Skip to content

PEP 792: Project status markers in the simple index #4432

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

PEP 792: Project status markers in the simple index #4432

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
ddf1f9f
PEP: Project status markers in the simple index
woodruffw May 21, 2025
e238ba3
Update peps/pep-9999.rst
woodruffw May 21, 2025
ff972d7
CODEOWNERS: dstufft owns PEP 792
woodruffw May 21, 2025
3b28def
PEP: renumber
woodruffw May 21, 2025
bae063d
Apply suggestions from code review
woodruffw May 22, 2025
b803be9
PEP 792: address more feedback
woodruffw May 22, 2025
a253d94
Apply suggestions from code review
woodruffw May 22, 2025
3965134
qualify "project" with "index-supplied"
woodruffw May 22, 2025
11ddd9f
clarify who can un-quarantine a project
woodruffw May 22, 2025
6f27d07
explain what "general" means
woodruffw May 22, 2025
1b40e31
add language about unsetting of statuses
woodruffw May 22, 2025
40a4245
future: notes on future version changes
woodruffw May 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/CODEOWNERS
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -670,6 +670,7 @@ peps/pep-0788.rst @ZeroIntensity @vstinner
peps/pep-0789.rst @njsmith
peps/pep-0790.rst @hugovk
peps/pep-0791.rst @vstinner
peps/pep-0792.rst @dstufft
# ...
peps/pep-0801.rst @warsaw
# ...
Expand Down
371 changes: 371 additions & 0 deletions peps/pep-0792.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,371 @@
PEP: 792
Title: Project status markers in the simple index
Author: William Woodruff <[email protected]>,
Facundo Tuesca <[email protected]>
Sponsor: Donald Stufft <[email protected]>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dstufft Please can you confirm you are sponsoring this PEP?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed.

PEP-Delegate: Donald Stufft <[email protected]>
Discussions-To: https://discuss.python.org/t/79356
Status: Draft
Type: Standards Track
Topic: Packaging
Created: 08-Apr-2025
Post-History: `03-Feb-2025 <https://discuss.python.org/t/79356/>`__

Abstract
========

This PEP proposes a standardized set of project status markers, as well
as a mechanism for communicating those markers in the HTML and JSON
simple indices.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we disambiguate in the abstract to "distribution project" or the correct term in the context of package indices? I would tend to read "project status" here as relating to the source project, i.e. pyproject.toml.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could be my misunderstanding, but I thought "project" was the disambiguating term: the PyPUG glossary defines both "distribution package" and "project," but the former appears to refer to a single instance (i.e. file) while the latter refers to the thing that gets packaged into distribution(s) and appears on PyPI.

Refs:

(Apologies if I'm getting this wrong, though.)

Copy link
Member

@AA-Turner AA-Turner May 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My view is that a "project" is nominally tied to a source tree / pyproject.toml (etc), and so when discussing some form of project status indicator, my expectation would be for it to relate to the project as a collection of sources. Note from the glossary "that is intended to be packaged into a Distribution".

The ideal here would be a term that captures 'project as a collection of distribution packages, as represented on a package index'. I recall some discussion with @pfmoore on the distinction between various types of 'projects' (in the context of PyPI pages & displayed licences), I'm not sure if any clarity was found there.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gotcha, I see what you mean! Perhaps "index project" or "inside-side project" then, to clarify that this is a state within the index itself, rather than the project's distributions/source tree/etc.?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've gone with "index-supplied" as a stopgap, but happy to change further.


Rationale and Motivation
========================

The "status" of a project is an important piece of metadata, made more important
by growth in both the breadth and depth of the Python packaging ecosystem.
Both humans and tools use project statuses (or proxies for status,
such as recent activity) to determine whether the project is maintained or
otherwise suitable for consumption.

Python packaging has at least three different mechanisms for communicating
the "status" of a project:

1. Distributions can include *trove classifiers* in their metadata, as
originally specified in :pep:`301`. The list of supported classifiers is
`maintained by the PyPA <https://github.com/pypa/trove-classifiers>`_,
and includes the ``Development Status`` hierarchy. For example, a
distribution can include the ``Development Status :: 7 - Inactive``
classifier to indicate that the distribution's project is inactive.

Trove classifiers are flexible, but also come with significant limitations:
they're machine-readable and are rendered on indices like PyPI, but
they also require the maintainer to push one or more *new* distributions
each time they wish to update their project's development status.
Furthermore, because distributions are *de facto* immutable in the Python
packaging ecosystem, older distributions can't have their classifiers
updated to reflect the current status of the project.

2. Indices can mark distributions and releases as "yanked", as originally
specified in :pep:`592`. Yanked distributions are not considered
eligible for dependency resolution.

When a distribution has been yanked, it is marked with ``data-yanked``
in the HTML index and with ``yanked: bool | str`` in the JSON index.
Additionally, indices like PyPI will hide yanked distributions by default
and will render them with a notice when the user navigates directly to them.

Yanking is machine-readable like trove classifiers, but is single-purpose
rather than general-purpose: users can specify a free-form "yank reason,"
but the semantics of yanking are fixed.

3. PyPI itself has *project statuses*, which apply to the entire project
(i.e., all releases and distributions). Project statuses have both
maintainer- and index-admin-controllable states:

* PyPI administrators can "quarantine" a project. Quarantine behaves like
a strengthened yank: the project remains entirely uninstallable while
quarantined.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this by default, or does requesting an exact version stil work?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, could you clarify? I believe quarantine affects an entire project at once and always has; admins can't quarantine a single version at a time.

(Maybe this question was about yanking but placed in the wrong spot?)

Copy link
Member

@AA-Turner AA-Turner May 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"the project remains entirely uninstallable while quarantined."

When a project is yanked, I can override it by requesting a specific version. Describing quarantine in terms of yanking raised the question of if that is possible. I have interacted with yanked packages before but never quarantined (to my knowledge), so I have no idea how it works (or even when it was added, I may have missed the PEP).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it, thanks for clarifying.

As implemented on PyPI, quarantine is not overridable -- it effectively persists the "shell" of a project's index response while removing the distribution file listing, meaning that installers don't see any installable distributions at all.

(or even when it was added, I may have missed the PEP).

It's a PyPI admin feature at the moment, so there was no PEP (it's effectively a structured version of the kinds of policy-based removal PyPI already did, so the machinery of it was done on PyPI and the standardizable metadata bits around surfacing it are what I'm attempting to do now 🙂).


* Project maintainers can "archive" a project. Archiving a project
disables new release and distribution uploads to that project,
but otherwise has no effect on the project's downloadability.

Project statuses are machine-readable *in principle*, but are not currently
exposed via any of PyPI's APIs. Instead, PyPI renders project statuses on
each project's user-facing (i.e. non-index) HTML.

In summary: there are multiple ways to communicate the "status" of a project in
Python packaging, but none of these mechanisms are *simultaneously* (1)
machine-readable, (2) general, (3) index-agnostic, and (4) updatable across
the entire project (instead of per-release or per-distribution).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A suggested rephrasing. A numbered list should be formatted as a list rather than inline prose.

I don't think I follow what the 'general' criterion is meant to cover?

Suggested change
In summary: there are multiple ways to communicate the "status" of a project in
Python packaging, but none of these mechanisms are *simultaneously* (1)
machine-readable, (2) general, (3) index-agnostic, and (4) updatable across
the entire project (instead of per-release or per-distribution).
In summary, there are multiple ways to communicate the "status" of a project in
Python packaging. However, none of them satisfy the four characteristics we desire.
There is no current project status indicator that is machine-readable, general,
index-agnostic, and applies to the entire project, instead of per-release or
per-distribution.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

"General" refers to the idea that project status markers, as proposed, are conceptually extensible. So they're like classifiers in that regard (since new classifiers can always be added) and unlike yanking in that regard (since yanking has a fixed meaning).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(I recognize that's a murky word though, I'm very open to a better phrasing if my explanation makes sense! Maybe "future-proofed" or "extensible"?)

Copy link
Member

@AA-Turner AA-Turner May 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I appreciate all are currently defined in the positive, but perhaps "single purpose" as a no = good? "Fixed meaning" from your note above could also work.


.. csv-table::
:header: "Mechanism", "Machine-readable?", "General?", "Index-agnostic?", "Project updatable?"

"Trove classifiers", "✅", "✅", "✅", "❌"
"Yanking", "✅", "❌", "✅", "✅"
"Project statuses", "✅", "✅", "❌", "✅"

This PEP proposes adopting PyPI's project statuses as an index-agnostic
mechanism, satisfying all four conditions.

Specification
=============

This PEP specifies two aspects: a set of project status markers,
as well as their presentation in the standard HTML and JSON indices.

Project status markers
----------------------

This PEP proposes the following project status markers.

A project **MUST** have exactly one project status marker at any given time.

Indices **MAY** implement any subset of the status markers specified in this
PEP, as applicable.

``active``
~~~~~~~~~~

Description: The project is active. This is the default status for a project.

Index semantics: none.

Installer semantics: none.

``archived``
~~~~~~~~~~~~

Description: The project does not expect to be updated in the future.

Index semantics:

* The index hosting the project **MUST NOT** allow uploads of new distributions to
the project.
* The index **MUST** offer existing distributions of the project for download.

Installer semantics:

* Installers **MAY** produce warnings about a project's archival.

``quarantined``
~~~~~~~~~~~~~~~

Description: The project is considered generally unsafe for use, e.g. due to
malware.

Index semantics:

* The index hosting the project **MUST NOT** allow uploads of new distributions to
the project.
* The index **MUST NOT** offer any distributions of the project for download.

Installer semantics:

* Installers **MAY** produce warnings about a project's quarantine, although
doing so is effectively moot (as the index will not offer any distributions
for installation).

``deprecated``
~~~~~~~~~~~~~~

Description: The project is considered obsolete, and may have been superseded
by another project.

Index semantics:

* The index hosting the project **MUST** allow uploads of new distributions to
the project.
* The index **MUST** offer existing distributions of the project for download.

Installer semantics:

* Installers **MAY** produce warnings about a project's deprecation.

Status markers in the index APIs
--------------------------------

This PEP defines version 1.4 of the index APIs.

HTML index
~~~~~~~~~~

The following changes are made to the
:ref:`simple repository API <packaging:simple-repository-api-base>`:

* The index **SHALL** define the ``pypi:repository-version`` as ``1.4``.
* The index **SHOULD** add an appropriate ``pypi:project-status`` meta tag, with
a ``content`` of the project's status marker. The index **MAY** choose to omit
the ``pypi:project-status`` meta tag if the project is marked as ``active``.

For example, the following would be a valid HTML index response for
``sampleproject`` after is has been marked as ``quarantined``:

.. code-block:: html
:emphasize-lines: 5

<!DOCTYPE html>
<html>
<head>
<meta name="pypi:repository-version" content="1.4">
<meta name="pypi:project-status" content="quarantined">
<title>Links for sampleproject</title>
</head>
<body>
<h1>Links for sampleproject</h1>
</body>
</html>

Observe that, per the ``quarantined`` semantics above, the index response
contains no distribution links for the project.

JSON index
~~~~~~~~~~

The following changes are made to the
:ref:`JSON simple index <packaging:simple-repository-api-json>`:

* The index **SHALL** define the ``meta.api-version`` as ``1.4``.
* The index **SHOULD** include a ``project-status`` key in the JSON response,
with a value of the project's status marker. The index **MAY** choose to omit
the ``project-status`` key if the project is marked as ``active``.

For example, the following would be a valid JSON index response for
``sampleproject`` after is has been marked as ``quarantined``:

.. code-block:: json
:emphasize-lines: 5

{
"meta": {
"api-version": "1.4"
},
"project-status": "quarantined",
"alternate-locations": [],
"files": [],
"name": "sampleproject",
"versions": [
"1.2.0",
"1.3.0",
"1.3.1",
"2.0.0",
"3.0.0",
"4.0.0"
]
}

Observe that, like with the HTML index, the JSON response contains no
distribution links for the ``quarantined`` project.

Future Considerations
=====================

This PEP defines only four project status markers: ``active``, ``archived``,
``quarantined``, and ``deprecated``.

Future PEPs (or PyPA standards processes) may define additional project
status markers, as needed.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Am I right in understanding that further status markers would require a change to the metadata version?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think so, yeah (I don't feel confident asserting that as a manner of policy, but that seems to be the norm, and would make intuitive sense here). Do you think that makes sense to say explicitly?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps, as it means that the light-touch process can't be used. Thinking again, given this demands behaviour from both indices and installers, it would require a PEP to add a new 'status marker'.

On that note, it might be worth adding a line on the behaviour for encountering an unknown marker. It should never happen given metadata versions, I believe, but an explict 'fail' or 'ignore' might be helpful.

A


As specified in this PEP, project status markers are "bare," i.e. they
convey no additional user-controlled metadata (such as an explanation
for a project's archival).

A future PEP may choose to extend the project
status mechanism to include user-controlled metadata, in a manner similar
to the free-form text allowed during release yanking.

Security Implications
=====================

This PEP does not identify any positive or negative security implications
associated with adding project status markers.

How to Teach This
=================

Educating the Python community about this PEP has two aspects:

* Ordinary package maintainers will need to be informed of their ability to
set project status markers, e.g. to inform their downstreams that
a project has been archived or deprecated.

If this PEP is accepted, the authors of this PEP will coordinate with
PyPI on appropriate maintainer-oriented documentation and communication,
including feature announcement blog posts and updates to
`PyPI's user documentation <https://docs.pypi.org>`_.

* Installer and index maintainers will need to be informed of the new project
status markers, and how to interpret them.

If this PEP is accepted, the authors of this PEP will perform its
implementation on PyPI, serving as a reference implementation for other
indices.

This PEP does not *mandate* any changes in installer behavior. However,
if this PEP is accepted, the authors of this PEP will coordinate with
the maintainers of popular installers (e.g. ``pip``) to help each determine
the extent to which they wish to surface project statuses.

Rejected Ideas
==============

Using "reserved" keys
---------------------

One alternative to this PEP is to avoid standardizing project status
markers directly, but instead leverage existing mechanisms within the standards
to communicate them in a non-standard fashion.

For example, the `JSON simple index <packaging:simple-repository-api-json>`_
says the following:

Keys (at any level) with a leading underscore are reserved as private for
index server use. No future standard will assign a meaning to any such key.

In effect, this means that the following would be standards-compliant:

.. code-block:: json
:emphasize-lines: 5

{
"meta": {
"api-version": "1.4"
},
"_project-status": "quarantined",
"alternate-locations": [],
"files": [],
"name": "sampleproject",
"versions": [
"1.2.0",
"1.3.0",
"1.3.1",
"2.0.0",
"3.0.0",
"4.0.0"
]
}

However, this approach has several drawbacks:

* Standards-aligned tools (such as ``pip``, ``pip-audit``, and ``uv``)
may find it unacceptable to use a "reserved" key, since that key will
have no standard semantics or compatibility properties.
* The "reserved" approach is only suitable for the JSON simple index;
no equivalent mechanism exists for the HTML simple index.
This would disadvantage consumers of the HTML simple index, as well as
mirror implementations that may consume the JSON index but only expose
an HTML index.

Project markers in PyPI's non-standard JSON API
-----------------------------------------------

Another standardization-avoidance alternative is to expose project status
markers, but only in PyPI's
`non-standard JSON API <https://docs.pypi.org/api/json/>`_. PyPI has full
control over the layout of this API, and could include a ``project-status``
or similar key without needing a PEP or underscore prefix.

This has similar drawbacks as the "reserved" keys approach above,
and more generally deepens the differences between the standard
and non-standard APIs.

Multiple project status markers at once
---------------------------------------

An earlier version of this PEP considered proposing support for
multiple project markers at once. For example, a project could be marked
as both ``archived`` and ``quarantined``.

After consideration, this was rejected for complexity reasons: having multiple
project status markers requires the PEP to specify a conflict resolution
mechanism when merging their semantics, as well as as state machine for which
markers are exclusive (for example, ``active`` is conceptually exclusive with
all other markers, while ``archived`` and ``quarantined`` are conceptually
compatible with each other).

Copyright
=========

This document is placed in the public domain or under the CC0-1.0-Universal
license, whichever is more permissive.