Commit c09a325

PEP 710: Remove index_url and state why it was removed (#3878)
Signed-off-by: Fridolin Pokorny <[email protected]>
1 parent 0acda96 commit c09a325

1 file changed: +16 -12 lines changed

peps/pep-0710.rst

Lines changed: 16 additions & 12 deletions
@@ -118,9 +118,9 @@ may be present in a given ``.dist-info`` directory; installers MUST NOT add both
118118
The ``provenance_url.json`` JSON file MUST be a dictionary, compliant with
119119
:rfc:`8259` and UTF-8 encoded.
120120

121-
If present, it MUST contain exactly three keys. The first MUST be ``url``, with
121+
If present, it MUST contain exactly two keys. The first MUST be ``url``, with
122122
type ``string``. The second key MUST be ``archive_info`` with a value defined
123-
below. The third key MUST be ``index_url`` with type ``string``.
123+
below.
124124

125125
The value of the ``url`` key MUST be the URL from which the distribution package was downloaded. If a wheel is
126126
built from a source distribution, the ``url`` value MUST be the URL from which
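Review bot: The rewritten sentence at new line 121 says "exactly two keys" and then "The first MUST be ... The second key MUST be", which reads as if key order matters, although the file is defined just above as an :rfc:`8259` dictionary, where member order carries no meaning. Suggest naming the keys without ordinals, for example "it MUST contain exactly two keys: ``url`` ... and ``archive_info`` ...". Because the count is exact, a file written against the earlier three-key wording (with ``index_url``) no longer conforms, so it would help to state whether consumers should reject such a file or ignore the extra key.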
@@ -140,11 +140,6 @@ Additionally, the user:password section of the URL MAY be a well-known,
140140
non-security sensitive string. A typical example is ``git`` in the case of an
141141
URL such as ``ssh://[email protected]``.
142142

143-
The value of the ``index_url`` key MUST be a base URL of a :term:`Package Index`
144-
used to download the given distribution package, such as
145-
``https://pypi.org/simple/``. The recorded URL SHOULD point to a repository
146-
compliant with :pep:`503`.
147-
148143
The value of ``archive_info`` MUST be a dictionary with a single key
149144
``hashes``. The value of ``hashes`` is a dictionary mapping hash function
150145
names to a hex-encoded digest of the file referenced by the ``url`` value. At
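Review bot: The paragraph deleted at old lines 143-146 goes away without any replacement text, so nothing in this part of the specification tells a reader that leaving out ``index_url`` is deliberate. Consider a one-sentence pointer here to the "Storing index URL" section that this commit adds further down, so that implementers who read only the specification text do not reintroduce the key.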
@@ -269,7 +264,6 @@ A valid ``provenance_url.json`` list multiple hashes:
269264
"sha512": "6bad5536c30a0b2d5905318a1592948929fbac9baf3bcf2e7faeaf90f445f82bc2b656d0a89070d8a6a9395761f4793c83187bd640c64b2656a112b5be41f73d"
270265
}
271266
},
272-
"index_url": "https://pypi.org/simple/",
273267
"url": "https://files.pythonhosted.org/packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl"
274268
}
275269
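Review bot: Nit on the context line shown in this hunk's header: "A valid ``provenance_url.json`` list multiple hashes:" should read "listing multiple hashes", matching "listing a single hash entry" in the next example. The deletion itself leaves the example well-formed, since the ``},`` that closes ``archive_info`` still separates it from ``url``.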
@@ -283,7 +277,6 @@ A valid ``provenance_url.json`` listing a single hash entry:
283277
"sha256": "236bcb61156d76c4b8a05821b988c7b8c35bf0da28a4b614e8d6ab5212c25c6f"
284278
}
285279
},
286-
"index_url": "https://pypi.org/simple/",
287280
"url": "https://files.pythonhosted.org/packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl"
288281
}
289282
@@ -298,7 +291,6 @@ build and install a wheel:
298291
"sha256": "8bfe29f17c10e2f2e619de8033a07a224058d96b3bfe2ed61777596f7ffd7fa9"
299292
}
300293
},
301-
"index_url": "https://pypi.org/simple/",
302294
"url": "https://files.pythonhosted.org/packages/1d/43/ad8ae671de795ec2eafd86515ef9842ab68455009d864c058d0c3dcf680d/micropipenv-0.0.1.tar.gz"
303295
}
304296
@@ -321,7 +313,6 @@ values in sync.
321313
"sha256": "236bcb61156d76c4b8a05821b988c7b8c35bf0da28a4b614e8d6ab5212c25c6f"
322314
}
323315
},
324-
"index_url": "https://pypi.org/simple/",
325316
"url": "https://files.pythonhosted.org/packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl"
326317
}
327318
@@ -337,7 +328,6 @@ in the Python docs under :attr:`py3.11:hashlib.hash.name`.
337328
"SHA-256": "236bcb61156d76c4b8a05821b988c7b8c35bf0da28a4b614e8d6ab5212c25c6f"
338329
}
339330
},
340-
"index_url": "https://pypi.org/simple/",
341331
"url": "https://files.pythonhosted.org/packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl"
342332
}
343333
@@ -466,6 +456,17 @@ in the ``provenance_url.json`` file if that file is created; per this PEP:
466456
By doing so, consumers of ``provenance_url.json`` can check
467457
artifact digests when the ``provenance_url.json`` file is created by installers.
468458

459+
Storing index URL
460+
-----------------
461+
462+
A possibility was raised for storing the index URL as part of the file content.
463+
This index URL would represent the index configured in pip's configuration or
464+
specified using the ``--index-url`` or ``--extra-index-url`` options. Storing
465+
this information was considered confusing, especially when using other
466+
installation options like ``--find-links``. Since the actual index URL is not
467+
strictly bound to the location from which the wheel file was downloaded, we
468+
decided not to store the index URL in the ``provenance_url.json`` file.
469+
469470
Open Issues
470471
===========
471472
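Review bot: The new "Storing index URL" text at lines 462-468 justifies the decision only in terms of pip (``--index-url``, ``--extra-index-url``, ``--find-links``), while the specification elsewhere addresses installers in general. Suggest introducing these options as an example ("for example, in pip ...") and stating the consequence for consumers: with no index recorded, ``url`` together with the ``archive_info`` hashes is the only origin information in the file, so any check of where a distribution came from has to be made against those. The heading and body would also read better with the article ("Storing the index URL").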

@@ -653,6 +654,9 @@ the proposed pip-sbom prototype.
653654

654655
Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.
655656

657+
Thanks to Frost Ming for raising possible concern around storing index URL in
658+
the ``provenance_url.json`` file.
659+
656660
Last, but not least, thanks to Donald Stufft for sponsoring this PEP.
657661

658662
Copyright
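Review bot: Wording nit in the acknowledgement added at lines 657-658: "raising possible concern around storing index URL" is missing its articles. Suggest "raising a possible concern about storing the index URL in the ``provenance_url.json`` file".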
