Spike: Support pypi comparison rules in Composition Analysis tools
Problem to solve
We've implemented PEP 426 name comparison rules in Category:Software Composition Analysis tools such as Dependency Scanning (Gemnasium), Continuous Vulnerability Scanning, and License Scanning.
However, it turns out that pypi and pip implement additional rules (when redirecting to the canonical package, or installing the package, respectively).
Examples:
- https://pypi.org/project/importlib.metadata/ (dot) redirects to https://pypi.org/project/importlib-metadata/ (hyphen)
- https://pypi.org/project/zope-event/ (hyphen) redirects to https://pypi.org/project/zope.event/ (dot)
pip behaves the same way:
- pip install importlib.metadata (dot) installs importlib-metadata (hyphen).
- pip install zope-event (hyphen) installs zope.event (dot).
packaging.utils might implement other rules like these.
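To make the gap concrete, here is an added example (not part of this issue or of the packaging project) that places the PEP 426 rule we already implement (case-insensitive, hyphen and underscore equivalent) beside the PEP 503 normalization that packaging.utils.canonicalize_name implements (runs of hyphen, underscore and dot collapse to a single hyphen, then lowercase), and reports which name pairs only match under the second rule. The pair list is constructed for the demonstration; its first two entries are the pypi/pip examples above.

```python
import re

# PEP 426 rule as currently implemented in DS/CVS/LS: compare case-insensitively,
# treating '-' and '_' as equivalent. Dots are left untouched.
def pep426_key(name: str) -> str:
    return name.lower().replace("_", "-")

# PEP 503 normalization (what packaging.utils.canonicalize_name does): any run of
# '-', '_' or '.' becomes a single '-', and the result is lowercased.
_PEP503_RUN = re.compile(r"[-_.]+")

def pep503_key(name: str) -> str:
    return _PEP503_RUN.sub("-", name).lower()

def names_match(a: str, b: str, key=pep503_key) -> bool:
    """True when both names have the same comparison key under the given rule."""
    return key(a) == key(b)

# Constructed pairs: the first two come from the pypi/pip examples in the issue,
# the rest exercise case folding, underscore/hyphen equivalence and run collapsing.
CASES = [
    ("importlib.metadata", "importlib-metadata"),
    ("zope-event", "zope.event"),
    ("Django", "django"),
    ("typing_extensions", "typing-extensions"),
    ("foo__bar", "foo-bar"),
]

def missing_rule_cases():
    """Pairs that match under PEP 503 but are missed by the PEP 426-only rule."""
    return [
        (a, b)
        for a, b in CASES
        if names_match(a, b, pep503_key) and not names_match(a, b, pep426_key)
    ]

if __name__ == "__main__":
    for a, b in CASES:
        print(f"{a!r:22} {b!r:22} pep426={names_match(a, b, pep426_key)!s:5} "
              f"pep503={names_match(a, b, pep503_key)}")
    print("missed by PEP 426 rule:", missing_rule_cases())
```

Running it shows that the two pypi/pip examples match only once dots are folded into hyphens and runs are collapsed, which is exactly the behaviour the scanners would need to add to agree with pypi redirects and pip installs.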
Topic to Evaluate
Figure out the comparison rules that are missing, and what is involved in implementing them.
Tasks to Evaluate
- Identify all the package name normalization rules implemented in packaging.utils and not covered by PEP 426.
- Evaluate what's needed to port this to DS, CVS, and LS.
- Create issues.
Risks and Implementation Considerations
Team
- Add ~workflow::planning breakdown, ~type::feature and the corresponding ~devops::<stage> and ~group::<group> labels.
- Ping the PM and EM.
Edited by Fabien Catteau