`build.check_dependency` ignores URL reqs with names that match an installed distribution

[gschaffner]

When build.check_dependency sees a URL req with a name that matches an installed distribution, it considers the URL req met. For example:

import importlib.metadata

import build


def get_version(distribution_name: str) -> str | None:
    try:
        return importlib.metadata.version(distribution_name)
    except ModuleNotFoundError:
        return None


# Some version of packaging is installed:
packaging_ver = importlib.metadata.version("packaging")
assert packaging_ver is not None and packaging_ver != "24.1"
print(
    f"{tuple(build.check_dependency("packaging @ git+https://github.com/pypa/packaging.git@24.1")) = !r}"
)

# No version of sniffio is installed:
sniffio_ver = get_version("sniffio")
assert sniffio_ver is None
print(
    f"{tuple(build.check_dependency("sniffio @ git+https://github.com/python-trio/sniffio.git@v1.3.1")) = !r}"
)

Output (in a venv with packaging==24.2 and without sniffio):

tuple(build.check_dependency("packaging @ git+https://github.com/pypa/packaging.git@24.1")) = ()
tuple(build.check_dependency("sniffio @ git+https://github.com/python-trio/sniffio.git@v1.3.1")) = (('sniffio@ git+https://github.com/python-trio/sniffio.git@v1.3.1',),)

The packaging URL req is reported as met but it is not. The sniffio URL req is correctly reported as unmet.

With check_dependency's current documentation, this seems like a bug; it should be able to verify that URL reqs are met.

Is it possible via PEP 610?

     try:
         dist = importlib.metadata.distribution(req.name)
     except importlib.metadata.PackageNotFoundError:
         # dependency is not installed in the environment.
         yield (*ancestral_req_strings, normalised_req_string)
     else:
         if req.specifier and not req.specifier.contains(dist.version, prereleases=True):
             # the installed version is incompatible.
             yield (*ancestral_req_strings, normalised_req_string)
+        elif req.url and pseudocode(dist.origin != req.url):
+            yield (*ancestral_req_strings, normalised_req_string)
         elif dist.requires:
             for other_req_string in dist.requires:
                 # yields transitive dependencies that are not satisfied.
                 yield from check_dependency(other_req_string, (*ancestral_req_strings, normalised_req_string), req.extras)

[henryiii]

I think this could be done, it seems like the parts are there. Though I'm not sure you want to be this picky with dependencies - if a @ ... is requested and someone has a installed but not specifically that version, build would fail the check, which for us is on by default. Checking these dependencies is already problematic (say if a user installs something a different way), so this could make it worse. But I think it's fairly reasonable.

[layday]

I don't think it's safe to assume that the source URL is immutable; dist.origin != req.url does not guarantee that the version hosted at req.url is the version that's installed. The only option's to either accept all URL reqs as we do now, or reject them. The latter is probably too disruptive.