
Conversation

@warsaw warsaw commented Aug 16, 2025

  • Remove the nonce and gentoken() algorithm. Indexes are now responsible for generating
    an cryptographically secure session token and obfuscated stage URL (but only if they support
    staged previews).
  • Clarify the semantics when multiple session creation requests are received.
  • Clarify publishing session steps such as status polling and session extension.
  • Require that name conform to the normalization rules, and include a link.
  • Require that version conform to the version specs, and include a link.
  • Require filename to conform to either the source or binary distribution file name convention, and include links.
  • Reference RFC 3399 instead of ISO 8601 as the timestamp spec. The RFC is a simpler format that
    subsets the ISO standard, and is more appropriate to our use case.
  • Other protocol clarifications.
  • Add optional index-specific metadata keys.

📚 Documentation preview 📚: https://pep-previews--4549.org.readthedocs.build/

warsaw added 9 commits August 15, 2025 17:00
* Require that `name` conform to the normalization rules, and include a link
* Require that `version` conform to the version specs, and include a link
* RFC 3399 instead of ISO 8601 as the timestamp spec.  The RFC is a simpler format that subsets the
  ISO standard, and is more appropriate to our use case.
* Adjust the gentoken() algorithm to be more resistant to tomfoolery.  This may still change.
* Require `filename` to conform to either the source or binary distribution file name convention,
  and include links
@warsaw warsaw self-assigned this Aug 16, 2025
* The addition of the ``Location`` header is now a **MUST**, and better worded to indicate that it
  can be polled in the case of a ``202 Accepted``.
* Added a couple of **FIXME** tags to address removal of nonce and fleshing out the ``Errors``
  section.  See URLs in the text.  DO NOT PROMOTE FROM DRAFT UNTIL THIS IS DONE.
* Reformatted some text.
Based on discussions here:
https://discuss.python.org/t/pep-694-pypi-upload-api-2-0-round-2/101483/22 clients no longer supply
a nonce to influence the session token and stage URL.  The calculation of these is left to the
index, but language is added that if provided, they must be cryptographically unguessable, and it
must be possible to calculate the stage URL from the session token.
@warsaw warsaw marked this pull request as ready for review August 23, 2025 01:32
@warsaw warsaw requested a review from dstufft as a code owner August 23, 2025 01:32
@warsaw warsaw requested a review from ewdurbin August 23, 2025 01:32
warsaw commented Aug 23, 2025

I think this branch is ready for review, based on feedback from the DPO thread.

* When an attempt is made to create a second session with the same name-version pair, but the first session is
  in `pending`, `processing`, or `complete` state, the second session is *not* created and a 409 is returned.
* There's nothing special about `0.0.0` as a placeholder version, and it really should be `0.0.0a0`.
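As an added illustration (not code from the PEP or this PR), the following models the two index-side rules discussed above: the index, not the client, generates a cryptographically unguessable session token and an obfuscated stage URL that can be recomputed from that token, and a second create-session request for the same name/version pair is refused with 409 while the first session is `pending`, `processing`, or `complete`. The HMAC-based stage-URL derivation, the placeholder base URL, and the `SessionStore` class and its method names are assumptions made for this example; only the state names, the 409 behaviour and the name-normalization rule come from the thread.

```python
"""Index-side session bookkeeping for a staged-upload API (added example)."""
import hashlib
import hmac
import re
import secrets

# Session states in which a second session for the same name/version is refused (from the thread).
BLOCKING_STATES = {"pending", "processing", "complete"}

# Assumption: a per-index secret so that a stage URL cannot be recomputed from a token
# without the index's key. Generated fresh here; a real index would persist it.
INDEX_KEY = secrets.token_bytes(32)
BASE_URL = "https://index.invalid/stage"  # constructed placeholder, not a real index


def normalize_name(name: str) -> str:
    """Project name normalization: runs of '-', '_' and '.' collapse to '-', then lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def stage_url_for(token: str, key: bytes = INDEX_KEY) -> str:
    """Derive the obfuscated stage URL from the session token.

    Assumed construction: HMAC-SHA256 over the token with the index key. It is
    deterministic, so the index can always recompute the URL from the token, but a
    party holding neither the token nor the key cannot predict it.
    """
    digest = hmac.new(key, token.encode(), hashlib.sha256).hexdigest()
    return f"{BASE_URL}/{digest}/"


class SessionStore:
    """Minimal in-memory registry of publishing sessions keyed by normalized name and version."""

    def __init__(self) -> None:
        self._sessions: dict[tuple[str, str], dict] = {}

    def create(self, name: str, version: str) -> tuple[int, dict]:
        """Return (HTTP status, response body): 201 with a new session, or 409 on conflict."""
        key = (normalize_name(name), version)
        existing = self._sessions.get(key)
        if existing is not None and existing["status"] in BLOCKING_STATES:
            # The first session is still live or already published: do not create another.
            return 409, {"error": "session already exists", "status": existing["status"]}
        # 32 bytes from the OS CSPRNG, URL-safe encoded; never influenced by client input.
        token = secrets.token_urlsafe(32)
        session = {
            "status": "pending",
            "session-token": token,
            "stage-url": stage_url_for(token),
        }
        self._sessions[key] = session
        return 201, dict(session)

    def set_status(self, name: str, version: str, status: str) -> None:
        """Advance a session's state (used here to simulate the index's lifecycle)."""
        self._sessions[(normalize_name(name), version)]["status"] = status


if __name__ == "__main__":
    store = SessionStore()
    print(store.create("Foo_Bar", "1.0"))   # 201 with a fresh token and stage URL
    print(store.create("foo.bar", "1.0"))   # 409: same normalized name, session still pending
```

The conflict check runs on the normalized name, so `Foo_Bar` and `foo.bar` collide as the normalization rules require; once the first session leaves the blocking states, a new session for the same pair is created again.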
warsaw commented Sep 23, 2025

@dstufft @ewdurbin @mgorny I believe this is ready for final review. Once it's merged, I'll start a Round 3 DPO thread and update Post-History. Thanks for all the great feedback.

@warsaw warsaw requested a review from mgorny September 23, 2025 22:46