_events_url":"https://api.github.com/users/wsoesanto-arbo/received_events","type":"User","site_admin":false},"labels":[],"state":"open","locked":false,"assignee":null,"assignees":[],"milestone":null,"comments":6,"created_at":"2023-10-05T16:24:30Z","updated_at":"2024-02-15T09:28:57Z","closed_at":null,"author_association":"NONE","active_lock_reason":null,"body":"# 🐞 bug report\r\n\r\n### Affected Rule\r\n\r\nThe issue is caused by the rule: `pip_parse`\r\n\r\n\r\n### Is this a regression?\r\n\r\nNot certain.\r\n\r\n### Description\r\n\r\nI am getting compilation error when it's trying to build wheel dependency.\r\n\r\nIt doesn't throw an error when I left out `python_interpreter_target` attribute of `pip_parse`.\r\n\r\n## 🔬 Minimal Reproduction\r\n\r\nRepository link can be seen here: https://github.com/wsoesanto-arbo/rules_python-pipcompile\r\n\r\nWORKSPACE\r\n\r\n```\r\nload(\"@bazel_tools//tools/build_defs/repo:http.bzl\", \"http_archive\", \"http_file\")\r\n\r\nhttp_archive(\r\n name = \"rules_python\",\r\n sha256 = \"5868e73107a8e85d8f323806e60cad7283f34b32163ea6ff1020cf27abef6036\",\r\n 
strip_prefix = \"rules_python-0.25.0\",\r\n url = \"https://github.com/bazelbuild/rules_python/releases/download/0.25.0/rules_python-0.25.0.tar.gz\",\r\n)\r\nload(\"@rules_python//python:repositories.bzl\", \"py_repositories\")\r\n\r\npy_repositories()\r\n\r\nload(\"@rules_python//python:repositories.bzl\", \"python_register_toolchains\")\r\n\r\npython_register_toolchains(\r\n name = \"python_toolchain\",\r\n python_version = \"3.11\",\r\n)\r\n\r\nload(\"@python_toolchain//:defs.bzl\", \"interpreter\")\r\nload(\"@rules_python//python:pip.bzl\", \"pip_parse\")\r\n\r\npip_parse(\r\n name = \"pip\",\r\n python_interpreter_target = interpreter,\r\n requirements_lock = \"@//:requirements.txt\",\r\n)\r\nload(\"@pip//:requirements.bzl\", \"install_deps\")\r\ninstall_deps()\r\n```\r\n\r\nBUILD\r\n\r\n```\r\nload(\"@rules_python//python:pip.bzl\", \"compile_pip_requirements\")\r\n\r\ncompile_pip_requirements(\r\n name = \"requirements\",\r\n requirements_in = \"requirements.in\",\r\n requirements_txt = \"requirements.txt\",\r\n)\r\n```\r\n\r\nrequirements.in\r\n\r\n```\r\nhnswlib==0.7.0\r\n```\r\n\r\nrequirements.txt\r\n```\r\n#\r\n# This file is autogenerated by pip-compile with Python 3.11\r\n# by the following command:\r\n#\r\n# bazel run //:requirements.update\r\n#\r\nhnswlib==0.7.0 \\\r\n --hash=sha256:bc459668e7e44bb7454b256b90c98c5af750653919d9a91698dafcf416cf64c4\r\n # via -r requirements.in\r\nnumpy==1.22.4 \\\r\n --hash=sha256:0791fbd1e43bf74b3502133207e378901272f3c156c4df4954cad833b1380207 \\\r\n --hash=sha256:1ce7ab2053e36c0a71e7a13a7475bd3b1f54750b4b433adc96313e127b870887 \\\r\n --hash=sha256:2d487e06ecbf1dc2f18e7efce82ded4f705f4bd0cd02677ffccfb39e5c284c7e \\\r\n --hash=sha256:37431a77ceb9307c28382c9773da9f306435135fae6b80b62a11c53cfedd8802 \\\r\n --hash=sha256:3e1ffa4748168e1cc8d3cde93f006fe92b5421396221a02f2274aab6ac83b077 \\\r\n --hash=sha256:425b390e4619f58d8526b3dcf656dde069133ae5c240229821f01b5f44ea07af \\\r\n 
--hash=sha256:43a8ca7391b626b4c4fe20aefe79fec683279e31e7c79716863b4b25021e0e74 \\\r\n --hash=sha256:4c6036521f11a731ce0648f10c18ae66d7143865f19f7299943c985cdc95afb5 \\\r\n --hash=sha256:59d55e634968b8f77d3fd674a3cf0b96e85147cd6556ec64ade018f27e9479e1 \\\r\n --hash=sha256:64f56fc53a2d18b1924abd15745e30d82a5782b2cab3429aceecc6875bd5add0 \\\r\n --hash=sha256:7228ad13744f63575b3a972d7ee4fd61815b2879998e70930d4ccf9ec721dce0 \\\r\n --hash=sha256:9ce7df0abeabe7fbd8ccbf343dc0db72f68549856b863ae3dd580255d009648e \\\r\n --hash=sha256:a911e317e8c826ea632205e63ed8507e0dc877dcdc49744584dfc363df9ca08c \\\r\n --hash=sha256:b89bf9b94b3d624e7bb480344e91f68c1c6c75f026ed6755955117de00917a7c \\\r\n --hash=sha256:ba9ead61dfb5d971d77b6c131a9dbee62294a932bf6a356e48c75ae684e635b3 \\\r\n --hash=sha256:c1d937820db6e43bec43e8d016b9b3165dcb42892ea9f106c70fb13d430ffe72 \\\r\n --hash=sha256:cc7f00008eb7d3f2489fca6f334ec19ca63e31371be28fd5dad955b16ec285bd \\\r\n --hash=sha256:d4c5d5eb2ec8da0b4f50c9a843393971f31f1d60be87e0fb0917a49133d257d6 \\\r\n --hash=sha256:e96d7f3096a36c8754207ab89d4b3282ba7b49ea140e4973591852c77d09eb76 \\\r\n --hash=sha256:f0725df166cf4785c0bc4cbfb320203182b1ecd30fee6e541c8752a92df6aa32 \\\r\n --hash=sha256:f3eb268dbd5cfaffd9448113539e44e2dd1c5ca9ce25576f7c04a5453edc26fa \\\r\n --hash=sha256:fb7a980c81dd932381f8228a426df8aeb70d59bbcda2af075b627bbc50207cba\r\n # via hnswlib\r\n```\r\n\r\n\r\n## 🔥 Exception or Error\r\n\r\n\r\nERROR: whl_library pip_hnswlib failed: Collecting hnswlib==0.7.0\r\n Using cached hnswlib-0.7.0.tar.gz (33 kB)\r\n Installing build dependencies: started\r\n Installing build dependencies: finished with status 'done'\r\n Getting requirements to build wheel: started\r\n Getting requirements to build wheel: finished with status 'done'\r\n Preparing metadata (pyproject.toml): started\r\n Preparing metadata (pyproject.toml): finished with status 'done'\r\nBuilding wheels for collected packages: hnswlib\r\n Building wheel for hnswlib (pyproject.toml): 
started\r\n Building wheel for hnswlib (pyproject.toml): finished with status 'error'\r\nFailed to build hnswlib\r\n ( error: subprocess-exited-with-error\r\n \r\n × Building wheel for hnswlib (pyproject.toml) did not run successfully.\r\n │ exit code: 1\r\n ╰─> [60 lines of output]\r\n running bdist_wheel\r\n running build\r\n running build_ext\r\n creating tmp\r\n clang -pthread -Wsign-compare -Wunreachable-code -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -I/tools/deps/include -I/tools/deps/include/ncursesw -I/tools/deps/libedit/include -g0 -isystem /home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/python_toolchain_x86_64-unknown-linux-gnu/include/python3.11 -fPIC -I/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/python_toolchain_x86_64-unknown-linux-gnu/include/python3.11 -c /tmp/tmpppym8vfq.cpp -o tmp/tmpppym8vfq.o -std=c++14\r\n clang -pthread -Wsign-compare -Wunreachable-code -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -I/tools/deps/include -I/tools/deps/include/ncursesw -I/tools/deps/libedit/include -g0 -isystem /home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/python_toolchain_x86_64-unknown-linux-gnu/include/python3.11 -fPIC -I/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/python_toolchain_x86_64-unknown-linux-gnu/include/python3.11 -c /tmp/tmpfsblc_fc.cpp -o tmp/tmpfsblc_fc.o -std=c++11\r\n Traceback (most recent call last):\r\n File \"/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/pypi__pip/pip/_vendor/pep517/in_process/_in_process.py\", line 351, in \r\n main()\r\n File \"/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/pypi__pip/pip/_vendor/pep517/in_process/_in_process.py\", line 333, in main\r\n json_out['return_val'] = hook(**hook_input['kwargs'])\r\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^\r\n File 
\"/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/pypi__pip/pip/_vendor/pep517/in_process/_in_process.py\", line 249, in build_wheel\r\n return _build_backend().build_wheel(wheel_directory, config_settings,\r\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/build_meta.py\", line 434, in build_wheel\r\n return self._build_with_temp_dir(\r\n ^^^^^^^^^^^^^^^^^^^^^^^^^^\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/build_meta.py\", line 419, in _build_with_temp_dir\r\n self.run_setup()\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/build_meta.py\", line 341, in run_setup\r\n exec(code, locals())\r\n File \"\", line 116, in \r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/__init__.py\", line 103, in setup\r\n return distutils.core.setup(**attrs)\r\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/core.py\", line 185, in setup\r\n return run_commands(dist)\r\n ^^^^^^^^^^^^^^^^^^\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/core.py\", line 201, in run_commands\r\n dist.run_commands()\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/dist.py\", line 969, in run_commands\r\n self.run_command(cmd)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/dist.py\", line 989, in run_command\r\n super().run_command(command)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/dist.py\", line 988, in run_command\r\n cmd_obj.run()\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/wheel/bdist_wheel.py\", line 364, in run\r\n 
self.run_command(\"build\")\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/cmd.py\", line 318, in run_command\r\n self.distribution.run_command(command)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/dist.py\", line 989, in run_command\r\n super().run_command(command)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/dist.py\", line 988, in run_command\r\n cmd_obj.run()\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/command/build.py\", line 131, in run\r\n self.run_command(cmd_name)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/cmd.py\", line 318, in run_command\r\n self.distribution.run_command(command)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/dist.py\", line 989, in run_command\r\n super().run_command(command)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/dist.py\", line 988, in run_command\r\n cmd_obj.run()\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/command/build_ext.py\", line 88, in run\r\n _build_ext.run(self)\r\n File \"/tmp/pip-build-env-cg4m06ds/overlay/lib/python3.11/site-packages/setuptools/_distutils/command/build_ext.py\", line 345, in run\r\n self.build_extensions()\r\n File \"\", line 103, in build_extensions\r\n File \"\", line 70, in cpp_flag\r\n RuntimeError: Unsupported compiler -- at least C++11 support is needed!\r\n [end of output]\r\n \r\n note: This error originates from a subprocess, and is likely not a problem with pip.\r\n ERROR: Failed building wheel for hnswlib\r\nERROR: Failed to build one or more wheels\r\nTraceback (most recent call last):\r\n File \"\", line 198, in _run_module_as_main\r\n File \"\", line 88, in _run_code\r\n File 
\"/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/rules_python/python/pip_install/tools/wheel_installer/wheel_installer.py\", line 200, in \r\n main()\r\n File \"/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/rules_python/python/pip_install/tools/wheel_installer/wheel_installer.py\", line 180, in main\r\n subprocess.run(pip_args, check=True, env=env)\r\n File \"/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/python_toolchain_x86_64-unknown-linux-gnu/lib/python3.11/subprocess.py\", line 571, in run\r\n raise CalledProcessError(retcode, process.args,\r\nsubprocess.CalledProcessError: Command '['/home/willy/.cache/bazel/_bazel_willy/cc4b2e9ab7fab4dbf3df2c107e10b6db/external/python_toolchain_x86_64-unknown-linux-gnu/bin/python3', '-m', 'pip', '--isolated', 'wheel', '--no-deps', '-r', '/tmp/tmpp_pe0eg3']' returned non-zero exit status 1.\r\n) error code: '1'\r\nINFO: Elapsed time: 7.490s\r\nINFO: 0 processes.\r\nFAILED: Build did NOT complete successfully (0 packages loaded)\r\n\r\n
\r\n\r\n## 🌍 Your Environment\r\n\r\n**Operating System:**\r\n\r\n\r\n \r\n(dataworks) ➜ rules_python-pipcompile git:(master) uname -a\r\nLinux sg-dev-willy 5.15.0-83-generic #92~20.04.1-Ubuntu SMP Mon Aug 21 14:00:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux\r\n
\r\n
\r\n\r\n**Output of `bazel version`:**\r\n\r\n\r\n \r\n(dataworks) ➜ rules_python-pipcompile git:(master) bazel version\r\nBuild label: 6.3.2\r\nBuild target: bazel-out/k8-opt/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar\r\nBuild time: Tue Aug 8 15:48:33 2023 (1691509713)\r\nBuild timestamp: 1691509713\r\nBuild timestamp as int: 1691509713\r\n
\r\n
\r\n\r\n**Rules_python version:**\r\n\r\n\r\n \r\n0.25.0\r\n
\r\n
\r\n\r\n**Anything else relevant?**\r\n\r\nNothing else. Please do let me know if I can provide more information.","reactions":{"url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"timeline_url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463/timeline","performed_via_github_app":null,"state_reason":null},"comment":{"url":"https://api.github.com/repos/bazelbuild/rules_python/issues/comments/1945688512","html_url":"https://github.com/bazelbuild/rules_python/issues/1463#issuecomment-1945688512","issue_url":"https://api.github.com/repos/bazelbuild/rules_python/issues/1463","id":1945688512,"node_id":"IC_kwDOBhEMNM5z-NnA","user":{"login":"groodt","id":343415,"node_id":"MDQ6VXNlcjM0MzQxNQ==","avatar_url":"https://avatars.githubusercontent.com/u/343415?v=4","gravatar_id":"","url":"https://api.github.com/users/groodt","html_url":"https://github.com/groodt","followers_url":"https://api.github.com/users/groodt/followers","following_url":"https://api.github.com/users/groodt/following{/other_user}","gists_url":"https://api.github.com/users/groodt/gists{/gist_id}","starred_url":"https://api.github.com/users/groodt/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/groodt/subscriptions","organizations_url":"https://api.github.com/users/groodt/orgs","repos_url":"https://api.github.com/users/groodt/repos","events_url":"https://api.github.com/users/groodt/events{/privacy}","received_events_url":"https://api.github.com/users/groodt/received_events","type":"User","site_admin":false},"created_at":"2024-02-15T09:28:56Z","updated_at":"2024-02-15T09:28:56Z","author_association":"COLLABORATOR","body":"> 1. 
Is there a better way of managing the installation of packages that must be built using source packages?\r\n\r\nYou can consider pre-building wheels for your target platform(s) and hosting them on your own artifact repository such as Artifactory, AWS CodeArtifact, GCP Artifact Registry, [GCP Assured OSS Software](https://cloud.google.com/assured-open-source-software/docs/supported-packages), S3 bucket etc. Then \"pin\" or \"lock\" your dependencies against wheels in pip using `--index https://foo --only-binary=:all:`\r\n\r\n> 2\\. Is there another approach to preferring binary packages over source packages without CI grinding to a halt?\r\n\r\nLikely similar to above. Any resolution algorithm will try to backtrack to find wheels if none exist. This is likely slow unless you can short-circuit and give it some wheels to find using techniques as above.\r\n\r\nAn entirely different approach could be for you to consider using alternative rules such as rules_pycross, which aims to support building from `sdist` inside bazel actions using native toolchains. \r\n\r\nNone of this is an easy problem, because Python package management is essentially `eval setup.py` so there isn't a general solution. Only solutions that sometimes appear to work more than others.\r\n","reactions":{"url":"https://api.github.com/repos/bazelbuild/rules_python/issues/comments/1945688512/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}},"public":true,"created_at":"2024-02-15T09:28:58Z","org":{"id":11684617,"login":"bazelbuild","gravatar_id":"","url":"https://api.github.com/orgs/bazelbuild","avatar_url":"https://avatars.githubusercontent.com/u/11684617?"}}]