python-peps / pep-0301.txt

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
PEP: 301
Title: Package Index and Metadata for Distutils
Version: $Revision$
Last-Modified: $Date$
Author: Richard Jones <richard@python.org>
Status: Final
Type: Standards Track
Content-Type: text/x-rst
Created: 24-Oct-2002
Python-Version: 2.3
Post-History: 8-Nov-2002


Abstract
========

This PEP proposes several extensions to the Distutils packaging system
[1]_.  These enhancements include a central package index server,
tools for submitting package information to the index and extensions
to the package metadata to include Trove [2]_ information.

This PEP does not address issues of package dependency.  It also does
not address storage and download of packages as described in PEP 243
[6]_.  Nor is it proposing a local database of packages as described
in PEP 262 [7]_.

Existing package repositories such as the Vaults of Parnassus [3]_,
CPAN [4]_ and PAUSE [5]_ will be investigated as prior art in this
field.


Rationale
=========

Python programmers have long needed a simple method of discovering
existing modules and systems available for their use.  It is arguable
that the existence of these systems for other languages have been a
significant contribution to their popularity.  The existence of the
Catalog-SIG, and the many discussions there indicate that there is a
large population of users who recognise this need.

The introduction of the Distutils packaging system to Python
simplified the process of distributing shareable code, and included
mechanisms for the capture of package metadata, but did little with
the metadata save ship it with the package.

An interface to the index should be hosted in the python.org domain,
giving it an air of legitimacy that existing catalog efforts do not
have.

The interface for submitting information to the catalog should be as
simple as possible - hopefully just a one-line command for most users.

Issues of package dependency are not addressed due to the complexity
of such a system.  PEP 262 proposes such a system, but as of this
writing the PEP is still unfinished.

Issues of package dissemination (storage on a central server) are
not addressed because they require assumptions about availability of
storage and bandwidth that I am not in a position to make.  PEP 243,
which is still being developed, is tackling these issues and many
more.  This proposal is considered compatible with, and adjunct to
the proposal in PEP 243.


Specification
=============

The specification takes three parts, the `web interface`_,  the
`Distutils register command`_ and the `Distutils Trove
classification`_.


Web Interface
-------------

A web interface is implemented over a simple store.  The interface is
available through the python.org domain, either directly or as
packages.python.org.

The store has columns for all metadata fields.  The (name, version)
double is used as a uniqueness key.  Additional submissions for an
existing (name, version) will result in an *update* operation.

The web interface implements the following commands/interfaces:

**index**
  Lists known packages, optionally filtered.  An additional HTML page,
  **search**, presents a form to the user which is used to customise
  the index view.  The index will include a browsing interface like
  that presented in the Trove interface design section 4.3.  The
  results will be paginated, sorted alphabetically and only showing
  the most recent version.  The most recent version information will
  be determined using the Distutils LooseVersion class.

**display**
  Displays information about the package.  All fields are displayed as
  plain text.  The "url" (or "home_page") field is hyperlinked.

**submit**
  Accepts a POST submission of metadata about a package.  The
  "name" and "version" fields are mandatory, as they uniquely identify
  an entry in the index.  **Submit** will automatically determine
  whether to create a new entry or update an existing entry.  The
  metadata is checked for correctness where appropriate - specifically
  the Trove discriminators are compared with the allowed set.  An
  update will update all information about the package based on the
  new submitted information.

  There will also be a submit/edit form that will allow manual
  submission and updating for those who do not use Distutils.

**submit_pkg_info**
  Accepts a POST submission of a PKG-INFO file and performs the same
  function as the **submit** interface.

**user**
  Registers a new user with the index.  Requires username, password
  and email address.  Passwords will be stored in the index database
  as SHA hashes.  If the username already exists in the database:

  1. If valid HTTP Basic authentication is provided, the password and
     email address are updated with the submission information, or
  2. If no valid authentication is provided, the user is informed that
     the login is already taken.

  Registration will be a three-step process, involving:

  1. User submission of details via the Distutils *register* command
     or through the web,
  2. Index server sending email to the user's email address with a URL
     to visit to confirm registration with a random one-time key, and
  3. User visits URL with the key and confirms registration.

**roles**
  An interface for changing user Role assignments.

**password_reset**
  Using a supplied email address as the key, this resets a user's
  password and sends an email with the new password to the user.

The **submit** command will require HTTP Basic authentication,
preferably over an HTTPS connection.

The server interface will indicate success or failure of the commands
through a subset of the standard HTTP response codes:

===== ============== ================================================
Code  Meaning        Register command implications
===== ============== ================================================
200   OK             Everything worked just fine
400   Bad request    Data provided for submission was malformed
401   Unauthorised   The username or password supplied were incorrect
403   Forbidden      User does not have permission to update the
                     package information (not Owner or Maintainer)
===== ============== ================================================

User Roles
----------

Three user Roles will be assignable to users:

Owner
  Owns a package name, may assign Maintainer Role for that name.  The
  first user to register information about a package is deemed Owner
  of the package name.  The Admin user may change this if necessary.
  May submit updates for the package name.

Maintainer
  Can submit and update info for a particular package name.

Admin
  Can assign Owner Role and edit user details. Not specific to a
  package name.


Index Storage (Schema)
----------------------

The index is stored in a set of relational database tables:

**packages**
  Lists package names and holds package-level metadata (currently
  just the stable release version)

**releases**
  Each package has an entry in **releases** for each version of the
  package that is released. A row holds the bulk of the information
  given in the package's PKG-INFO file. There is one row for each
  package (*name*, *version*).

**trove_discriminators**
  Lists the Trove discriminator text and assigns each one a unique
  ID.

**release_discriminators**
  Each entry maps a package (*name*, *version*) to a
  *discriminator_id*.  We map to releases instead of packages because
  the set of discriminators may change between releases.

**journals**
  Holds information about changes to package information in the
  index. Changes to the **packages**, **releases**, **roles**,
  and **release_discriminators** tables are listed here by
  package *name* and *version* if the change is release-specific.

**users**
  Holds our user database - user name, email address and password.

**roles**
  Maps *user_name* and *role_name* to a *package_name*.

An additional table, **rego_otk** holds the One Time Keys generated
during registration and is not interesting in the scope of the index
itself.


Distutils *register* Command
----------------------------

An additional Distutils command, ``register``, is implemented which
posts the package metadata to the central index.  The *register*
command automatically handles user registration; the user is presented
with three options:

1. login and submit package information
2. register as a new packager
3. send password reminder email

On systems where the ``$HOME`` environment variable is set, the user
will be prompted at exit to save their username/password to a file
in their ``$HOME`` directory in the file ``.pypirc``.

Notification of changes to a package entry will be sent to all users
who have submitted information about the package.  That is, the
original submitter and any subsequent updaters.

The *register* command will include a ``--verify`` option which
performs a test submission to the index without actually committing
the data.  The index will perform its submission verification checks
as usual and report any errors it would have reported during a normal
submission.  This is useful for verifying correctness of Trove
discriminators.


Distutils Trove Classification
------------------------------

The Trove concept of *discrimination* will be added to the metadata
set available to package authors through the new attribute
"classifiers".  The list of classifiers will be available through the
web, and added to the package like so::

    setup(
        name = "roundup", 
        version = __version__,
        classifiers = [
            'Development Status :: 4 - Beta',
            'Environment :: Console',
            'Environment :: Web Environment',
            'Intended Audience :: End Users/Desktop',
            'Intended Audience :: Developers',
            'Intended Audience :: System Administrators',
            'License :: OSI Approved :: Python Software Foundation License',
            'Operating System :: MacOS :: MacOS X',
            'Operating System :: Microsoft :: Windows',
            'Operating System :: POSIX',
            'Programming Language :: Python',
            'Topic :: Communications :: Email',
            'Topic :: Office/Business',
            'Topic :: Software Development :: Bug Tracking',
        ],
        url = 'http://sourceforge.net/projects/roundup/',
        ...
    )

It was decided that strings would be used for the classification
entries due to the deep nesting that would be involved in a more
formal Python structure.

The original Trove specification that classification namespaces be
separated by slashes ("/") unfortunately collides with many of the
names having slashes in them (e.g. "OS/2").  The double-colon solution
(" :: ") implemented by SourceForge and FreshMeat gets around this
limitation.

The list of classification values on the module index has been merged
from FreshMeat and SourceForge (with their permission).  This list
will be made available both through the web interface and through the
*register* command's ``--list-classifiers`` option as a text list
which may then be copied to the ``setup.py`` file.  The *register*
command's ``--verify`` option will check classifiers values against
the server's list.

Unfortunately, the addition of the "classifiers" property is not
backwards-compatible.  A setup.py file using it will not work under
Python 2.1.3.  It is hoped that a bug-fix release of Python 2.2 (most
likely 2.2.3) will relax the argument checking of the setup() command
to allow new keywords, even if they're not actually used.  It is
preferable that a warning be produced, rather than a show-stopping
error. The use of the new keyword should be discouraged in situations
where the package is advertised as being compatible with python
versions earlier than 2.2.3 or 2.3.

In the PKG-INFO, the classifiers list items will appear as individual
``Classifier:`` entries::

        Name: roundup 
        Version: 0.5.2
        Classifier: Development Status :: 4 - Beta
        Classifier: Environment :: Console (Text Based)
                    .
                    .
        Classifier: Topic :: Software Development :: Bug Tracking
        Url: http://sourceforge.net/projects/roundup/


Implementation
==============

The server is available at:

  http://www.python.org/pypi

The code is available from the SourceForge project:

  http://sourceforge.net/projects/pypi/

The *register* command has been integrated into Python 2.3.


Rejected Proposals
==================

Originally, the index server was to return custom headers (inspired by
PEP 243):

**X-Pypi-Status**
  Either "success" or "fail".

**X-Pypi-Reason**
  A description of the reason for failure, or additional information
  in the case of a success.

However, it has been pointed out [8]_ that this is a bad scheme to
use.


References
==========

.. [1] Distutils packaging system
   (http://docs.python.org/library/distutils.html)

.. [2] Trove
   (http://www.catb.org/~esr/trove/)

.. [3] Vaults of Parnassus
   (http://www.vex.net/parnassus/)

.. [4] CPAN
   (http://www.cpan.org/)

.. [5] PAUSE
   (http://pause.cpan.org/)

.. [6] PEP 243, Module Repository Upload Mechanism
   (http://www.python.org/dev/peps/pep-0243/)

.. [7] PEP 262, A Database of Installed Python Packages
   (http://www.python.org/dev/peps/pep-0262/)

.. [8] [PEP243] upload status is bogus
   (http://mail.python.org/pipermail/distutils-sig/2001-March/002262.html)


Copyright
=========

This document has been placed in the public domain.


Acknowledgements
================

Anthony Baxter, Martin v. Loewis and David Goodger for encouragement
and feedback during initial drafting.

A.M. Kuchling for support including hosting the second prototype.

Greg Stein for recommending that the register command interpret the
HTTP response codes rather than custom X-PyPI-* headers.

The many participants of the Distutils and Catalog SIGs for their
ideas over the years.


..
   Local Variables:
   mode: indented-text
   indent-tabs-mode: nil
   sentence-end-double-space: t
   fill-column: 70
   End:
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.