A problem I've come across many times now is that a package will drop support for an old version and they'll even add a python_requires directive to their setup.py, only to cut a release using an old version of setuptools that doesn't actually understand the python_requires directive and thus silently fails. See, e.g. sphinx. This causes a bunch of problems because the erroneously uploaded packages now pollute pip installs of that package unless they are removed from PyPI or a post release is made.
Since there is no good reason to upload a package without explicitly specifying a Requires-Python directive, I think we can assume that this is an error and reject packages that don't have a Requires-Python.
My recommendation for migrating to the "always throw an error" version:
- Start throwing a warning when
Requires-Python is missing, with a link to the documentation on how to add Requires-Python
- Update
twine and all tools that upload packages (and setuptools, even though it's deprecated) to automatically transform that warning into an error overridable by --allow-no-python-requires
- Add a backwards-compatibility API that allows you to upload packages without
Requires-Python by configuring your upload endpoint to something not the default
- Upgrade the warning to an error, dropping support for
--allow-no-python-requires.
I think we could swap the order of 2 and 3 pretty easily - I'm guessing that updating the upload tools would be easier to do which is why I put them in this order, but 2 could be implemented in terms of 3.
In terms of time frame, I don't know how aggressive you (the Warehouse team) want to be. I think the first 3 can happen as soon as an implementation is available. It's probably a big ask to have all package maintainers switch over in a relatively short period of time, but I think a long deprecation period will be harmful given that it's likely a large number of packages are going to start dropping support for Python 2 soon, which will probably cause a ton of headaches if people aren't including Requires-Python in their metadata. Maybe a 6 months or so?
A problem I've come across many times now is that a package will drop support for an old version and they'll even add a
python_requiresdirective to theirsetup.py, only to cut a release using an old version ofsetuptoolsthat doesn't actually understand thepython_requiresdirective and thus silently fails. See, e.g. sphinx. This causes a bunch of problems because the erroneously uploaded packages now pollutepipinstalls of that package unless they are removed from PyPI or apostrelease is made.Since there is no good reason to upload a package without explicitly specifying a
Requires-Pythondirective, I think we can assume that this is an error and reject packages that don't have a Requires-Python.My recommendation for migrating to the "always throw an error" version:
Requires-Pythonis missing, with a link to the documentation on how to addRequires-Pythontwineand all tools that upload packages (andsetuptools, even though it's deprecated) to automatically transform that warning into an error overridable by--allow-no-python-requiresRequires-Pythonby configuring your upload endpoint to something not the default--allow-no-python-requires.I think we could swap the order of 2 and 3 pretty easily - I'm guessing that updating the upload tools would be easier to do which is why I put them in this order, but 2 could be implemented in terms of 3.
In terms of time frame, I don't know how aggressive you (the Warehouse team) want to be. I think the first 3 can happen as soon as an implementation is available. It's probably a big ask to have all package maintainers switch over in a relatively short period of time, but I think a long deprecation period will be harmful given that it's likely a large number of packages are going to start dropping support for Python 2 soon, which will probably cause a ton of headaches if people aren't including
Requires-Pythonin their metadata. Maybe a 6 months or so?