pip: Package names containing a dot don't work under DevPI

  • Pip version: 8.1.2
  • Python version: 2.7.11
  • Operating System: Linux

Description:

When asked for a package name containing a dot version 8.1.2 of pip rewrites the package name with a dash instead (e.g. “foo.bar” becomes “foo-bar”). This seems to work fine on PyPI, but not on DevPI (we’re using devpi-server-2.1.4). Downgrading to version 8.1.1 of pip resolves the problem.

What I’ve run:

$ virtualenv ~/v27
New python executable in /home/myname/v27/bin/python
Please make sure you remove any previous custom paths from your /home/myname/.pydistutils.cfg file.
Installing setuptools, pip, wheel...done.
~
$ ~/v27/bin/pip list
pip (8.1.2)
setuptools (21.0.0)
wheel (0.29.0)
~
$ ~/v27/bin/pip -v -v -v install zope.interface
Collecting zope.interface
  1 location(s) to search for versions of zope.interface:
  * http://devpi.our.domain.com/our_company/prod/+simple/zope-interface/
  Getting page http://devpi.our.domain.com/our_company/prod/+simple/zope-interface/
  Starting new HTTP connection (1): webproxy.our.domain.com
  "GET http://devpi.our.domain.com/our_company/prod/+simple/zope-interface/ HTTP/1.1" 200 139
  Analyzing links from page http://devpi.our.domain.com/our_company/prod/+simple/zope-interface/
  Could not find a version that satisfies the requirement zope.interface (from versions: )
Cleaning up...
No matching distribution found for zope.interface
Exception information:
Traceback (most recent call last):
  File "/home/myname/v27/lib/python2.7/site-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/home/myname/v27/lib/python2.7/site-packages/pip/commands/install.py", line 310, in run
    wb.build(autobuilding=True)
  File "/home/myname/v27/lib/python2.7/site-packages/pip/wheel.py", line 750, in build
    self.requirement_set.prepare_files(self.finder)
  File "/home/myname/v27/lib/python2.7/site-packages/pip/req/req_set.py", line 370, in prepare_files
    ignore_dependencies=self.ignore_dependencies))
  File "/home/myname/v27/lib/python2.7/site-packages/pip/req/req_set.py", line 522, in _prepare_file
    finder, self.upgrade, require_hashes)
  File "/home/myname/v27/lib/python2.7/site-packages/pip/req/req_install.py", line 268, in populate_link
    self.link = finder.find_requirement(self, upgrade)
  File "/home/myname/v27/lib/python2.7/site-packages/pip/index.py", line 491, in find_requirement
    'No matching distribution found for %s' % req
DistributionNotFound: No matching distribution found for zope.interface

About this issue

  • Original URL
  • State: closed
  • Created 8 years ago
  • Reactions: 17
  • Comments: 52 (21 by maintainers)

Commits related to this issue

Most upvoted comments

@pfmoore well, imho that bugfix should have been a major release (from my pov its a breaking change of interaction with external systems)

+22
RonnyPfannschmidt on May 11, 2016

devpi fix is out, see https://groups.google.com/d/msg/devpi-dev/-MgysUfZ36Q/JnqqMscrAAAJ

+8
fschulze on May 11, 2016

I’m going to close this issue since DevPI is fixed and there’s nothing actionable here on pip’s end. Thanks all!

+5
dstufft on May 11, 2016

@pfmoore im aware that the code change is small, but the behavior change is breaking

as such my opinion is, that a major release might have been better so people notice that the update might break something

as for devpi, i don’t know if the change on the server side is breaking or just cosmetic basally if it breaks users, major, if it doesn’t patch

+3
RonnyPfannschmidt on May 11, 2016

To be clear it was warning since pip 6.0 in the general case, it was an oversight that it wasn’t correctly converting a . to a - (but it was converting other characters) and pip 8.0 was when that behavior was actually converted from a warning to an error (again, still with the oversight that . wasn’t getting converted to -) and it wasn’t until 8.1.2 that we happened to inadvertently correct that oversight because one of the libraries we use did it correctly.

Unfortunately we don’t have any metrics into how people are invoking pip, what the outcomes of their commands are, or anything like that which we could use to judge impact (if we had even realized this wasn’t working correctly in the first place or that we had inadvertently fixed it) so impact tends to be judged based on gut feeling mostly and testing against PyPI itself. Prior to PEP 503 the definition of what a repository was, was literally “whatever PyPI does” so all the non PyPI implementations attempted to copy that to varying degrees of success and typically they didn’t re-evaluate that when PyPI changed until pip install <thing> actually breaks for them.

Typically I would roll this back and issue a 8.1.3 and send this specific change through some kind of deprecation process… however, the dependency we updated and the changes that caused it to actually happen are fixing other important bugs caused by the new marker support. Rolling that back will re-break some packages that are currently not able to be installed by pip 8 -> 8.1.1. It ends up being a choice between breaking those packages, or breaking things like devpi and bandersnatch, and I have to fall along the axis of fixing the things we meant to fix in 8.1.2 and letting the breaking change stay, largely because those packages don’t have much of a recourse for fixing it otherwise and this breaking change can be fixed in devpi/bandersnatch/etc instead.

+2
dstufft on May 11, 2016

@chadawagner thank you!

+1
pavelrad on Aug 26, 2016

pip 8.1.1 doesn’t have this problem.

+1
pavelrad on Aug 25, 2016

@dstufft - sadly, no one except the few dedicated souls like your good self actually read, let alone understand PEPs (for this one you’d have had to be on the pypa lists (distutils-sig, still?) or maybe python-dev? to even find out about the PEP - is that a realistic expectation for everyone who runs any python package hosting infrastructure?).

The rest of us react to stuff changing as we find out about it, most often when things break.

What makes me sad is that this change means you can no longer host a poor man’s python package repository using a filesystem and apache, unless you can guarantee no packages include dots in their names…

+1
cjw296 on May 11, 2016

@fschulze thanks for the quick fix 😃

+1
dstufft on May 11, 2016

See also, Postel’s Tarpit.

+1
dstufft on May 11, 2016

@pfmoore my understanding is that the intent was to change behavior in pip 8 and the fix life-cycle accidentally deferred that to 8.1.2

i’d prefer to only see that kind of change for major version jumps (as the intent was)

i’m well aware the current problem is unintended and i’m pretty sure i’d have done the release just as @dstufft did

this is more of a “ouch this is an accident, it should be major due to breakage we observe”

+1
RonnyPfannschmidt on May 11, 2016

For anyone using tox on Travis CI, which creates a virtualenv and installs the latest pip (even though Travis CI environment itself uses pip 6.0.7, here’s how we worked around this problem.

Add a pip.sh script to your project:

#!/bin/bash
pip install '<8.1.2'
pip install "$@"

Add to your tox.ini:

install_command = {toxinidir}/pip.sh {opts} {packages}

This will downgrade the version of pip inside the virtualenv created by tox, before installing the dependencies.

+1
mrmachine on May 11, 2016
Read more comments on GitHub
← pip: On PyPy, binary wheels broken on pip==20.0.1
pip: Pandas fails to install on latest pre-release candidate →