question: Private classifiers and their effect on alternate registries #10092

Closed
pawamoy opened this issue Dec 22, 2024 · 3 comments
Labels
question Asking for clarification or support

pawamoy commented Dec 22, 2024

I recently learned that PyPI will reject package uploads if the package metadata has one or more classifiers starting with Private ::. I got interested because some of my projects have private versions that should never end up on PyPI. But I was left wondering if I could really use this classifier, because my users must be able to upload the private packages to their own private registries, if they want to, and I was afraid the classifier would cause rejection in these alternate registries too. This is not addressed in official docs, but in your own docs you do say:

It does not affect security or privacy settings on alternative registries.

That's interesting! I am now curious to know if you actually checked common alternate registries (Google Cloud Platform Artifact Registry, JFrog's Artifactory, pypiserver, devpi, others?) to confirm whether they actually don't care about such classifiers 🙂

I have found #8214, in which I also posted my use-case, though didn't want to derail the conversation for this specific question.

You have great documentation, thank you for it!

ncoghlan commented Dec 23, 2024

Private repository servers do NOT restrict the permitted trove classifiers (if they offer a classifier filtering capability at all, it's an opt-in feature when setting up a specific repository).

That's why the Private :: ... classifier convention emerged: PyPI checks it, nobody else does. The lack of documentation in the other repository server implementations is because not checking is the assumed default - PyPI checking them is the exceptional case (and hence the documented one).

For the docs reference:

Member

zanieb commented Dec 23, 2024

Glad to hear you like the documentation :)

I have not personally checked other registries, but yeah from what I understand they will ignore the classifier. Of course, some registry can do whatever it wants because the specification doesn't cover this topic.

@zanieb zanieb added the question Asking for clarification or support label Dec 23, 2024
Author

pawamoy commented Dec 23, 2024

Thank you @ncoghlan, @zanieb! The point of view of "it's not standard, so alternate registries should not implement that" is reassuring, but at the same time, yeah they can do whatever they want 😅

OK I think we won't get further than this, closing! Thank you again ❤

@pawamoy pawamoy closed this as completed Dec 23, 2024
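
Since the thread concludes that only PyPI is known to enforce the `Private ::` prefix, a local pre-upload check can make the guard explicit instead of relying on each registry's behaviour. The following is an added example, not code from uv or from any participant in this issue; the host list, the `check_upload` and `make_wheel` helpers, the `registry.example.internal` URL and the sample wheel are assumptions constructed for illustration.

```python
import io
import zipfile
from email.parser import HeaderParser
from urllib.parse import urlparse

# Assumption: upload hosts where the "Private ::" rejection from the thread applies.
PYPI_HOSTS = {"upload.pypi.org", "test.pypi.org"}


def wheel_classifiers(wheel_bytes: bytes) -> list[str]:
    """Return the Classifier values from the wheel's *.dist-info/METADATA."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = [n for n in zf.namelist()
                 if n.count("/") == 1 and n.endswith(".dist-info/METADATA")]
        if len(names) != 1:
            raise ValueError(f"expected exactly one METADATA file, found {len(names)}")
        text = zf.read(names[0]).decode("utf-8")
    # Core metadata uses RFC 822 style headers; Classifier may repeat.
    return HeaderParser().parsestr(text).get_all("Classifier") or []


def check_upload(wheel_bytes: bytes, repository_url: str, must_be_private: bool) -> str:
    """Decide locally whether an upload should proceed ("allow" or "block: ...")."""
    private = [c for c in wheel_classifiers(wheel_bytes)
               if c.strip().startswith("Private ::")]
    host = (urlparse(repository_url).hostname or "").lower()
    if must_be_private and not private:
        # The guard is missing, so nothing would stop an accidental PyPI upload.
        return "block: private project is missing a 'Private ::' classifier"
    if private and host in PYPI_HOSTS:
        return "block: PyPI rejects 'Private ::' classifiers"
    return "allow"


def make_wheel(classifiers: list[str]) -> bytes:
    """Build a constructed, minimal wheel-shaped zip for the demonstration."""
    meta = "Metadata-Version: 2.1\nName: demo-pkg\nVersion: 1.0\n"
    meta += "".join(f"Classifier: {c}\n" for c in classifiers)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg-1.0.dist-info/METADATA", meta)
    return buf.getvalue()


if __name__ == "__main__":
    guarded = make_wheel(["Programming Language :: Python :: 3", "Private :: Do Not Upload"])
    print(check_upload(guarded, "https://upload.pypi.org/legacy/", True))
    print(check_upload(guarded, "https://registry.example.internal/simple/", True))
    print(check_upload(make_wheel([]), "https://registry.example.internal/simple/", True))
```

Running the check in CI before the publish step catches the case the classifier cannot: a private build whose metadata lost the guard before it reached any registry.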