Sdist idea: require `pyproject.toml` and PEP 518/517

I think pip will support legacy sdists, at least for a (long) while. The difference this makes is that, combined with other ideas, pip would be able to infer useful information from a modern sdist without actually downloading, unpacking, and building the archive. pip currently needs to download, unpack, and run get_metadata_for_build_wheel() to get dependencies; the happy path can be drastically improved by downloading only {name}-{version}.sdist.pyproject.toml from the index (similar to pypa/warehouse#8254) and inspecting the static dependencies field in it. To achieve this, we need to:

  1. Have a way to mark a file as a modern sdist in the file name, so an index knows when to expose the metadata file (PEP 625)
  2. Guarantee what the modern sdist has (this proposal), and how to get it (sdist archive format as discussed in the PEP 625 thread; pyproject.toml would be in the archive root)
  3. Decide on how and where sdist can declare static metadata (Sdist idea: specifying static metadata that can be trusted and if we go with pyproject.toml)

pip would need to implement fallbacks in every step for legacy sdists, but alternative package managers can choose not to support some or all of the legacy stuff. This would provide one puzzle piece for the whole process.
