Removal of `LegacyVersion` and `LegacySpecifier`

[pradyunsg]

This issue is an obvious follow up to #321. I'm mostly filing this to serve as the issue that the changelog points to, for coalescing the discussion/planning for this change into a single location, and for having the PR close an issue. :)

---

>>> # before 22.0
>>> packaging.version.parse("This is a completely random string")
<LegacyVersion('This is a completely random string')>

>>> # after 22.0
>>> packaging.version.parse("This is a completely random string")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "[...]/.venv/lib/python3.10/site-packages/packaging/version.py", line 52, in parse
    return Version(version)
  File "[...]/.venv/lib/python3.10/site-packages/packaging/version.py", line 197, in __init__
    raise InvalidVersion(f"Invalid version: '{version}'")
packaging.version.InvalidVersion: Invalid version: 'This is a completely random string'

This "feature" has been deprecated (#321) for nearly two years as of April 2022.

PyPI has not permitted uploading packages with invalid versions for even more years. The latest versions of pip should be rejecting/erroring out on wheels with such versions as well. The stricter metadata validation helps pip's dependency resolver's logic, along with helping the broader ecology avoid needing to deal with outside-of-standard tooling/behaviours.

For users who might be impacted by this, they have hopefully caught this issue in (a) their test suites, (b) through the "warnings" presented during the execution of legacy code, during the deprecation period, or (c) as part of warnings presented by pip.

Users who encounter breakage due to this change can adopt the following broad strategy for dealing with it:

1. Pin to an older version of packaging (or pip, if your error contains pip._vendor.packaging in the traceback), to deal with the immediate breakage.
2. Modify the versions / specifiers that they use, to be compatible with PEP 440's specification. In practice, this means that if your Requirement/Version/Specifier can be parsed by the Requirement, Version or SpecifierSet classes from this package, it can be used going forward. Notably, you won't be able to compare between legacy versions outside of the === arbitrary-equality operator.
3. Update their development/deployment processes to catch deprecation warnings before they become breakages in their workflows, or to mitigate the propagation of potentially-breaking-changes upstream making it into their development workflows.

If there's anything we can do to help you catch these issues earlier, please write your suggestion in a comment with a 💡 emoji in it (:bulb:). :)

[pradyunsg]

This is what the pip warnings/errors should look like, to users:

  WARNING: Built wheel for awesome-test-package is invalid: Metadata 1.2 mandates PEP 440 version, but 'magickarp' is not

[uranusjr]

An alternative I'd prefer over pinning the vendored packaging would be to move those legacy classes into pip and implement wrappers parse_version and parse_specifier to use instead of accessing packaging directly.

[pradyunsg]

@uranusjr I am not too keen on having pip contain legacy logic while the rest of the ecosystem is not able to use that logic. That defeats the whole point of having a shared implementation in this library. :)

The intention here is that we'd basically start rejecting these everywhere including pip -- users affected by this can pin to an older version of the relevant tools if they need to use the packages with legacy versions. PyPI has not been accepting such versions for quite a while (see #321 for the extended discussion). For pip, it is already rejecting wheels that contain such versions and this would expand that to all packages.

[uranusjr]

One problem for pip specifically is that pkg_resources loads all versions from installed packages eagerly (most other tools don’t do this), and rejecting invalid versions would break pip if the user has one package inherited from say an ancient Debian distribution. If we are to remove all support for versions, we’ll need to do some non-trivial patching to pkg_resources, or complete the importlib.metadata migration (which would take a lot of time even if we start right now, and we have not even had the change merged yet…)

[pradyunsg]

Pinning this for visibility, since this has now been released.