Draft PEP: Recording provenance of installed packages

Unless I’m missing it, the PEP 610 “specification” section doesn’t define what specifically should go into the URL, but given that it’s only relevant when installing from a “direct URL” specifier, it clearly is the URL in that specifier. But for other cases, that doesn’t apply. Technically, ./app isn’t a direct URL specifier, it’s an implementation-specific extension pip supplies.

So I think this PEP does need to explicitly specify.

An example section isn’t normative, though - implementations don’t have to follow them. As a procedural point, I wouldn’t particularly look at example sections when reviewing a PEP for completeness.

Yes. But it also means that consumers cannot assume the file is present. Hence my comment about SBOM use cases - I don’t know anything about the requirements there, but something that produces a SBOM report from this data has to be prepared to say something like “package XXX is installed but does not include data about where it came from”.
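The point above, that a consumer of installed-package metadata cannot assume a provenance file exists, is illustrated here with an added example that is not part of the thread and not code from pip or the PEP. It scans a site-packages style directory, looks for a provenance file in each `.dist-info` directory, and reports packages that carry none. The file names `provenance_url.json` (the PEP 710 draft) and `direct_url.json` (PEP 610), and the fixture contents, are assumptions made for the example; the JSON structure is only read for a top-level `url` field, so the code degrades gracefully when a file is missing or malformed.

```python
import json
import tempfile
from pathlib import Path

# Assumed file names: PEP 710 draft (provenance_url.json) and PEP 610 (direct_url.json).
# Checked in this order so the newer, more specific record wins when both exist.
PROVENANCE_FILES = ("provenance_url.json", "direct_url.json")


def provenance_report(site_packages):
    """Return {name: {"source": filename-or-None, "origin": str}} for every
    *.dist-info directory under site_packages. Packages with no readable
    provenance file are reported rather than skipped."""
    report = {}
    for dist_info in sorted(Path(site_packages).glob("*.dist-info")):
        # "<name>-<version>.dist-info" -> <name>
        name = dist_info.name[: -len(".dist-info")].split("-", 1)[0]
        entry = {"source": None, "origin": "unknown"}
        for fname in PROVENANCE_FILES:
            path = dist_info / fname
            if not path.is_file():
                continue
            try:
                data = json.loads(path.read_text(encoding="utf-8"))
            except (json.JSONDecodeError, UnicodeDecodeError):
                entry = {"source": fname, "origin": "malformed"}
                break
            entry = {"source": fname, "origin": str(data.get("url", "<no url field>"))}
            break
        report[name] = entry
    return report


def report_lines(report):
    """Human-readable lines, one per package, in the style the post suggests."""
    lines = []
    for name, entry in sorted(report.items()):
        if entry["source"] is None:
            lines.append(
                f"package {name} is installed but does not include data about where it came from"
            )
        elif entry["origin"] == "malformed":
            lines.append(f"package {name} has an unreadable {entry['source']}")
        else:
            lines.append(f"package {name} came from {entry['origin']} ({entry['source']})")
    return lines


def build_fixture():
    """Construct a throwaway site-packages directory with four packages:
    one with PEP 710 provenance, one with a PEP 610 local-directory record,
    one with a malformed record, and one with nothing. Constructed data."""
    root = Path(tempfile.mkdtemp(prefix="prov-example-"))

    def dist(name, version, files=None):
        d = root / f"{name}-{version}.dist-info"
        d.mkdir()
        (d / "METADATA").write_text(f"Name: {name}\nVersion: {version}\n")
        for fname, content in (files or {}).items():
            (d / fname).write_text(content)

    dist("alpha", "1.0", {"provenance_url.json": json.dumps(
        {"url": "https://files.example.invalid/alpha-1.0-py3-none-any.whl",
         "archive_info": {"hashes": {"sha256": "<placeholder>"}}})})
    dist("app", "0.1", {"direct_url.json": json.dumps(
        {"url": "file:///home/user/app", "dir_info": {"editable": True}})})
    dist("broken", "2.0", {"provenance_url.json": "{not json"})
    dist("orphan", "3.0")
    return root


if __name__ == "__main__":
    for line in report_lines(provenance_report(build_fixture())):
        print(line)
```

The report deliberately distinguishes "no file" from "file present but unreadable"; an SBOM generator that collapsed both into "unknown" would hide a corrupted record, which is the kind of thing a supply-chain audit wants surfaced.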

I understand why you’re doing it, I’m just saying that I don’t look at comments made on the PR, and if anyone wants their comments to be considered (by me, for the PEP review/approval, at least) they need to be made here, not there.

For those who follow the discussion - see PEP 710 - Recording the provenance of installed packages.