pip: pip 10.0.0.dev0 unable to find wheels off PEP 503 compliant repository

Looking closer at the original PR, it didn’t precisely “allow non-PEP 440 versions”. Pip had never forced PEP 440 versions here, all it did previously was insist that the version started with a number. That’s nothing more than a heuristic to detect where the name finishes and the version starts.

We need some heuristic - as this issue shows, allowing unrestricted versions leaves us with no means to determine in foo-bar-ver whether the package is foo-bar and the version is ver, or the package is foo and the version is bar-ver.

With that in mind, I’m more comfortable with changing the code to say that the version must not contain a hyphen - my “patching over the cracks” solution above. I’d add a comment to the code noting why we have that restriction, but otherwise leave it undocumented (officially, pip supports PEP 440, the fact that it handles non-standard names needn’t be mentioned at all in the docs). This should provide a reasonable fix for both issues - we fix this one, and we allow “nearly all” non-compliant versions (and the ones we don’t allow are not the ones that prompted the original issue report).

I am also in favour of reverting.

Pinging @xavfernandez!

Thanks a lot, everyone! Sorry to bother you about this. I’ll reopen the issue in case I run into with underscores instead of hyphens, but I doubt that will be the case. Thanks again! 🙏

@pfmoore I’m marking this as a release blocker but I guess this is a good candidate to get feedback on during the beta cycle.

My position is the same.

I’m also in favor of reverting.

Specifically, the wheel format uses dashes to separate the name from the version. If both names and versions are allowed to contain dashes, the parsing is ambiguous. The PR that added that commit was https://github.com/pypa/pip/pull/4384. @dstufft and @xavfernandez, you were in favour of the change - given the issue here, what’s your view on reverting it? Personally, I think allowing valid project names is more important than allowing invalid versions, so I’m inclined to revert.

I don’t think that normalised PEP 440 versions can contain a dash (and I hope that valid wheels will only ever use normalised versions) so an alternative might be to tighten the regexp for a version: (?P<namever>(?P<name>.+?)-(?P<ver>[^-]*?)). I’m not keen, though, as this feels like just patching over the cracks.

>>> import re
>>> re.match(r"""^(?P<namever>(?P<name>.+?)-(?P<ver>\d.*?))
...          ((-(?P<build>\d.*?))?-(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)
...          \.whl|\.dist-info)$""", "python-foo-bar-1.0.0-py2-none-any.whl", re.VERBOSE).groupdict()
{'namever': 'python-foo-bar-1.0.0', 'name': 'python-foo-bar', 'ver': '1.0.0', 'build': None, 'pyver': 'py2', 'abi': 'none', 'plat': 'any'}
>>> re.match(r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.*?))
...          ((-(?P<build>\d.*?))?-(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)
...          \.whl|\.dist-info)$""", "python-foo-bar-1.0.0-py2-none-any.whl", re.VERBOSE).groupdict()
{'namever': 'python-foo', 'name': 'python', 'ver': 'foo', 'build': None, 'pyver': 'bar', 'abi': '1.0.0', 'plat': 'py2-none-any'}

Regression testing point at 8378567b616779910d9d3df1b7d80935dab65345

@dstufft @pradyunsg Do you know why this might be happening?