PEP 627: Updating PEP 376; making RECORD optional in installed .dist-info

OK. My notes on the PEP and on the proposed wording of the packaging spec.

  1. You say you don’t want to get sucked into REQUESTED, and I agree. But the current wording feels like it implies more than you want it to. I’d suggest adding a note at the top of the section on the REQUESTED file saying something like “Installers are not required to maintain REQUESTED, and so consumers must not assume that the lack of a REQUESTED file means anything in practice.” (Or you can take the same view as PEP 376, that tools will maintain this data - in which case you need to amend the comment that “Almost all information is optional” to reflect that REQUESTED data is not optional).
  2. I don’t see much discussion of the removal of the requirement for hashes/sizes to be present. I get your argument that no tools currently use that information, but once we remove the requirement for it, it’s going to be more or less impossible to re-introduce it. Which means future tools won’t be able to say things like “refusing to uninstall FOO as local changes have been made”. Is there any concrete reason for relaxing this requirement? (I don’t buy “simplifies the spec” and I don’t see the issue with expecting shebang rewriters to update the hash - RECORD explicitly doesn’t need a hash to make that process straightforward).
  3. I’d like to see an explicit statement that tools which rely on Python’s package database¹ MUST refuse to uninstall projects that have no RECORD. See point (5) below, as well. (Tools like system package managers that rely on other data can do what they want - there’s no particular need to make this point, though).
  4. If INSTALLER is intended for use in messages, the content should be usable in that context - so I’d suggest that the spec should say something like “the file must contain a single line containing the name of the installer - for example ‘pip’ or ‘conda’ or ‘Mega-Corp Super Installer’”.
  5. Question - if an installer omits RECORD, should it be required to write INSTALLER, so the user at least knows who to blame for the package that “normal” tools can’t uninstall? (That can be a future revision, I’m not going to block acceptance on it, but I think it’s a reasonable requirement).

Overall, though, this looks pretty good. No-one has raised any fundamental issues, so it looks like we have a reasonable consensus. If you can address the above points, I’m OK with accepting the PEP.

¹ A minor cosmetic problem with this rewrite is there’s no longer a good noun phrase for “the database of installed packages” 🤷
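
The kind of check points 2 and 3 refer to, as an added example that is not part of the original post or of any installer's code: it verifies installed files against the hashes and sizes in RECORD and refuses uninstall when RECORD is missing or a file was changed locally. `check_record`, `may_uninstall`, `build_demo`, the `SUPPORTED` set and the constructed `foo` distribution are hypothetical, and the refusal policy is an assumption.

```python
import base64
import csv
import hashlib
import os

SUPPORTED = {"sha256", "sha384", "sha512"}  # assumption: algorithms this sketch accepts

def record_hash(data, algo="sha256"):
    """RECORD hash field: <algo>=<urlsafe base64 digest, '=' padding stripped>."""
    digest = hashlib.new(algo, data).digest()
    return algo + "=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def check_record(site_dir, dist_info):
    """Return {path: status} per RECORD row, or None when RECORD is absent."""
    record = os.path.join(site_dir, dist_info, "RECORD")
    if not os.path.isfile(record):
        return None
    results = {}
    with open(record, newline="", encoding="utf-8") as fh:
        for row in csv.reader(fh):
            if not row:
                continue
            path, hash_field, size_field = (row + ["", ""])[:3]
            target = os.path.join(site_dir, path)
            algo = hash_field.split("=", 1)[0]
            if not os.path.isfile(target):
                results[path] = "missing"
            elif algo not in SUPPORTED:
                results[path] = "unverifiable"  # no usable hash (e.g. RECORD itself)
            else:
                with open(target, "rb") as f:
                    data = f.read()
                same = record_hash(data, algo) == hash_field and (
                    not size_field or int(size_field) == len(data))
                results[path] = "ok" if same else "modified"
    return results

def may_uninstall(results):
    """Hypothetical policy: refuse with no RECORD or with locally modified files."""
    return results is not None and "modified" not in results.values()

def build_demo(site_dir):
    """Constructed sample distribution 'foo': one hashed module plus its RECORD."""
    body = b"VALUE = 1\n"
    os.makedirs(os.path.join(site_dir, "foo-1.0.dist-info"))
    with open(os.path.join(site_dir, "foo.py"), "wb") as f:
        f.write(body)
    with open(os.path.join(site_dir, "foo-1.0.dist-info", "RECORD"), "w") as f:
        f.write(f"foo.py,{record_hash(body)},{len(body)}\nfoo-1.0.dist-info/RECORD,,\n")
```

With hashes optional, every row can come back `unverifiable`, and the modified-file refusal has nothing to act on.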