
PEP 700 conformance for PyPI feeds



  • Hi all,

    one can request package metadata from pypi.org like this:

    curl https://pypi.org/simple/psycopg/ -H "Accept: application/vnd.pypi.simple.v1+json" | jq .
    

    which returns something like this

    {
      "meta": {
        "_last-serial": 34419005,
        "api-version": "1.4"
      },
      "alternate-locations": [],
      "name": "psycopg",
      "project-status": {
        "status": "active"
      },
      "versions": [
        "3.0b1",
        ...
      ],
      "files": [
        {
          "core-metadata": {
            "sha256": "37f03f995769dc6eea1b48eeeed2b7dd778755d35f445712f989e302c1d33811"
          },
          "data-dist-info-metadata": {
            "sha256": "37f03f995769dc6eea1b48eeeed2b7dd778755d35f445712f989e302c1d33811"
          },
          "filename": "psycopg-3.0b1-py3-none-any.whl",
          "hashes": {
            "sha256": "fd510caaaa90aec11781c0581a8a03f847e35925db6de293404db87d625a44e8"
          },
          "provenance": null,
          "requires-python": ">=3.6",
          "size": 131830,
          "upload-time": "2021-09-03T21:34:46.638478Z",
          "url": "https://files.pythonhosted.org/packages/4f/09/82c50c58aa2916d0bb1f46e1c4523ab34dd0513623576d1eb2aff2107d43/psycopg-3.0b1-py3-none-any.whl",
          "yanked": false
        },
        {
          "core-metadata": false,
          "data-dist-info-metadata": false,
          "filename": "psycopg-3.0b1.tar.gz",
          "hashes": {
            "sha256": "90188a415f2132eabccfa58ae41330d3bfc1c5c410add4d6194e783521478189"
          },
          "provenance": null,
          "requires-python": ">=3.6",
          "size": 108312,
          "upload-time": "2021-08-30T04:25:06.027667Z",
          "url": "https://files.pythonhosted.org/packages/00/9a/6a9736d77056057ff9329d02499b6f3fd71d3fa0e6ef06e35331e5082254/psycopg-3.0b1.tar.gz",
          "yanked": false
        },
        ...
      ]
    }
    

    while ProGet Version 2025.23 (Build 11) currently returns something like this

    {
      "meta": {
        "api-version": "1.1"
      },
      "name": "my-package",
      "files": [
        {
          "filename": "my_package-1.2.3-py3-none-any.whl",
          "url": "https://proget.my-company.com/pypi/my-pypi-feed/download/my-package/1.2.3/my_package-1.2.3-py3-none-any.whl",
          "requires-python": ">=3.14",
          "core-metadata": {
            "sha256": "ea6628ba83f8e99d903c34a31a75b7029b2784bca386d4291c4596512d16455f"
          },
          "hashes": {
            "md5": "e72e324c1ae5706266286d4153b61da0",
            "sha1": "7afd9775dcb2e1ec15c2d765b1b099429dd836d5",
            "sha256": "61ac54e62ddd357c2111097d34898f2249d2490a8d39f933febcb19da73d26e4",
            "sha512": "d82c3e4b7a5d5a71a0dffade0ac636689c8d8a41b5cc0412d0cf2fec1ba7c4a9248af25613a92f3352c96cb033a1466ed38c30ca33306feba091f4b2c6348d3e"
          }
        },
        ...
      ]
    }
    

    Notably, the response from ProGet advertises PEP 700 conformance by specifying "meta.api-version": "1.1". But according to the specification there should be a versions key at the top level and a size key per file, both of which are missing in the response from ProGet. The specification also mentions an optional upload-time key per file, which is also missing here.

    I think the versions key isn't as important, but I think that size and upload-time could be really useful.

    Providing size would help tools like uv to make use of heuristics to speed up downloads which can be seen here where it sorts the wheels to be downloaded by size.

    Given the current wave of supply chain attacks (trivy, litellm, axos, ...), the upload-time key would make it possible to use dependency cooldown features like these:

    I don't mean to use dependency cooldowns for dependencies from my own ProGet instance, but since I also mix in dependencies from pypi.org, I urgently want to use dependency cooldowns for those dependencies from pypi.org. However, tools like uv and pixi will simply assume that there is no package version that satisfies the dependency cooldown period when the upload-time key is not present. So even if upload-time is declared as optional according to PEP 700, I'd highly encourage adding it to the metadata response.

    Changing the behavior of ProGet could break existing workflows, so one would have to be careful adding new keys to the response, but I'd like to hear more about what users think about adding the size and upload-time keys in particular, or whether even going for full PEP 700 conformance would be desirable.

    Cheers
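The following is an added example, not code from the original post or from ProGet or pypi.org: a small Python checker that takes a Simple API JSON project response, reports which PEP 700 keys are absent despite an advertised api-version of 1.1 or later, and applies a dependency cooldown the way the post describes uv and pixi behaving (a file with no upload-time can never be shown to be old enough, so it is never eligible). The two sample responses are constructed to mirror the shapes quoted above, with placeholder hashes and URLs; the conformance rules are the ones the post summarises from PEP 700 (versions and size required from api-version 1.1, upload-time optional).

```python
"""Added example (not from the original thread, ProGet or pypi.org).

Checks a PEP 691/700 Simple API JSON project page for the keys the post
discusses and applies a dependency cooldown over per-file upload-time.
Assumption: rules as stated in the post (versions and size required from
api-version 1.1, upload-time optional). Samples below are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of the pypi.org response quoted in the
# post (two files only, placeholder hashes and URLs).
PYPI_LIKE = json.dumps({
    "meta": {"api-version": "1.4"},
    "name": "psycopg",
    "versions": ["3.0b1"],
    "files": [
        {"filename": "psycopg-3.0b1-py3-none-any.whl",
         "hashes": {"sha256": "0" * 64},
         "size": 131830,
         "upload-time": "2021-09-03T21:34:46.638478Z",
         "url": "https://example.invalid/psycopg-3.0b1-py3-none-any.whl"},
        {"filename": "psycopg-3.0b1.tar.gz",
         "hashes": {"sha256": "1" * 64},
         "size": 108312,
         "upload-time": "2021-08-30T04:25:06.027667Z",
         "url": "https://example.invalid/psycopg-3.0b1.tar.gz"},
    ],
})

# Constructed sample in the shape of the ProGet 2025.23 response quoted in
# the post: api-version 1.1 but no "versions", "size" or "upload-time".
PROGET_LIKE = json.dumps({
    "meta": {"api-version": "1.1"},
    "name": "my-package",
    "files": [
        {"filename": "my_package-1.2.3-py3-none-any.whl",
         "hashes": {"sha256": "2" * 64},
         "url": "https://example.invalid/my_package-1.2.3-py3-none-any.whl"},
    ],
})


def load(text: str) -> dict:
    """Parse a Simple API JSON response body."""
    return json.loads(text)


def api_version(doc: dict) -> tuple[int, int]:
    """Turn meta.api-version ("1.4") into a comparable (major, minor) tuple."""
    major, minor = doc["meta"]["api-version"].split(".")
    return int(major), int(minor)


def pep700_issues(doc: dict) -> list[str]:
    """List PEP 700 keys a response omits although it advertises >= 1.1.

    "versions" and per-file "size" are required from 1.1 on; "upload-time"
    is optional, so its absence is reported as such, not as a violation.
    """
    issues: list[str] = []
    if api_version(doc) < (1, 1):
        return issues  # PEP 700 keys are not expected before api-version 1.1
    if "versions" not in doc:
        issues.append("missing required top-level 'versions'")
    for f in doc.get("files", []):
        name = f.get("filename", "<unnamed file>")
        if "size" not in f:
            issues.append(f"{name}: missing required 'size'")
        if "upload-time" not in f:
            issues.append(f"{name}: missing optional 'upload-time'")
    return issues


def parse_upload_time(value: str) -> datetime:
    """PEP 700 upload-time is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def cooldown_eligible(doc: dict, cooldown_days: int, now_iso: str) -> list[str]:
    """Filenames uploaded at least `cooldown_days` before `now_iso`.

    A file without upload-time cannot be shown to be old enough and is
    skipped, which is why a feed that drops the key makes every version
    look "too new" to a cooldown-aware resolver.
    """
    now = parse_upload_time(now_iso)
    cooldown = timedelta(days=cooldown_days)
    eligible = []
    for f in doc.get("files", []):
        uploaded = f.get("upload-time")
        if uploaded is None:
            continue
        if now - parse_upload_time(uploaded) >= cooldown:
            eligible.append(f["filename"])
    return eligible


def smallest_first(doc: dict) -> list[str]:
    """Order files by advertised size; files without "size" sort last."""
    files = doc.get("files", [])
    return [f["filename"] for f in
            sorted(files, key=lambda f: (f.get("size") is None, f.get("size", 0)))]


if __name__ == "__main__":
    for label, text in (("pypi.org-like", PYPI_LIKE), ("ProGet-like", PROGET_LIKE)):
        doc = load(text)
        print(label, "issues:", pep700_issues(doc) or "none")
        print(label, "installable under a 7-day cooldown:",
              cooldown_eligible(doc, 7, "2021-09-10T00:00:00Z"))
```

Run against the ProGet-shaped sample, the checker flags the missing versions and size keys and notes the absent upload-time, and the cooldown filter returns nothing, which is the failure mode the post describes for uv and pixi; the pypi.org-shaped sample passes and yields only the file old enough to clear the cooldown.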


  • inedo-engineer

    Hi @0xFFFFFFFF,

    Thanks for the detailed write-up and explanation.

    It looks trivial to add size and upload-time. Adding versions is probably simple, assuming it's just an array of distinct version numbers (we already have all the "packages" in context).

    It's probably fine, but just to be safe we will do this in ProGet 2026, given some of the subtle behavioral changes you mentioned ("tools like uv to make use of heuristics to speed up downloads"). For someone with an overloaded server, that might "put it over the edge".

    ProGet 2026 may be ready by the end of the month, so it's not so far away.

    -- Dean



  • Hi Dean,

    Thank you very much for the reply!

    This landing in ProGet 2026 would be awesome! But of course I understand you want to be certain that those changes would not cause issues for the users, so I think having to wait a little more would be no problem for me.

