Support PEP 658 / PEP 714 about devpi HOT 8 OPEN

I guess this is all contained in the metadata of releases? If so this should be relatively straight forward, as we have all that in the database per version of a package. If it is per released file and we would have to inspect the wheels, then it would be much more effort.

from devpi.

You can try devpi getjson https://.../user/index/project/version to see what we have in the database.

from devpi.

To sum up the specs, the core thing is:

1. extracting the wheel's <package>-<version>.dist-info/METADATA file (sdists are technically also included in the spec, but not even supported by PyPI)
2. computing its sha256 checksum in the hex form
3. putting the file at the same path as the <package-dist-name>.whl as <package-dist-name>.whl.metadata
4. exposing its existence in the package listing with various names (lol, but yes) per the appropriate PEP, always containing the hash in some form or the other 😆:
   • PEP 503 (simple HTTP API) - as an HTML attribute of the <a> tag holding the .whl download link:
     • PEP 714: data-core-metadata="sha256=aea654168069f40d75ac2e4291a8267c720ebc1dcc6038259469290a67e8be14"
     • PEP 658: data-dist-info-metadata="sha256=aea654168069f40d75ac2e4291a8267c720ebc1dcc6038259469290a67e8be14"
   • PEP 691 (JSON-based Simple API)
     • PEP 714:

       "core-metadata": {
         "sha256": "aea654168069f40d75ac2e4291a8267c720ebc1dcc6038259469290a67e8be14"
       }

     • PEP 658 (err, no, this key crashes old pips):

       "dist-info-metadata": {
         "sha256": "aea654168069f40d75ac2e4291a8267c720ebc1dcc6038259469290a67e8be14"
       }

     • PyPI currently exposes also the HTML's data-dist-info-metadata in JSON, but that's likely for further compatibility with confused clients 🥲 You can have a look with:

       curl -L -H 'Accept: application/vnd.pypi.simple.v1+json' https://pypi.org/simple/devpi-server/

   The sole existence of the attribute (whichever that is) implies the client can slap .metadata to the .whl's URL and find the file there. If the attribute is missing, the client is supposed not to be looking for it.

⚠️ PyPI have been adopting this only for newly submitted packages, as otherwise they'd have to unpack all the files and rebuild the lists, which is pretty understandable they hesitate doing. I suppose this might be doable in the same fashion.

from devpi.

It looks like some of that data is contained within the database, but I don't think it would make sense trying to recreate the .metadata file with the data from there (also I don't think it has it all). I'd expect the right way of doing this is at the moment the package gets published to devpi (and is obviously already being parsed for (some of) its metadata).

from devpi.