Reject wheel uploads where compressed tag sets are not sorted

[di]

PEP 425 states:

To allow for compact filenames of bdists that work with more than one compatibility tag triple, each tag in a filename can instead be a ‘.’-separated, sorted, set of tags.

However, as we found in #18128, PyPI is currently permitting wheel filenames with unsorted tag sets, e.g. https://pypi.org/project/pyvirtualcam/0.13.0/#pyvirtualcam-0.13.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl should be pyvirtualcam-0.13.0-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.whl

This should probably happen upstream in pypa/packaging when we parse the wheel filename, and we should probably have a deprecation period where we email warnings prior to outright blocking the upload.

[woodruffw]

xref pypa/packaging#909 for the issue on the packaging side.

[di]

For a sense of scale, currently we have very many of these, probably need to figure out some of the more common causes before starting to send notification emails:

WITH FileParts AS (
    SELECT
        filename,
        upload_time,
        REGEXP_REPLACE(filename, '\.whl$', '') AS base_name
    FROM
        release_files
    WHERE
        filename LIKE '%.whl' -- Only process wheel files
        AND upload_time >= date_trunc('month', NOW() - INTERVAL '11 months')
        AND upload_time < date_trunc('month', NOW() + INTERVAL '1 month')
),
SplitBaseName AS (
    SELECT
        fp.filename,
        fp.upload_time,
        fp.base_name,
        STRING_TO_ARRAY(fp.base_name, '-') AS base_name_parts
    FROM
        FileParts fp
),
PlatformTagStrings AS (
    SELECT
        sbn.filename,
        sbn.upload_time,
        sbn.base_name_parts[ARRAY_UPPER(sbn.base_name_parts, 1)] AS platform_tags_combined
    FROM
        SplitBaseName sbn
    WHERE
        ARRAY_UPPER(sbn.base_name_parts, 1) IS NOT NULL
),
PlatformTagArrays AS (
    SELECT
        pts.filename,
        pts.upload_time,
        pts.platform_tags_combined,
        STRING_TO_ARRAY(pts.platform_tags_combined, '.') AS platform_tags_array
    FROM
        PlatformTagStrings pts
),
FilesWithPotentiallyUnsortedPlatformTags AS (
    SELECT
        pta.filename,
        pta.upload_time,
        pta.platform_tags_array,
        (SELECT ARRAY_AGG(tag ORDER BY tag) FROM UNNEST(pta.platform_tags_array) AS tag) AS sorted_platform_tags_array
    FROM
        PlatformTagArrays pta
    WHERE
        -- Only consider filenames with multiple platform tags
        ARRAY_LENGTH(pta.platform_tags_array, 1) > 1
)
SELECT
    TO_CHAR(fwpupt.upload_time, 'YYYY-MM') AS upload_month,
    COUNT(*) AS unsorted_platform_tag_files_count
FROM
    FilesWithPotentiallyUnsortedPlatformTags fwpupt
WHERE
    fwpupt.platform_tags_array <> fwpupt.sorted_platform_tags_array
GROUP BY
    upload_month
ORDER BY
    upload_month ASC;

 upload_month | unsorted_platform_tag_files_count
--------------+-----------------------------------
 2024-06      |                             25078
 2024-07      |                             25066
 2024-08      |                             24548
 2024-09      |                             22158
 2024-10      |                             31714
 2024-11      |                             26144
 2024-12      |                             24024
 2025-01      |                             26237
 2025-02      |                             26904
 2025-03      |                             30169
 2025-04      |                             28371
 2025-05      |                             15040
(12 rows)

And for context, this is about 10% of wheels:

warehouse=> SELECT
    TO_CHAR(upload_time, 'YYYY-MM') AS upload_month,
    COUNT(*) AS wheel_files_count
FROM
    release_files
WHERE
    filename LIKE '%.whl'  -- Filter for files ending in .whl
    AND upload_time >= date_trunc('month', NOW() - INTERVAL '11 months')
    AND upload_time < date_trunc('month', NOW() + INTERVAL '1 month')
GROUP BY
    upload_month
ORDER BY
    upload_month ASC;
 upload_month | wheel_files_count
--------------+-------------------
 2024-06      |            163641
 2024-07      |            164225
 2024-08      |            169460
 2024-09      |            159555
 2024-10      |            200660
 2024-11      |            181016
 2024-12      |            169028
 2025-01      |            190112
 2025-02      |            188433
 2025-03      |            216655
 2025-04      |            218768
 2025-05      |            113765
(12 rows)

And most wheels that have multiple platform tags:

warehouse=>  SELECT
    TO_CHAR(upload_time, 'YYYY-MM') AS upload_month,
    COUNT(*) AS wheel_files_count
FROM
    release_files
WHERE
    filename LIKE '%-%-%-%-%.%.whl'  -- Filter for files ending in .whl
    AND upload_time >= date_trunc('month', NOW() - INTERVAL '11 months')
    AND upload_time < date_trunc('month', NOW() + INTERVAL '1 month')
GROUP BY
    upload_month
ORDER BY
    upload_month ASC;
 upload_month | wheel_files_count
--------------+-------------------
 2024-06      |             25498
 2024-07      |             25571
 2024-08      |             25118
 2024-09      |             22695
 2024-10      |             32464
 2024-11      |             27095
 2024-12      |             24594
 2025-01      |             27138
 2025-02      |             27990
 2025-03      |             31269
 2025-04      |             29681
 2025-05      |             16239
(12 rows)

[di]

Probably blocked on pypa/auditwheel#583 getting fixed/released.

[di]

pypa/auditwheel#584 is merged, this is now waiting on a release of auditwheel.

[di]

Additionally, the specification has been updated to be more clear in pypa/packaging.python.org#1869 (thanks @woodruffw!)

[di]

The auditwheel change was released in https://github.com/pypa/auditwheel/releases/tag/6.4.0 in May but it does not appear to have resulted in much change here:

warehouse=> WITH FileParts AS (
    SELECT
        filename,
        upload_time,
        REGEXP_REPLACE(filename, '\.whl$', '') AS base_name
    FROM
        release_files
    WHERE
        filename LIKE '%.whl' -- Only process wheel files
        AND upload_time >= date_trunc('month', NOW() - INTERVAL '11 months')
        AND upload_time < date_trunc('month', NOW() + INTERVAL '1 month')
),
SplitBaseName AS (
    SELECT
        fp.filename,
        fp.upload_time,
        fp.base_name,
        STRING_TO_ARRAY(fp.base_name, '-') AS base_name_parts
    FROM
        FileParts fp
),
PlatformTagStrings AS (
    SELECT
        sbn.filename,
        sbn.upload_time,
        sbn.base_name_parts[ARRAY_UPPER(sbn.base_name_parts, 1)] AS platform_tags_combined
    FROM
        SplitBaseName sbn
    WHERE
        ARRAY_UPPER(sbn.base_name_parts, 1) IS NOT NULL
),
PlatformTagArrays AS (
    SELECT
        pts.filename,
        pts.upload_time,
        pts.platform_tags_combined,
        STRING_TO_ARRAY(pts.platform_tags_combined, '.') AS platform_tags_array
    FROM
        PlatformTagStrings pts
),
FilesWithPotentiallyUnsortedPlatformTags AS (
    SELECT
        pta.filename,
        pta.upload_time,
        pta.platform_tags_array,
        (SELECT ARRAY_AGG(tag ORDER BY tag) FROM UNNEST(pta.platform_tags_array) AS tag) AS sorted_platform_tags_array
    upload_month ASC;

 upload_month | unsorted_platform_tag_files_count
--------------+-----------------------------------
 2024-11      |                             25140
 2024-12      |                             22783
 2025-01      |                             24940
 2025-02      |                             25597
 2025-03      |                             27831
 2025-04      |                             26058
 2025-05      |                             28473
 2025-06      |                             23402
 2025-07      |                             21658
 2025-08      |                             18074
 2025-09      |                             21841
 2025-10      |                             22454
(12 rows)

[ichard26]

Just to add on, pip and uv would like PyPI to also validate that the tags in the wheel filename match those in the dist-info WHEEL file. We've seen a few instances they don't match, causing bugs when one piece of code relies on the filename while another uses the wheel file. pypa/pip#12884

Plus, some projects are writing the compressed tag set directly into WHEEL when the wheel specification mandates that they shall be included in expanded form: pypa/pip#13709

[potiuk]

Yes - I concur, that allowing uploads of packages that do not follow the specification is somewhat wrong. And it would be great it this path is blocked.

[potiuk]

Just to add as a user - this caused this pretty uncanny issue, where in Apache Airflow, we had to switch to uv pip check instead of pip check temporarily, because the package uploaded had wrong metadata: apache/airflow#59670