ENH: add support for PEP 639 #681
Conversation
dnicolodi
force-pushed
the
pep639
branch
2 times, most recently
from
2deba65
to
d8d6030
Compare
dnicolodi
force-pushed
the
pep639
branch
17 times, most recently
from
4e73d80
to
6c49f01
Compare
| @@ -39,6 +39,14 @@ versions. | |||
| Meson 1.3.0 or later is required for compiling extension modules | |||
| targeting the Python limited API. | |||
|
|
|||
| .. option:: 1.6.0 | |||
|
|
|||
| Meson 1.6.0 or later is required to support ``license`` and | |||
There was a problem hiding this comment.
Do you have a link to a PR or something for the 1.6 change? curious as to what needed updates in meson, was expecting it to be just meson-python.
There was a problem hiding this comment.
Probably due to depending on mesonbuild/meson#13783
There was a problem hiding this comment.
Indeed, as @eli-schwartz says. Meson support is required only to get the license and license files declared in meson.build when they are declared dynamic or when there is no project section in pyproject.toml.
It is a bit uglier than what I would like because I wanted to keep compatibility with older pyproject-metadata. meson-python supports anything back to version 0.7.1. |
dnicolodi
force-pushed
the
pep639
branch
3 times, most recently
from
17ed963
to
044f487
Compare
|
I gave this a shot in matplotlib/matplotlib#28982, and |
|
I'm not very well versed in licensing issues, but I don't think the way PEP 639 supports declaring package licenses works well for this use case. The main problem is that it expects the license of the package's sdist and wheel to be exactly the same. For packages like matplotlib that link statically with some libraries, this is not the case: the license of the source code is the matplotlib license, the license of the wheel is the union of the matplotlib license with the license of all the libraries linked to it. Concretely, the issue is that in the most common case the subprojects directory does not contain the source code of the subprojects but only references to them (in the matplotlib case in the form of meson wrap files). However, the I don't know how the problem could be solved. The most formally right solution would to allow source and binary distributions to have different licenses. But this is a quite significant change in behavior for the package metadata system. The pragmatic solution is to add the subprojects' license files to the source distribution and accept that the sdist as a whole might have a more restrictive license than what it could have. |
This is not true. Metadata can be dynamic and vary between the sdist and the wheel. It's already dynamic as a result of being calculated from meson introspection, so you just need to mark that in the sdist as well. The decision to make sdist metadata static and forbidden to change is... definitely a decision of all time. But the good news is it comes with an escape hatch. This escape hatch is needed since the spec also says that it's illegal per the spec to apply open source patches to an sdist metadata if the fields are marked as static. 🤷 |
|
Can't this already be done using dynamic-metadata? The point of dynamic-metadata is to allow the wheels to have different metadata than the source distribution. And the new entries are valid listed in dynamic-metadata. It might not be shown effectively by PyPI, etc, but it should at least work. And METADATA 2.4 > 2.2, so it's always available to use. |
|
Are you just making sure the license is already normalized, I guess? Without a packaging release, we don't have license-expression normalization yet. The PR is merged but there hasn't been a release yet. |
Perhaps yes, although it's quite hard to come up with a reasonable way of using that, since meson-python cannot know whether or not The better way would be to actually make it a first class use case with something like: [project]
license = "MIT"
[pypi-wheels]
# platform specifiers need some more thought - maybe reuse the cibuildwheel syntax?
license = {
win32 = "MIT AND Other",
linux = "MIT AND LGPL-2.1-and-later",
}
# Add `license-files` in a similar wayThis could perhaps be done in a tool-specific way first, with What we do right now in NumPy is quite a bit more hacky: |
Both of these reasons are invalid.
Also none of this matters if you expect people to use wheels Also also none of this matters if you expect people to use PyPI-based sdists, since you can emplace the license metadata into the sdist and mark it as "dynamic" at the same time -- it is trivially parseable and simply isn't accurate for anything beyond the sdist itself due to the fact that the sdist can be configured and built and download new (checksummed) dependencies over the internet and change its effective license in, depending on the project, maybe even dozens of different configurations that are only machine-knowable by asking the resulting configured build to announce itself via introspection. |
Not quite, my problem is the opposite. I want metadata in Maybe I misunderstood what @henryiii meant by "dynamic-metadata". If it's not |
|
If you just want people to use pyproject.toml and nothing other than pyproject.toml then what is the purpose of PKG-INFO in a sdist? That file contains possibly still-dynamic versions of the metadata that was discovered during sdist building -- it is machine readable and there's no real reason not to use it as a statically deducible alternative to And for licenses, it's quite reasonable to say that a dynamic license in pyproject.toml which is also dynamic in PKG-INFO, is intended to be varying across sdists versus wheels. |
|
Ok so maybe what you want in order to analyze a repo for license information is actually https://www.fossology.org/ ? |
|
Anyway I think people should have the right to use dynamic metadata if they want to, and use pyproject.toml metadata if they want to. With that in mind, the ability to have different metadata for sdist vs. wheel by making use of "Dynamic" entries in current versions of the Core Metadata, is a powerful escape hatch for those who choose to do so. |
+1 completely agreed. My only point is that as a Python package author I don't wanted to be forced to use dynamic metadata via
For build backend authors/features, sure. Not directly relevant to package authors though - Core Metadata is a thing between packaging tools and index servers, not something one can directly access or really ever thinks about at all as a package author. Hence my proposal for a UX that package authors can use to put in their statically known sdist and PyPI wheels metadata, which the build backend can then translate to a Dynamic entry in Core Metadata. |
|
FYI, having something listed in the project table and also dynamic allowing the metadata to be added to is still something I want to write a PEP for. |
dnicolodi
force-pushed
the
pep639
branch
2 times, most recently
from
28ca051
to
752a44e
Compare
I added a commit on top that bumps the required pyproject-metadata to 0.9.0. @rgommers Is there anything else to be done before we can merge this? I have no idea of what the timeline to get support for PEP 639 in PyPI is and I don't know if waiting to land this till that is available is a good idea or not. |
It's looking pretty good, but let me try to do a slightly more careful line-by-line review - so far I just quickly browsed the diff and tested with PyWavelets.
That's a good point. pypi/warehouse#16949 is moving fairly quickly it looks like, but it may be wise to ensure that this PR lines up with what lands in PyPI somehow before merging it. Not 100% sure about that, but without that it seems to me that there's a risk of some users trying out the new feature and ending up with wheels with license-related issues or that cannot be uploaded. |
|
Something I noticed that is correct but mildly surprised me is that the Not a problem, and matches the PEP (as usual the PEP is short of examples though, so one needs to read carefully), so just noting here as "indeed looks as it should". I noticed that |
There was a problem hiding this comment.
I now went over this more carefully, and it all LGTM.
The one thing that came to mind was that including Apache/LGPL license files is probably going to trigger some license scanner tooling and give some distro maintainers work to silence the false positives, but not much that can be done about that.
Ready to merge I think - but I'd hold off until packaging and PyPI have support.
There is no technical reason why these files need to be named like that or include the actual licenses text. I just copied them over from the source code of a package I had at hand. They can be replaced with placeholders. |
Perhaps worth doing? Using |
|
packaging 24.2 is out! (Also, noticed there's no quick and easy link to the source from readthedocs - see https://github.com/scientific-python/repo-review/blob/7fe5485a8ef2aaba8539a18a49a186380e9b39f9/docs/conf.py#L45-L61 which I think I stole from something like pip or maybe furo's own docs) |
I'm not sure about what you mean with this. meson-python documentation is not on readthedocs and we have a "Source Code" link in the left sidebar (and typing this made me realize that the capitalization of the title of the link is inconsistent with the other titles). |
Thanks. I'll add tests making sure the validation of the license field works as expected. |
|
By readthedocs I meant https://mesonbuild.com/meson-python/. Okay, I was looking for a GitHub icon on the bottom or top or similar, but that's not bad. |
Having PEP 639 metadata supported or not based on the version of a transitive dependency would not make for a great user experience. Supporting PEP 639 metadata requires pyproject-metadata 0.9.0.
Closes gh-270