Sorry, I have had less time for packaging things than ever lately so I haven’t caught up with the rest of the thread, but I just wanted to chime in and say that I did not realize that we were targeting a situation where the files weren’t local on disk for these sorts of “it makes it easier to do dependency resolution without opening up the file” improvements. This is very helpful information, and I agree it is very costly to require downloading the file.
In this case, I think a decent middle-ground would be something like this proposed approach, where metadata is exposed as attributes via the API. For “local-folder-as-index” situations, you can introspect the sdist to see if it’s reliable, and PyPI can introspect the sdist on upload to determine whether the name is “trustable” (or even to expose the name and versions).
I suspect many PyPI mirrors would not immediately update to expose this information (since many of them only added Python-Requires support years later, if at all), but I think “this breaks when your file version has dashes in it and you are using an index with an out-of-date standard” would probably be no worse than the current status quo, and the common case would be a significant improvement; end users would start seeing benefits even with no action taken by library maintainers other than updating their version of their build tools. Of course, that would require a coordinated effort between backend, frontend and PyPI maintainers, but as I’ve said here and elsewhere, I think we’re the people who get the most benefit out of this improvement, and that’s much easier than an ecosystem-wide change.