PEP 440: Total Character Length Limit for Version Scheme #2876

Closed
RobertRosca opened this issue Nov 8, 2022 · 3 comments

@RobertRosca

As described in pypi/warehouse#12483, there is no limit on the total character length of the version specifier. This can lead to potential issues, either due to deliberate abuse or by accident, if the version is extremely long and hits file name or file path length limits on the filesystem.

So far this only seems to have been encountered within projects which are mirroring PyPA (pypa/bandersnatch#1200, pypa/bandersnatch#1228, tuna/issues#1538), likely because no major projects have versions long enough to cause an issue.

Out of curiosity I dug into this a bit with Google BigQuery; for all packages in the-psf.pypi.distribution_metadata the summary is:

count    7.902727e+06
mean     6.598360e+00
std      3.552846e+00
min      1.000000e+00
25%      5.000000e+00
50%      5.000000e+00
75%      7.000000e+00
99%      2.200000e+01
max      2.350000e+02

Out of 7,902,727 published package versions there are:

  • 337,624 over 16 characters
  • 697 over 32 characters
  • 407 over 64 characters

It's kind of surprising to me that hundreds of releases have such long versions 😕 Either way, overall 99.991% of versions have less than or equal to 32 characters.

There's actually a discussion about this on semver (semver/semver#304), but I don't think any limit was set in the specification, although practically there is a limit, as major/minor/patch get parsed as integers and JS's max safe integer is 9007199254740991, which in total means the max string length is 50 characters for Node.js.

PEP 440 says that "the versioning specification may be updated with clarifications without requiring a new PEP or a change to the metadata version", IMO adding a 'sensible' (whatever that may be) limit to the total character length of the version specification would fit into this.
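
An added illustration of the failure mode described in the post above (not code from the issue, PyPI, or bandersnatch): a check that a mirror or index could run before writing a release to disk. The 255-byte filename limit, the 64-character version cap, the function names, and the sample project are assumptions made for this example.

```python
import re

# Assumptions (not from the issue): 255 bytes per path component, which is
# NAME_MAX on common Linux filesystems, and a hypothetical 64-character cap.
NAME_MAX_BYTES = 255
VERSION_CAP = 64


def artifact_names(project, version):
    """Build the sdist filename and a pure-Python wheel filename."""
    # Wheel and sdist filenames collapse runs of "-", "_" and "." to "_".
    dist = re.sub(r"[-_.]+", "_", project).lower()
    return {
        "sdist": f"{dist}-{version}.tar.gz",
        "wheel": f"{dist}-{version}-py3-none-any.whl",
    }


def check_release(project, version, version_cap=VERSION_CAP,
                  name_max=NAME_MAX_BYTES):
    """Return a list of problems; an empty list means safe to store."""
    problems = []
    if len(version) > version_cap:
        problems.append(f"version is {len(version)} chars (cap {version_cap})")
    for kind, name in artifact_names(project, version).items():
        size = len(name.encode("utf-8"))  # filesystems count bytes, not chars
        if size > name_max:
            problems.append(f"{kind} filename is {size} bytes (limit {name_max})")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 235-character version, the maximum length
    # reported in the statistics above, for a hypothetical project.
    long_version = "1.0" + ".0" * 116
    for version in ("1.0.0", long_version):
        print(len(version), check_release("example-pkg", version))
```

With the 235-character version the sdist name still fits (254 bytes), while the wheel name does not (264 bytes), so a check on the version string alone does not tell a mirror which artifacts will fail to write.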

@JelleZijlstra
Member

Adding a limit seems sensible but the PEPs repo isn't the right place to have this discussion. I'd recommend opening a discussion at https://discuss.python.org/c/packaging/14, and when consensus develops we can update the PEP and/or the packaging spec (not sure whether there's a corresponding spec for this PEP).

@RobertRosca
Author

RobertRosca commented Nov 8, 2022

Aha I wasn't too sure, thanks for the help!

I've created a thread here: https://discuss.python.org/t/pep-440-total-character-length-limit-for-version-scheme/20880

@CAM-Gerlach
Member

(not sure whether there's a corresponding spec for this PEP).

Not yet, but it could be another PEP and could be referenced there.

Thanks!

CAM-Gerlach closed this as not planned on Nov 8, 2022