Spike: Support pypi comparison rules in Composition Analysis tools

Problem to solve

We've implemented the PEP 426 name comparison rules in Category:Software Composition Analysis tools such as Dependency Scanning (Gemnasium), Continuous Vulnerability Scanning, and License Scanning.

However, it turns out that pypi and pip implement additional rules (when redirecting to the canonical package, and when installing the package, respectively).

Examples:

pip behaves the same way:

  • pip install importlib.metadata (dot) installs importlib-metadata (hyphen).
  • pip install zope-event (hyphen) installs zope.event (dot).

packaging.utils might implement other rules like these.
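The two pip examples above are explained by the difference between the PEP 426 comparison rule (case-insensitive, hyphen and underscore equivalent) and the PEP 503 normalization that packaging.utils.canonicalize_name implements (lowercase, and any run of hyphens, underscores or dots collapsed to a single hyphen). The following is an added illustration, not code from this issue or from the GitLab scanners; it reimplements both rules locally so it runs without the packaging library, and the extra name pairs beyond the two on the page are constructed for the demonstration.

```python
import re

# PEP 503 normalization, as implemented by packaging.utils.canonicalize_name:
# any run of "-", "_" or "." becomes a single "-", then lowercase.
_SEPARATOR_RUN = re.compile(r"[-_.]+")


def pep426_key(name: str) -> str:
    """PEP 426 comparison key: case-insensitive, '-' and '_' are equivalent.
    Dots are left untouched, which is the gap this spike is about."""
    return name.lower().replace("_", "-")


def pep503_key(name: str) -> str:
    """PEP 503 comparison key (what pypi/pip actually use to resolve a name)."""
    return _SEPARATOR_RUN.sub("-", name).lower()


def same_package(a: str, b: str, key=pep503_key) -> bool:
    """True when both names resolve to the same package under the chosen rule."""
    return key(a) == key(b)


def missed_by_pep426(pairs):
    """Return the pairs that pypi/pip treat as one package (PEP 503) but a
    PEP 426-only matcher treats as two. These are the dependency-to-advisory
    matches a scanner would silently miss."""
    return [
        (a, b)
        for a, b in pairs
        if same_package(a, b, key=pep503_key) and not same_package(a, b, key=pep426_key)
    ]


# Constructed sample: the two examples from the issue plus a few edge cases
# (mixed case, repeated separators) that a scanner's test suite should cover.
SAMPLE_PAIRS = [
    ("importlib.metadata", "importlib-metadata"),  # from the issue
    ("zope-event", "zope.event"),                  # from the issue
    ("Zope_Event", "zope.event"),                  # case + underscore vs dot
    ("foo__bar", "foo-bar"),                       # separator run, no dot
    ("requests", "request"),                       # genuinely different packages
]


if __name__ == "__main__":
    for a, b in SAMPLE_PAIRS:
        print(f"{a:20} {b:20} pep426={same_package(a, b, pep426_key)!s:5} "
              f"pep503={same_package(a, b, pep503_key)}")
    print("missed by PEP 426 only:", missed_by_pep426(SAMPLE_PAIRS))
```

Running it shows that the two pairs from the issue (and any other dot-vs-hyphen pair) match only under the PEP 503 key, while a pair such as `foo__bar`/`foo-bar` is caught by both rules. For a scanner, the practical consequence is that an advisory filed against `importlib-metadata` would not be matched to a lockfile entry for `importlib.metadata` until the dot rule is added.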

Topic to Evaluate

Figure out the comparison rules that are missing, and what is involved in implementing them.

Tasks to Evaluate

  • Identify all the package name normalization rules implemented in packaging.utils and not covered by PEP 426.
  • Evaluate what's needed to port this to DS, CVS, and LS.
  • Create issues.

Risks and Implementation Considerations

Team

Edited by Fabien Catteau