Restore support for pkginfo 1.11

[jaraco]

For now, this approach retains the current behavior that an unrecognized metadata version will fail with an error.

This approach splits out the detection based on the version of pkginfo. Starting with pkginfo 1.11, it now properly detects when a metadata version is unrecognized and errors on that condition explicitly. For backward compatibility, until pkginfo 1.11 is the minimum, the check will still provide guidance to consider the metadata version when fields are missing.

Closes #1116

[jaraco]

Well, shoot. It seems that after allowing pkginfo 1.11, the type checks are failing. It seems that pkginfo.Distribution.name was str and now is str | None. Same for .version.

[woodruffw]

Random thought: is there a reason this can't constrain pkginfo ~= 1.11 in pyproject.toml? That would avoid the need for the run-time version check + some of the extra handling in this PR.

[jaraco]

Random thought: is there a reason this can't constrain pkginfo ~= 1.11 in pyproject.toml? That would avoid the need for the run-time version check + some of the extra handling in this PR.

My thought was that there are probably users still reliant on older versions, so it would be nice to have at least one release transition where users aren't forced to the newer version. I absolutely agree that after twine stabilizes, we might bump the dependency on pkginfo (and remove the compatibility logic). I coded it in such a way as to make it easy to remove the compatibility logic.

I also observed that there's already an open issue #1070 tracking the move to pkginfo 1.10, so that issue would need to be addressed first (or simultaneously) with the move to 1.11.

[satmandu]

Any progress on this? It would be nice to be able to use twine from a tagged release as opposed to having to build from this bugfix branch.

[ltworf]

Well you can get apt install twine on debian and it's patched.

[satmandu]

Well you can get apt install twine on debian and it's patched.

It certainly looks like you have patched it downstream! Thank you!

As a Maintainer for Chromebrew I'm just hoping for upstream here to patch it in a tagged release so we can stop shipping a patched release/having to maintain a patch against upstream, especially since we use twine for our own binary pip mirror.

https://metadata.ftp-master.debian.org/changelogs//main/t/twine/twine_5.1.1-3_changelog

twine (5.1.1-3) unstable; urgency=low

  * Team upload.
  * Add a real manpage for twine, and move the existing one to section 3.
    (Closes: #1029494)
  * Move the generated manpage to section 3.

 -- Salvo 'LtWorf' Tomaselli <ltworf@debian.org>  Sat, 14 Sep 2024 12:41:14 +0200

twine (5.1.1-2) unstable; urgency=medium

  * Patch: Restore support for pkginfo 1.11.
  * Revert the Build-Depends restriction on python-pkginfo.
    (Closes: #1081549)

 -- Stefano Rivera <stefanor@debian.org>  Sat, 14 Sep 2024 10:13:45 +0200

twine (5.1.1-1) unstable; urgency=high

  * Team upload.
  * New upstream release.
    + Fix compatibility with python-importlib-metadata 8.x.
  * debian/control: Add an upper version requirement for build-dependency
    python-pkginfo (<< 1.11.0~) due to upstream issue 1116. This limit
    shall be solved with the next upstream release.

 -- Boyuan Yang <byang@debian.org>  Sun, 30 Jun 2024 12:13:27 -0400

[ddelange]

Any progress on this? It would be nice to be able to use twine from a tagged release as opposed to having to build from this bugfix branch.

is there a way to use this branch within the gh-action-pypi-publish action?

maturin switched to metadata 2.4 (released 16 hours ago) and so all rust package releases will start breaking in the coming days unless they revert to 2.3 (which I guess they can't because "Metadata-Version 2.3 is invalid and now gets rejected by PyPI" ref) or this PR merges and releases

[woodruffw]

is there a way to use this branch within the gh-action-pypi-publish action?

The easiest way would probably be to have it land in a release. It might alternatively be possible to patch it in, but @webknjaz should probably opine on whether he'd like that 🙂

Taking a step back: apologies if I'm missing anything, but is there a reason twine can't go to pkginfo >= 1.11 and avoid the backwards compat complexity here? Distributions that need the older version could still use patch on this branch, but the twine that lives on PyPI/gets used by the GHA publishing action doesn't need it.

[jaraco]

Taking a step back: apologies if I'm missing anything, but is there a reason twine can't go to pkginfo >= 1.11 and avoid the backwards compat complexity here?

See this comment.

I observed that there were already objections to pinning to pkginfo>=1.10 (#1070), so chose to avoid that issue and provide a backward-compatible change. I was interested in solving that issue also and clean up the compatibility code, but planned to do it subsequently after providing an intermediate compatible release. I'd even consider making two releases in the same day, one that provides backward compatibility and one that removes that compatibility, so that users and integrators would have more flexibility.

Since @sigmavirus24 has been unresponsive to my request for clarification, this work is essentially blocked.

[satmandu]

The profile page for @sigmavirus24 suggests that he is “Taking a break from F/0SS indefinitely” — As such, is there another maintainer who may be approached about moving this forward?

[webknjaz]

@woodruffw I'd rather not have Git-based deps. If we need to pull this in, we'd have to consider vendoring+patching a-la what pip does. But I'd also need to account for pip-tools based pins management.

[ddelange]

I'm guessing a PEP440 direct reference like pip install 'twine @ https://github.com/pypa/twine/archive/refs/heads/bugfix/1116-pkginfo-warnings.zip' should be supported by pip-tools?

[jaraco]

The profile page for @sigmavirus24 suggests that he is “Taking a break from F/0SS indefinitely” — As such, is there another maintainer who may be approached about moving this forward?

If that's the case, I also believe @bhrutledge has stepped away as well, in which case I'm the last remaining active contributor on this project. I looked at the profile page of sigmavirus24, but didn't see the "taking a break" message. Can you provide a more definitive reference?

[satmandu]

The profile page for @sigmavirus24 suggests that he is “Taking a break from F/0SS indefinitely” — As such, is there another maintainer who may be approached about moving this forward?

If that's the case, I also believe @bhrutledge has stepped away as well, in which case I'm the last remaining active contributor on this project. I looked at the profile page of sigmavirus24, but didn't see the "taking a break" message. Can you provide a more definitive reference?

sigmavirus24 is no longer active

[jaraco]

I see now I missed the opportunity to add a changelog entry for this change. I'll do that in a separate PR.

[satmandu]

I see now I missed the opportunity to add a changelog entry for this change. I'll do that in a separate PR.

If you would be so kind as to tag a release thereafter. 🙏

[ddelange]

v6.0.0 has been released, thanks for the quick action here! 💥