Marker referencing 'platform_release' fails to evaluate on Linux systems with non-PEP 440 kernel versions

[diazona]

In a conversation on Mastodon, @kevinbowen777 reported an error with a failing version comparison when installing py5 with pdm. With @py5coding and myself, we tracked the cause to markers like platform_release >= "20.0" and sys_platform == "darwin" that appear in the pdm lock file. Specifically, on Linux, platform_release evaluates to the full Linux kernel version as returned by uname -r, which might be something like 6.1.0-17-amd64 (on Kevin's system) or 6.7.0-gentoo (on mine), and so when packaging applies PEP 440 version comparison logic to that version number, it raises an InvalidVersion error.

Here's a simple reproduction on my system:

>>> import packaging.markers
>>> marker = packaging.markers.Marker('platform_release >= "20.0"')
>>> packaging.markers.default_environment()
{'implementation_name': 'cpython', 'implementation_version': '3.12.1', 'os_name': 'posix', 'platform_machine': 'x86_64', 'platform_release': '6.7.0-gentoo', 'platform_system': 'Linux', 'platform_version': '#1 SMP PREEMPT_DYNAMIC Sun Jan 14 21:02:35 PST 2024', 'python_full_version': '3.12.1', 'platform_python_implementation': 'CPython', 'python_version': '3.12', 'sys_platform': 'linux'}
>>> m.evaluate()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.12/site-packages/packaging/markers.py", line 252, in evaluate
    return _evaluate_markers(self._markers, current_environment)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/packaging/markers.py", line 158, in _evaluate_markers
    groups[-1].append(_eval_op(lhs_value, op, rhs_value))
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/packaging/markers.py", line 116, in _eval_op
    return spec.contains(lhs, prereleases=True)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/packaging/specifiers.py", line 568, in contains
    normalized_item = _coerce_version(item)
                      ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/packaging/specifiers.py", line 36, in _coerce_version
    version = Version(version)
              ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/packaging/version.py", line 200, in __init__
    raise InvalidVersion(f"Invalid version: '{version}'")
packaging.version.InvalidVersion: Invalid version: '6.7.0-gentoo'

I know it's not terribly common for packages to use the platform_release marker, but evidently it does happen; in this case when installing py5, something is conditionally depending on pyobjc and is using platform_release to express that condition. And I didn't find anything in the documentation indicating that this sort of thing shouldn't be allowed. So it certainly at least looks like an issue that needs to be worked around.

This is pretty similar to #678, but that issue was about the Python runtime version, where there's a bit of an argument to be made that CPython should stick to PEP 440-compatible version numbers. I'm pretty sure that argument isn't going to fly for distribution-packaged Linux kernel versions. I wasn't sure if you'd rather have a separate issue or just a comment on #678, but I figured I'd start with this and you can absorb it into that other issue if you want.

---

Original example with pdm and py5

$ pdm init --python python3.12 --lib --backend pdm-backend --non-interactive
Creating a pyproject.toml for PDM...
Virtualenv is created successfully at /home/diazona/tmp/py5_test/.venv
Project is initialized successfully
$ pdm add --no-sync py5
Adding packages to default dependencies: py5
🔒 Lock successful
Changes are written to pyproject.toml.
$ pdm install -v
STATUS: Resolving packages from lockfile...
Traceback (most recent call last):
  File "/home/diazona/.local/bin/pdm", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/pdm/core.py", line 288, in main
    return Core().main(args or sys.argv[1:])
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/pdm/core.py", line 208, in main
    raise cast(Exception, err).with_traceback(traceback) from None
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/pdm/core.py", line 203, in main
    self.handle(project, options)
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/pdm/core.py", line 157, in handle
    command.handle(project, options)
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/pdm/cli/commands/install.py", line 100, in handle
    actions.do_sync(
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/pdm/cli/actions.py", line 222, in do_sync
    candidates = resolve_candidates_from_lockfile(project, requirements, groups=list(selection))
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/pdm/cli/actions.py", line 154, in resolve_candidates_from_lockfile
    return {
           ^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/pdm/models/repositories.py", line 605, in evaluate_candidates
    and not can.req.marker.evaluate(self.environment.marker_environment)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/pdm/models/markers.py", line 50, in evaluate
    return self.inner.evaluate(environment)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/dep_logic/markers/multi.py", line 139, in evaluate
    return all(m.evaluate(environment) for m in self.markers)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/dep_logic/markers/multi.py", line 139, in <genexpr>
    return all(m.evaluate(environment) for m in self.markers)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/dep_logic/markers/single.py", line 50, in evaluate
    return pkg_marker.evaluate(environment)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/packaging/markers.py", line 252, in evaluate
    return _evaluate_markers(self._markers, current_environment)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/packaging/markers.py", line 158, in _evaluate_markers
    groups[-1].append(_eval_op(lhs_value, op, rhs_value))
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/packaging/markers.py", line 116, in _eval_op
    return spec.contains(lhs, prereleases=True)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/packaging/specifiers.py", line 568, in contains
    normalized_item = _coerce_version(item)
                      ^^^^^^^^^^^^^^^^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/packaging/specifiers.py", line 36, in _coerce_version
    version = Version(version)
              ^^^^^^^^^^^^^^^^
  File "/home/diazona/.local/pipx/venvs/pdm/lib/python3.12/site-packages/packaging/version.py", line 200, in __init__
    raise InvalidVersion(f"Invalid version: '{version}'")
packaging.version.InvalidVersion: Invalid version: '6.7.0-gentoo'

It's worth noting that we haven't figured out how to reproduce this with any other package installer besides pdm. We haven't figured out why exactly that is; evidently there's something that pdm is doing and others don't which is involved in triggering the error. But, considering the simple example I posted above, this clearly doesn't need pdm to be reproducible, and it didn't seem like pdm is using Marker.evaluate() incorrectly, which is why I'm reporting it here rather than to pdm.

[sbidoul]

The relevant part of PEP 508 seems to be this:

Comparisons in marker expressions are typed by the comparison operator. The <marker_op> operators that are not in <version_cmp> perform the same as they do for strings in Python. The <version_cmp> operators use the PEP 440 version comparison rules when those are defined (that is when both sides have a valid version specifier). If there is no defined PEP 440 behaviour and the operator exists in Python, then the operator falls back to the Python behaviour.

so in this case it should fall back to a string comparison?

[pradyunsg]

Huh, it should indeed. A PR fixing this would be welcome!

[ichard26]

I took a stab in PR #816. I hope that there aren't any devious edge cases in the details, although honestly I would not be surprised 🙃

[diazona]

Thanks!

I think the wording of the PEP could lead to what might be considered some odd edge cases, like the example you put where 20.0 compares as less than 6.7.0-gentoo, but if that's going to be a problem, the specification would be the place to fix it.

[wimglenn]

The odd edge cases are also mentioned here
astral-sh/uv#3917 (comment)

[sbidoul]

In packaging<22 (pip<24.1), it seems these cases were handled with something more intuitive than a string comparison, that was not standard compliant.

Today, we are in a situation that fails explicitly in such cases which, in a way, is good, or at least better than changing behavior silently.

So if I read correctly, no packaging version has ever been standard compliant for these cases.

Since the standard will lead to a non-intuitive solution, and (pip) users did rely on the intuitive solution of packaging<22, maybe there is a case to be made to go back to the standard drawing board first, instead of merging #816. Even if that takes quite some time, affected users can stick to packaging<22 or pip<24.1.

If we implement the standard today, it will be a breaking changes for folks who relied on the previous behavior, it will likely please no-one, and it will also lead to a situation that will be much harder to change if/when we want to change the standard because it would then be another breaking change.

[wimglenn]

I agree with @sbidoul that the spec should be updated directly. Updating pip/packaging to be in line with the existing spec first is a step in the wrong direction, because the string comparison fallback does not seem sensible or useful.

Is that _legacy_cmpkey equivalent to a distutils LooseVersion comparison? Perhaps it would be simple enough to specify formally in an amendment to PEP 508?

[diazona]

Hmm okay... if the spec is to be updated, would the goal be to formalize the behavior that pip/packaging has used in the past? Or would this be an opportunity to rethink the whole thing and come up with a potentially fresh and more sensible way of handling non-PEP 440 version numbers than lexicographic comparison?

In the latter case, I'd be willing to help advance a discussion about what the spec should say, if I knew some people with more established reputations than myself - like you all - would be interested in having it. (as per this discussion on the PR) Or, even in the former case (formalize the historical behavior) I'd be happy to help too, but I think I have little value to add in that situation.

Some ideas I've been throwing around in my head

• Add a new environment marker that is based on `platform_release` but is guaranteed to contain a PEP 440-compatible version
• Taking that a little further, I wonder if it'd make sense to register a notion of a marker's "type", either string or version number, and have comparison operators involving that marker work accordingly
• If the marker value is not a PEP-440 compatible version, extract the longest prefix that is and use that for comparison (this was just an idle comment about test coverage, but if we're brainstorming new alternatives it's an option)

This is not to derail the issue with discussion of what a change proposal (if there is one) should be; just making the point that there's enough material to start that discussion in whatever venue is appropriate.

[brettcannon]

FYI the spec for environment markers can be found at https://packaging.python.org/en/latest/specifications/dependency-specifiers/#environment-markers and it mirrors what's in PEP 508, but the spec is authoritative.

Since the standard will lead to a non-intuitive solution, and (pip) users did rely on the intuitive solution of packaging<22

That means it hasn't been that way since 2021, so a good amount of users have moved on.

maybe there is a case to be made to go back to the standard drawing board first

If someone wants to bring this up on discuss.python.org and try to get consensus then please feel free to! We don't have to rush to fix this, but we shouldn't leave it in a non-compliant state forever, either.

it will likely please no-one

It will at least please me as this issue can be closed. 😁

Is that _legacy_cmpkey equivalent to a distutils LooseVersion comparison? Perhaps it would be simple enough to specify formally in an amendment to PEP 508?

The problem w/ that is it assumes that even that is lax enough to parse every Linux distro version. The string fallback has the feature of being simple and it never fails for anyone. But if we try to be clever it could still lead to complaints about why doesn't my Linux distro's version get parsed? And as the project that's going to have to field those complaints, it doesn't make me want to try and change the spec to add a potential 3rd layer to the marker comparison logic.

[wimglenn]

That means it hasn't been that way since 2021, so a good amount of users have moved on.

I disagree on this point, pip was vendoring packaging < 22 until pretty recently, and the majority of users would be using packaging via pip as an installer, not using a packaging release directly.

• https://github.com/pypa/pip/blob/24.0/src/pip/_vendor/vendor.txt packaging==21.3 (pip 24.0 - Feb 2024)
• https://github.com/pypa/pip/blob/24.1/src/pip/_vendor/vendor.txt packaging==24.1 (pip 24.1 - Jun 2024)

Personally, I noticed because uv pip behaved differently to pip.

[notatallshaw]

Yeah, only pip users who have moved to pip 24.1+ have been subject to these rules.

And IMO pip users most likely to struggle with these rules are the ones using OS distributed versions of pip, on LTS versions of their OS, and may not upgrade to pip 24.1+ for several years still, e.g. I work with a team currently standardized on pip 19.1, so there may be a very long tail of users hitting this problem.

[brettcannon]

only pip users who have moved to pip 24.1+ have been subject to these rules.

Fair enough, my mistake as I thought pip was keeping up more.

Regardless, this project is not in the business of going against standards, so someone will have to get the spec changed for us to implement something different than what's on packaging.python.org.

[notatallshaw]

Fair enough, my mistake as I thought pip was keeping up more.

FYI updating to packaging 22.0+ was a difficult vendoring for pip pypa/pip#11715 / pypa/pip#12300

[edwardpeek-crown-public]

Going on a slight tangent, this issue seems to be exacerbated by the markers being evaluated eagerly. A number of packages have markers ordered like (sys_platform == "darwin" and platform_release >= "23.0") which if evaluated lazily would circumvent this issue.

Such a change could be a good intermediate solution as updating the standard could take a while.

[mixmastamyk]

This has broken my project(s) for months, can someone fix this? Looks like there is already a pull request mitigation above.

[notatallshaw]

This has broken my project(s) for months, can someone fix this? Looks like there is already a pull request mitigation above.

Does it look like #834 would help?

[mixmastamyk]

Yes, because the error happens on Linux and the test is only valid on Windows:

install_requires = (
    'colorama;  os_name == "nt" and platform_version < "10.0.10586" ',
)

Seems the boolean AND should exit at the first False.

[edwardpeek-crown-public]

I'm eager for the mitigation to get merged as well, but can't see any contributor info on etiquette to getting a maintainer to look at it.

Pinging @brettcannon since you've reviewed the last bunch of stuff that's been merged.

[wimglenn]

Some arguments against that change in #834:

1. This can't just be yeeted out there and called an implementation detail; if the change were made, the spec ought to be updated to explicitly mandate that the logic is short-circuiting. Is or going to specified as short-circuiting too?
2. During the mitigation period, these markers would behave differently:
   'pkg; sys_platform == "foo" and platform_release < "1.2"'
'pkg; platform_release < "1.2" and sys_platform == "foo"'
   it seems like a step backwards - intuitively, they should behave identically. (this has since been fixed in the PR)
3. This doesn't actually fix the bug, it just makes it more obscure. Now we require some arcane knowledge about how best to order markers so that you don't trigger this bug on platform xyz? Does it become 'best practice' to put platform_release in the last position now? Sweeping it under the rug makes the whole situation more complicated.

It feels like a bandaid solution, I can't support it.

[notatallshaw]

I would like to offer some counterpoints:

This can't just be yeeted out there and called an implementation detail; if the change were made, the spec ought to be updated to explicitly mandate that the logic is short-circuiting.

A PR to follow the spec #816 was rejected as not being user friendly.

So if #834 is rejected for not being explicitly condoned by the spec, even though it's more user friendly, that leaves no way forward unless someone experienced enough with packaging specifications and interacting with the packaging community and has an interest in fixing this to update the spec and packaging. And so far no packaging maintainers has been interested in doing that, it would be extremely onerous on a packaging user to do this.

Is or going to specified as short-circuiting too?

That seems natural.

intuitively, they should behave identically.

IMO "behave" is doing a lot heavy lifting, it's not like they are returning a different value, one is throwing an error and the other is returning a value. Does the spec say anything about errors or exceptions?

This doesn't actually fix the bug, it just makes it more obscure.

The PR to fix the bug was rejected as being a bad user experience. This improves the user experience.

Now we require some arcane knowledge about how best to order markers so that you don't trigger this bug on platform xy

Short circuiting is very common for anything that implements Boolean logic. I don't imagine it difficult to explain it to users.

[mixmastamyk]

Right, it's not arcane. Rather the opposite, with a half century of prior art. Am surprised it never worked that way, but better late than never.

It is true that this pull request is only one part of a complete fix. There are at least two bugs here, and the pull request fixes one. On the plus side, the two issues are not directly connected and one fix need not hold back the other.

[wimglenn]

The problem w/ that is it assumes that even that is lax enough to parse every Linux distro version.

Well, isn't it? The docstring does say "there is no such thing as an invalid version number under this scheme", does anyone have a counter-example to offer?

[wimglenn]

IMO "behave" is doing a lot heavy lifting, it's not like they are returning a different value, one is throwing an error and the other is returning a value. Does the spec say anything about errors or exceptions?

It does, yeah. Ctrl+f for "an error" in PEP 508 finds them. The relevant considerations for this issue are the operators which aren't supported in Python, i.e. ~= and ===, they should cause an error on fallback. And there's "Unknown variables must raise an error rather than resulting in a comparison that evaluates to True or False".

So, the logic in #834 is running afoul of the spec in another (new) way: it could cause a marker like sys_platform = "foo_os" and python_version ~= "blort" to return False early when it should be an error upfront due to the unsupported operator. There's a notion in Python that errors should never pass silently, and False and 1 ~= 2 is already a SyntaxError in Python despite the short-circuiting boolean logic of and. (this has since been addressed).

This improves the user experience.

I'm not sure I agree on this. It complicates things. The short-circuiting might improve matters for metadata which had sys_platform == "foo" and platform_release < "1.2" and the op which can error is already on the RHS. But what about a package which had platform_release < "1.2" and sys_platform == "foo", what's the path forward for that case? Maintainer is expected to go and yank that version and then rewrite the markers in the other order and publish a post-release, just to make the dependency resolver find the right way? This is the kind of arcane knowledge I'm worried about, not the simple matter of understanding how the short-circuiting boolean logic itself actually works. (this has since been addressed).

no way forward unless someone ... update the spec and packaging

It does seem that way, yes.

[notatallshaw]

This improves the user experience.

I'm not sure I agree on this. It complicates things. The short-circuiting might improve matters for metadata which had sys_platform == "foo" and platform_release < "1.2" and the op which can error is already on the RHS. But what about a package which had platform_release < "1.2" and sys_platform == "foo",

That's a net improvement to the user experience, and something that can be recommended on how to write metadata.

So, the logic in #834 is running afoul of the spec in another (new) way: it could cause a marker like sys_platform = "foo_os" and python_version ~= "blort" to return False early when it should be an error upfront due to the unsupported operator.

That’s an implementation issue, not a shortcoming of short-circuiting, a pass for illegal syntax could be done before evaluating the operations. Why not leave a PR review?

There's a notion in Python that errors should never pass silently, and False and 1 ~= 2 is already a SyntaxError in Python despite the short-circuiting boolean logic of and.

That's a syntax error, not a runtime comparison error, you've constructed a scenario related to illegal syntax that no one has asked to work, the ask is for short-circuiting value evaluation which would look far more like this in Python:

def error():
    raise RuntimeError

result = False and error()
if not result:
    print("No error")

In this example even though error always throws an exception, and error() is syntactically called, the code does not throw an exception.

no way forward unless someone ... update the spec and packaging

It does seem that way, yes.

Another suggestion for users who want their tooling to work, and don't need this metadata to work for other users, they could try uv, which doesn't rely on packaging.

[edwardpeek-crown-public]

I've amended my PR to make it work irrespective of the ordering of marker clauses.

Ultimately the call that needs to be made is, if a package

• Was previously installing fine under older versions of packaging/pip
• Itself confirms to PEP 508
• Is not influenced by the potentially ambiguous version comparison semantics (due to guard expressions)

Should packaging/pip fail on it? If "no" then some kind of mitigating fix should be made given that other "proper" change attempts have stalled out.

[wimglenn]

That looks like an improvement and resolves some of my concerns (I'll strike them out above). I still have some reservations, but it's a more convincing PR now.

Maybe you can also add these test cases:

            (
                "sys_platform == 'foo_os' and python_version ~= 'blort'",
                {"sys_platform": "bar_os", "platform_release": "1.2.3-invalid"},
                UndefinedComparison,
            ),
            (
                "sys_platform == 'foo_os' or platform_release >= '4.5.6'",
                {"sys_platform": "foo_os", "platform_release": "1.2.3-invalid"},
                True,
            ),

Also, as a minor point I think that the try/except used within the test body isn't ideal - suppose the "expected" result is a boolean, but the marker evaluation raises. In that case we'll go into the except branch and do something like isinstance(e, expected), which is going to make a TypeError since the second argument to isinstance is not allowed to be a boolean. So a test failure will be misrepresented as a test error. Would be better if the tests fail with AssertionError, which you can get by changing try/except into a conditional on the expected type, or just moving the raising cases into a different test parametrization entirely.

[diazona]

For what it's worth, it's been on my radar to try to start a discussion about changing the spec when I have time to properly follow that through. As I'm sure everyone understands, it's not a simple problem and I wouldn't want to give it a half-hearted attempt at a solution. The recent discussion here is quite helpful.

This is not to say that anyone else couldn't propose a change to the spec if they want to - I'm not claiming dibs on that approach. Just reassuring people that it hasn't been forgotten.