Reject bdist uploads containing inconsistent metadata

[pradyunsg]

What's the problem this feature will solve?
See https://pypi.org/project/triton/0.4.0/#files, which has 0.4.1 wheel names but (as the URL indicates), the wheels are actually for a 0.4.0 version.

This happened due to an incorrectly manipulated package by the author of the package (see triton-lang/triton#122) which resulted in an inconsistent version number being presented between the simple index and the project page.

Describe the solution you'd like

Such uploads should be blocked.

Additional context

None? I tried to look for duplicates and couldn't find any. Apologies if I missed something relevant!

[woodruffw]

Thanks for filing! Doing a bit of triage:

It's odd that PyPI accepted this at all, since the upload endpoint does check for consistency between the version in the wheel name and in the metadata:

warehouse/warehouse/forklift/legacy.py

Lines 1026 to 1031 in 7c93a28

	if meta.version != version:
	raise _exc_with_message(
	HTTPBadRequest,
	f"Version in filename should be {str(meta.version)!r} not "
	f"{str(version)!r}.",
	)

[woodruffw]

Oh hmm, triton==0.4.0 was uploaded in May 2021, and that check was added just a few weeks ago with #15795, fixing #15749.

So I think this is already fixed 🙂

[di]

Yeah, this is fixed.