-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
env: validate PEP 508 specifiers before passing them as arguments to pip #665
Conversation
Per the specification for pyproject.toml build-system.requires, these MUST be valid PEP 508 strings, and when checking to see if they are satisfied during --no-isolation builds, they will be parsed using `packaging.requirements` which checks this for free as a side effect of converting each string into a good format for checking against importlib.metadata dists. But when building by default, they are just pip installed and pip supports many things that aren't just PEP 508 strings. Fix this by first parsing them with `packaging.requirements` just to get the error message.
c777204
to
e73f5ca
Compare
What should the preferred UX of this be? Previously, this emitted:
with a preceding traceback and a pip error:
With my change, it errors out with a packaging.requirements.Requirement exception and logs:
or
The tests are doing some finicky position-based output matching, trying to figure out what it even expects... |
The position based matching is annoying, you can just update it to whatever the new line numbers in the source are.
Will this break any current workarounds? (I'm thinking of #651, which apparently doesn't work now, but just wondering if there's anything like that to worry about). If so, maybe a warning first then an error later would be better? (Even though we say non-PEP 508 strings are unsupported, someone might not know what they are doing is unsupported, so a phase out period is friendlier in that case). But if not, then no need.
The above seems fine to me? Though maybe printing out where this occurs ( |
From the linked issue:
So this is expanding the "with I think this is fine, but what about only running this if |
|
I think this should already be the case -- what I modified here was the case of "no -n". I'm indifferent to what happens when -x is passed, , what I want to prevent is the case where an invalid PEP 508 string is successfully installed by treating it as a filepath relative to pyproject.toml. I could probably clarify that in the commit message... |
IMO, long term, validating requirement strings is probably fine, but I'm thinking backward compatible, if someone today puts "subdirectory/project" as a requirement string, they can build their project out of the box today, as long as they don't pass So the suggestion is:
|
Seems it stalled, @eli-schwartz let me know if you want to pick it up again and we can reopen. |
Per the specification for pyproject.toml build-system.requires, these MUST be valid PEP 508 strings, and when checking to see if they are satisfied during --no-isolation builds, they will be parsed using
packaging.requirements
which checks this for free as a side effect of converting each string into a good format for checking against importlib.metadata dists.But when building by default, they are just pip installed and pip supports many things that aren't just PEP 508 strings. Fix this by first parsing them with
packaging.requirements
just to get the error message.