setuptools: Newlines in the `description` field produce a malformed PKG-INFO

We discovered this accidentally by way of https://github.com/zopefoundation/zc.relation/issues/4#issuecomment-397532224: if you pass a string containing newlines to the description argument of setup(), setuptools will generate a malformed PKG-INFO.

To reproduce:

# setup.py
from setuptools import setup
setup(
    name='test-package',
    version='0.1',
    author='Blah Blah',
    author_email='blah@example.com',
    description='description\n\n',
    py_modules=['blah'],
)

(The contents of blah.py do not matter, but the file should exist.)

Run python setup.py sdist and the inspect test_package.egg-info/PKG-INFO. For me, with setuptools 39.1.0, it looks like this:

Metadata-Version: 1.0
Name: test-package
Version: 0.1
Summary: description


Home-page: UNKNOWN
Author: Blah Blah
Author-email: blah@example.com
License: UNKNOWN
Description: UNKNOWN
Platform: UNKNOWN

The extra newlines lead tools to treat the rest of the PKG-INFO as a long_description.

I would expect setuptools to complain about the newlines in the description field, or at least escape them properly (i.e. prepend whitespace, like it does for the long_description field).

About this issue

Original URL
State: closed
Created 6 years ago
Reactions: 6
Comments: 42 (22 by maintainers)

Commits related to this issue

Fix trailing newline in the short description; this was causing the README contents not to be rendered properly on PyPI (ref: pypa/setuptools#1390) — committed to enthought/ibm2ieee by mdickinson 6 years ago
Fix: Replaced license in setup with single statement. The issue is that the multiple lines in the `License` field are causing the rest of the file to be interpreted as the `Long-Description`. See ht... — committed to martisak/3gpp-citations by martisak 5 years ago
Debug setup.cfg pypa/setuptools#1390 — committed to ashwinvis/cookiecutter-pypack by ashwinvis 5 years ago
FIX(build): \n breaks pkg-metadata pypa/setuptools#1390 — committed to JRCSTU/wltp by ankostis 5 years ago
work around https://github.com/pypa/setuptools/issues/1390 — committed to meejah/txtorcon by meejah 5 years ago
setup.py: \n\n could cause wrong pypi rendering https://github.com/pypa/setuptools/issues/1390 — committed to lukeparser/lukeparser by deleted user 5 years ago
Fix 1.1.0 release These changes: - bump package version to 1.1.0 - strip the version string in setup.py in order to avoid a packaging issue https://travis-ci.org/opentracing-contrib/python-fla... — committed to Jamim/python-flask by Jamim 5 years ago
Fix 1.1.0 release (#43) These changes: - bump package version to 1.1.0 - strip the version string in setup.py in order to avoid a packaging issue https://travis-ci.org/opentracing-contrib... — committed to opentracing-contrib/python-flask by Jamim 5 years ago
remove license field newlines in https://www.gnu.org/licenses/gpl-3.0.txt was causing description failed to render error https://github.com/pypa/warehouse/issues/3664#issuecomment-552218625 http... — committed to wesinator/domainbigdata-python by wesinator 5 years ago
add files for setup / pip (#4) * add files for setup / pip #2 * remove license field newlines in https://www.gnu.org/licenses/gpl-3.0.txt was causing description failed to render error ... — committed to wesinator/domainbigdata-python by wesinator 5 years ago
fixed setup.py to address pypa/twine#454 and pypa/setuptools#1390 — committed to hashdd/pyhashdd by brad-anton 4 years ago
Add vagrantfile Fix issue with setup.py (https://github.com/pypa/setuptools/issues/1390) — committed to Koczek9/BundleGen by deleted user 4 years ago
Quick fix for #1390. Now description cannot contain a newline. — committed to pypa/setuptools by jaraco 4 years ago
Quick fix for #1390. Now description cannot contain a newline. — committed to pypa/setuptools by jaraco 4 years ago
Removing newline in description to comply with pypa/setuptools#1390 — committed to paulgavrikov/tflite2onnx by paulgavrikov 3 years ago
Remove newline in descriptor to comply with pypa/setuptools#1390 — committed to PyLops/pyproximal by mrava87 3 years ago
Removing newline in description to comply with pypa/setuptools#1390 (#55) * Removing newline in description to comply with pypa/setuptools#1390 * adding dist * removing wheel * Apply suggest... — committed to zhenhuaw-me/tflite2onnx by paulgavrikov 3 years ago
setup: Strip whitespace from description Avoid https://github.com/pypa/setuptools/issues/1390 causing a malformed PKG-INFO file to be generated. Signed-off-by: Philip Withnall <pwithnall@endlessos.o... — committed to pwithnall/dbus-deviation by pwithnall 3 years ago
fix: removes newlines from descriptions (https://github.com/pypa/setuptools/issues/1390) — committed to gdixon/goslate by gdixon 3 years ago
Remove newline from description field in setup.cfg Try to fix this issue https://github.com/cookiecutter/cookiecutter/issues/1614 Info to fix find in: * https://setuptools.pypa.io/en/latest/userg... — committed to Tonow/cookiecutter by Tonow 3 years ago

Most upvoted comments

I see the options as:

Escape newlines in the text so they aren’t interpreted as delimiters.

Raise an error whenever double newlines are found outside of long_description.

Silently s/\n+/\n/g for everything except long_description.

I think I prefer 1 as least disruptive, but I’m ambivalent between 2 and 3. 2 is more explicit, but 3 creates less “churn” (since this will just be auto-magically fixed).

We should fail hard for configurations that are invalid. There should be an error message that gives a clear indication on how to fix the problem. This is a developer API, and developers should deal with their broken code. We shouldn’t try to guess-fix broken stuff.

Do the fields/kwargs have an explicit specification of the data they expect? This should be enforced. The fields description and license obviously expect single-line data. Hence, when a newline is submitted in the data for those fields the generation of PKG-INFO should be aborted with a clear error message, e.g.

$ python3 setup.py sdist
ERROR: The "description" field requires a single line of text. Multi-line text was supplied.
Aborting.

bittner on Oct 1, 2018

setuptools 51.3.0 landed and I immediately got some error report about broken (internal) builds.

Reporting error here is not a good idea, really.

Please, don’t go that way. Drop description altogether if you don’t like it and can’t fix it, but don’t break installations. Ecosystem is huge, libraries are plenty, automated builds are numerous…

Mekk on Jan 17, 2021

Just wanted to point out that this is not limited to just the Summary field – any field with a double newline will cause the rest of the PKG-INFO file after those newlines to be interpreted as the “message body” and thus become the Long-Description.

di on Jun 18, 2018

I would have expect that setuptools does not hardly break for a simple escape all \n workaround.

It seems like an unfortunate wart to carry to support transforming \n to forever. Is that what you’re proposing, that Setuptools should allow invalid inputs and maintain responsibility for making them valid?

To be sure, Setuptools is not happy about breaking the builds. It’s conceivable we could back out the removal and restore the Deprecation warning for an extended period. Would that help?

jaraco on Nov 17, 2021

In retrospect, the change introduced was probably too aggressive, especially because it affects third-party packages and older releases. I’ll back off the change to emit a warning and remove the newlines with the intention of making the behavior invalid in the future.

jaraco on Jan 17, 2021

OK, anyone who wants to submit a PR, let’s go with a hard-failure if newlines are found in fields other than long_description.

I think the easiest way to do this is to implement the check right before PKG-INFO is actually written out. Hopefully that doesn’t disconnect the error message too much from the location where these inputs are actually being generated.

pganssle on Oct 23, 2018

@Mekk Immediately issuing a fatal error here is perhaps not a good idea (if you are affected, fetch 51.3.3 and get a warning instead), but please do recognize that if these errors break your build, your build was already subtly broken. It’s not that setuptools dropped support for newlines in the description field, it’s that it never supported them properly in the first place and produced bad and wrong output when they were encountered, only that bad and wrong output was still good enough that it still worked in most cases (though see my comment above re python_requires). Again, this is not about dropping something that used to be supported, this is turning silent breakage into loud breakage. Which I think we can all agree is a good thing.

alexshpilkin on Jan 17, 2021

Just out of curiosity: Why are newlines not possible? What breaks with newlines?

In its final form, the PKG-INFO metadata file is an RFC 822 document. Double newlines at any point in this document indicate a switch from the message headers to the message body. This causes everything after a double newline to be interpreted as part of the message body, including important metadata fields.

di on Dec 6, 2020

@bittner Not sure I follow… The validator(s) would be part of the packaging library, which would understand how to validate a field based on the field name. You shouldn’t have to do an add_validator here at all.

di on Oct 28, 2018

I’d really prefer to introduce a class for this that can encapsulate the validation logic for all values. It feels too much like spaghetti code, otherwise. I hope that’s fine.

One of my top priorities for this weekend’s sprint is to move metadata validation logic out of Warehouse and into pypa/packaging for reuse elsewhere, and this would be a good example of “elsewhere”.

The API will likely behave a lot like how it’s currently being used in Warehouse: there will be a class which is initialized with a dict adhering to JSON-compatible metadata, and an instance of that class will have a .validate() function and a .errors attribute.

If you want to move ahead with that assumption, we can probably just connect the dots later.

di on Oct 23, 2018