Does the Simple repository API version 1.3 exist?

PEP 740 – Index support for digital attestations said there should be a version 1.3 (presumably because PEP 708 – Extending the Repository API to Mitigate Dependency Confusion Attacks is supposed to be 1.2), but the Simple repository API page of the Python Packaging User Guide doesn’t mention any version beyond 1.1 and lists the provenance key like it’s a part of API 1.1. Is this intentional and we are dropping versioning additions, or was this an oversight?

/cc @woodruffw, @dustin

I’m guessing the issue is that PEP 708 never left Provisional status and therefore could still be rejected or withdrawn, leaving the version numbers out of order from their chronological Final status.

I would suggest it makes sense to update PEP 708 to specify version 1.4, now PEP 740 is final.

That was an oversight, at least for my part — I added the other PEP 740 changes to the spec but it looks like I forgot to bump the versions throughout. I can send a PR today fixing that!

Note that PyPI correctly declares version 1.3, so it’s just the docs that are out of sync:

$ curl -s https://pypi.org/simple/sampleproject/ | grep repository-version
    <meta name="pypi:repository-version" content="1.3">
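
The same check a client could run offline, as an added example that is not part of the original posts or of any project's code: it reads the `pypi:repository-version` meta tag shown in the curl output and flags a page that serves provenance links while declaring a version older than 1.3. It assumes the HTML form of the PEP 740 key is a `data-provenance` attribute on file links and that a missing tag means 1.0 (PEP 629); the sample pages and the `files.example` URLs are constructed.

```python
from html.parser import HTMLParser

PROVENANCE_MIN = (1, 3)  # version that PEP 740 assigns to provenance, per the thread

class SimpleIndexPage(HTMLParser):
    """Collect the declared API version and the file links carrying provenance."""
    def __init__(self):
        super().__init__()
        self.version = None
        self.provenance_files = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == "pypi:repository-version":
            major, minor = (a.get("content") or "").split(".")
            self.version = (int(major), int(minor))
        elif tag == "a" and a.get("data-provenance"):  # assumed PEP 740 attribute
            self.provenance_files.append(a.get("href", ""))

def check_page(html, client_supports=(1, 3)):
    """Return (declared_version, findings) for one project page."""
    page = SimpleIndexPage()
    page.feed(html)
    findings = []
    if page.version is None:
        page.version = (1, 0)  # PEP 629: absent version is treated as 1.0
        findings.append("no repository-version meta tag; assuming 1.0")
    if page.version[0] > client_supports[0]:
        findings.append("major version newer than client: refuse to parse")
    elif page.version > client_supports:
        findings.append("minor version newer than client: warn, continue")
    if page.provenance_files and page.version < PROVENANCE_MIN:
        findings.append("data-provenance served under a pre-1.3 version")
    return page.version, findings

# Constructed sample pages (not real PyPI responses).
CONSISTENT = (
    '<html><head><meta name="pypi:repository-version" content="1.3"></head>'
    '<body><a href="https://files.example/pkg-1.0.tar.gz" '
    'data-provenance="https://files.example/pkg-1.0.tar.gz.provenance">'
    'pkg-1.0.tar.gz</a></body></html>'
)
STALE = CONSISTENT.replace('content="1.3"', 'content="1.1"')

if __name__ == "__main__":
    for name, html in (("consistent", CONSISTENT), ("stale", STALE)):
        print(name, check_page(html))
```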

Pull Request #1803 in pypa/packaging.python.org ("simple-repository-api: bump, explain api-version" by woodruffw) should address the docs deficiencies!

I think that depends on whether PyPI is already serving the data, in which case it wouldn’t make sense to skip over 1.2.