Source distribution format
The current standard source distribution format is identified by the
presence of a pyproject.toml file in the distribution archive. The layout
of such a distribution was originally specified in PEP 517 and is formally
documented here.
There is also the legacy source distribution format, implicitly defined by the behaviour of the distutils module in the standard library when executing setup.py sdist. This document does not attempt to standardise this format, except to note that if a legacy source distribution contains a PKG-INFO file using metadata version 2.2 or later, then it MUST follow the rules applicable to source distributions defined in the metadata specification.
Source distributions are also known as sdists for short.
Source trees
A source tree is a collection of files and directories – like a version
control system checkout – which contains a pyproject.toml file that
can be used to build a source distribution from the contained files and
directories. PEP 517 and PEP 518 specify what is required to meet the
definition of what pyproject.toml must contain for something to be
deemed a source tree.
Source distribution file name
The file name of an sdist was standardised in PEP 625. The file name must be in the form {name}-{version}.tar.gz, where {name} is normalised according to the same rules as for binary distributions (see Binary distribution format), and {version} is the canonicalised form of the project version (see Version specifiers).
The name and version components of the file name MUST match the values stored in the metadata contained in the file.
Code that produces a source distribution file MUST give the file a name that matches
this specification. This includes the build_sdist hook of a
build backend.
Code that processes source distribution files MAY recognise source distribution files by the .tar.gz suffix and the presence of precisely one hyphen in the file name. Code that does this may then use the distribution name and version from the file name without further verification.
Source distribution file format
A .tar.gz source distribution (sdist) contains a single top-level directory
called {name}-{version} (e.g. foo-1.0), containing the source files of
the package. The name and version MUST match the metadata stored in the file.
This directory must also contain a pyproject.toml in the format defined in
the pyproject.toml specification, and a PKG-INFO file containing
metadata in the format described in the Core metadata specifications. The
metadata MUST conform to at least version 2.2 of the metadata specification.
If the metadata version is 2.4 or greater, the source distribution MUST contain
any license files specified by the License-File field in the PKG-INFO
at their respective paths relative to the root directory of the sdist
(containing the pyproject.toml and the PKG-INFO metadata).
No other content of an sdist is required or defined. Build systems can store whatever information they need in the sdist to build the project.
The tarball must use the modern POSIX.1-2001 pax tar format, which specifies UTF-8 based file names. In particular, source distribution files must be readable using the standard library tarfile module with the open flag 'r:gz'.
Source distribution archive features
Because extracting tar files as-is is dangerous, and the results are platform-specific, archive features of source distributions are limited.
Unpacking with the data filter
When extracting a source distribution, tools MUST either use
tarfile.data_filter() (e.g. TarFile.extractall(..., filter='data')), OR
follow the Unpacking without the data filter section below.
As an exception, on Python interpreters without hasattr(tarfile, 'data_filter')
(PEP 706), tools that normally use that filter (directly or indirectly)
MAY warn the user and ignore this specification.
The trade-off between usability (e.g. fully trusting the archive) and
security (e.g. refusing to unpack) is left up to the tool in this case.
Unpacking without the data filter
Tools that do not use the data filter directly (e.g. for backwards
compatibility, allowing additional features, or not using Python) MUST follow
this section.
(At the time of this writing, the data filter also follows this section,
but it may get out of sync in the future.)
The following files are invalid in an sdist archive. Upon encountering such an entry, tools SHOULD notify the user, MUST NOT unpack the entry, and MAY abort with a failure:
Files that would be placed outside the destination directory.
Links (symbolic or hard) pointing outside the destination directory.
Device files (including pipes).
The following are also invalid. Tools MAY treat them as above, but are NOT REQUIRED to do so:
Files with a .. component in the filename or link target.
Links pointing to a file that is not part of the archive.
Tools MAY unpack links (symbolic or hard) as regular files, using content from the archive.
When extracting sdist archives:
Leading slashes in file names MUST be dropped. (This is nowadays standard behaviour for tar unpacking.)
For each mode (Unix permission) bit, tools MUST either:
  use the platform’s default for a new file/directory (respectively),
  set the bit according to the archive, or
  use the bit from rw-r--r-- (0o644) for non-executable files or rwxr-xr-x (0o755) for executable files and directories.
High mode bits (setuid, setgid, sticky) MUST be cleared.
It is RECOMMENDED to preserve the user executable bit.
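One way to express the member checks and mode handling from this section for a tool that does not use the data filter. This is an added example, not code from the specification or from the tarfile module; the function names, the strict flag and the sample entries are constructed for illustration.

```python
import os
import stat
import tarfile

def _inside(dest, path):
    """True if `path` resolves to `dest` or something below it."""
    dest = os.path.realpath(dest)
    return os.path.commonpath([dest, os.path.realpath(path)]) == dest

def rejection_reason(member, dest, strict=False):
    """Why `member` must not be unpacked into `dest`, or None if it may be."""
    parts = member.name.split("/") + member.linkname.split("/")
    if strict and ".." in parts:          # optional check (tools MAY apply it)
        return "'..' component"
    target = os.path.join(dest, member.name.lstrip("/"))  # leading slashes dropped
    if not _inside(dest, target):
        return "outside destination"
    if member.issym():                    # resolved relative to the link's directory
        link = os.path.join(os.path.dirname(target), member.linkname)
    elif member.islnk():                  # resolved relative to the archive root
        link = os.path.join(dest, member.linkname)
    else:
        link = None
    if link is not None and not _inside(dest, link):
        return "link outside destination"
    if member.isdev():                    # character, block and FIFO entries
        return "device file"
    return None

def unpack_mode(member):
    """Third option in the text: 0o755 for directories/executables, else 0o644."""
    executable = member.isdir() or member.mode & stat.S_IXUSR
    return 0o755 if executable else 0o644   # setuid/setgid/sticky never survive

def entry(name, kind=tarfile.REGTYPE, linkname="", mode=0o644):
    """Build a constructed TarInfo for the sample below."""
    info = tarfile.TarInfo(name)
    info.type, info.linkname, info.mode = kind, linkname, mode
    return info

# Constructed sample members, not taken from any real archive.
SAMPLE = [
    entry("foo-1.0/setup.sh", mode=0o4755),
    entry("/foo-1.0/README"),
    entry("foo-1.0/../../escape"),
    entry("foo-1.0/cfg", tarfile.SYMTYPE, "../../outside"),
    entry("foo-1.0/pipe", tarfile.FIFOTYPE),
]
```

A tool would call rejection_reason for every member before writing anything, notify the user about each non-None result, and create the remaining files with unpack_mode rather than the archived mode.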
Further hints
Tool authors are encouraged to consider how hints for further
verification in tarfile documentation apply to their tool.
History
November 2020: The original version of this specification was approved through PEP 643.
July 2021: Defined what a source tree is.
September 2022: The filename of a source distribution was standardized through PEP 625.
August 2023: Source distribution archive features were standardized through PEP 721.
December 2024: License files inclusion into source distribution was standardized through PEP 639.