Skip to content

Implement PEP 708 #12813

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
cofiem wants to merge 9 commits into
base: main
Choose a base branch
from
Draft

Implement PEP 708 #12813

cofiem wants to merge 9 commits into from

Conversation

@cofiem
Copy link

@cofiem cofiem commented Jun 30, 2024
edited
Loading

Implement PEP 708 - "Extending the Repository API to Mitigate Dependency Confusion Attacks".

Allows pip to use Repository "Tracks" Metadata and "Alternate Locations" Metadata.

Releates to #11784

@cofiem
Copy link
Author

cofiem commented Jun 30, 2024

A simple beginning, to check that my understanding is reasonable.

I plan, but do not promise, to continue working on this as I am able.

@notatallshaw
Copy link
Member

notatallshaw commented Aug 16, 2024

FYI, you can't use modern typing in Pip while Pip still supports Python 3.8, e.g. set[str] needs to be from typing import Set; Set[str]

@cofiem
Copy link
Author

cofiem commented Jan 17, 2025

I'm no longer able to work on this PR. Someone else is welcome to take it over, or it can be closed.

@notatallshaw
Copy link
Member

notatallshaw commented Jan 17, 2025

Thanks @cofiem for letting us know, I will relay this back to the discussion community to see if someone else is sufficiently motivated to impelemt this,

@pfmoore
Copy link
Member

pfmoore commented Jan 17, 2025

Thanks @cofiem - I'll be honest, I hadn't realised that PyPI had implemented PEP 708 (thanks for your work doing that as well!) so I assumed this was relatively low priority. That's my mistake, for which I apologise. Hopefully someone else can pick this up and build on the work you've done.

@atalman
Copy link

atalman commented Mar 14, 2025
edited
Loading

Hi @cofiem please don't close this PR I believe I maybe interested in helping to land this PR.

@notatallshaw
Copy link
Member

notatallshaw commented Mar 14, 2025

please don't close this PR I believe I maybe interested in helping to land this PR.

You're welcome to open a new PR with existing and/or new commits.

@notatallshaw notatallshaw added the state: up for grabs (PR) Good idea, but needs a new champion as the PR author is busy or unreachable. label Aug 28, 2025
@sepehr-rs sepehr-rs mentioned this pull request Dec 1, 2025
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bot:chronographer:provided state: up for grabs (PR) Good idea, but needs a new champion as the PR author is busy or unreachable.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cofiem @notatallshaw @pfmoore @atalman