Skip to content

Comments

add support for PEP 639 License Clarity#870

Merged
radoering merged 1 commit intopython-poetry:mainfrom
radoering:pep639
Aug 17, 2025
Merged

add support for PEP 639 License Clarity#870
radoering merged 1 commit intopython-poetry:mainfrom
radoering:pep639

Conversation

@radoering
Copy link
Member

@radoering radoering commented May 18, 2025
edited
Loading

Related to: python-poetry/poetry#9670
Downstream tests will be fixed in python-poetry/poetry#10413 after merging this one.

  • Added tests for changed code.
  • Updated documentation for changed code.

Summary by Sourcery

Implement PEP 639 license clarity support by adding parsing and validation for project.license-files and SPDX license expressions, bump core metadata version to 2.4, include license data in distributions, and deprecate legacy license tables and classifiers.

New Features:

  • Support the [project].license-files key with glob patterns for specifying license files.
  • Support SPDX license expressions via [project].license as a top-level string instead of the legacy table format.

Bug Fixes:

  • Raise errors when mixing legacy [project].license table definitions with license-files or invalid glob patterns.
  • Provide clear exceptions for missing or unreadable license files during package creation and metadata export.

Enhancements:

  • Bump core metadata version to 2.4 and emit License-Expression and License-File fields in built distributions.
  • Emit deprecation warnings for legacy [project].license table subkeys and deprecated license classifiers during strict validation.
  • Place license files under dist-info/licenses in built wheels and include them in source distributions.

Tests:

  • Add extensive tests for license parsing scenarios, invalid glob patterns, validation warnings, metadata generation, and builder inclusion of license files.

@sourcery-ai
Copy link

sourcery-ai bot commented May 18, 2025
edited
Loading

Reviewer's Guide

This PR implements full support for PEP 639 “License Clarity” by extending the core factory to parse new [project].license-files globs and SPDX license expressions, enhancing strict validation, bumping core metadata to 2.4, updating masonry builders to emit License-Expression and License-File fields and embed license files under dist-info/licenses, and updating/adding tests to cover all new scenarios.

Sequence Diagram: PEP 639 License Processing

sequenceDiagram
    actor Developer
    participant P as PyProjectTOML
    participant F as Factory
    participant PP as ProjectPackage
    participant M as Metadata
    participant B as Builder

    Developer->>P: Defines [project].license (SPDX)\nand [project].license-files
    F->>P: Reads pyproject.toml data
    F->>PP: _configure_package_metadata(package, project_data)
    activate F
        F->>F: canonicalize_license_expression(project_data["license"])
        PP->>PP: set package.license_expression
        F->>F: Validate license-files globs
        PP->>PP: set package.license_files (globs)
    deactivate F

    F->>F: validate(toml_data)
    activate F
        F->>F: _validate_project(project_data, result) // Validates SPDX, warns on legacy
    deactivate F

    M->>PP: from_package(package)
    activate M
        M->>M: set meta.metadata_version = "2.4"
        M->>M: set meta.license_expression (from package.license_expression)
        M->>PP: Processes package.license_files (globs from package.root_dir)
        activate PP
            PP->>PP: package.root_dir.glob(pattern)
        deactivate PP
        opt Globs match no files
            M->>M: Raise RuntimeError
        end
        M->>M: set meta.license_files (resolved relative paths)
    deactivate M

    B->>M: get_metadata_content()
    activate B
        B->>B: Writes Metadata-Version: 2.4
        opt meta.license_expression is set
            B->>B: Writes License-Expression: ...
        end
        loop for each license_file in meta.license_files
            B->>B: Writes License-File: ...
        end
    deactivate B

    B->>M: _get_legal_files()
    activate B
        B->>B: Returns files based on meta.license_files
    deactivate B

    B->>B: Includes license files (e.g., in dist-info/licenses/)
Loading

Class Diagram: PEP 639 License Handling Changes

classDiagram
    direction LR
    class Factory {
        +String _configure_package_metadata(ProjectPackage package, dict project, dict tool_poetry, Path root)
        +None _validate_project(dict project, dict result)
    }
    class ProjectPackage {
        +license_expression: NormalizedLicenseExpression
        +license_files: LicenseFileConfig
        +List~String~ all_classifiers()
    }
    class Metadata {
        +String metadata_version = "2.4"
        +String license_expression
        +Tuple~String~ license_files
        +Metadata from_package(ProjectPackage package)
    }
    class Builder {
        #Metadata _meta
        +String get_metadata_content()
        #Set~Path~ _get_legal_files()
    }
    class WheelBuilder {
        +Path prepare_metadata(Path metadata_directory)
    }

    Factory ..> ProjectPackage : configures
    Metadata ..> ProjectPackage : generated from
    Builder ..> Metadata : uses
    WheelBuilder --|> Builder
Loading

File-Level Changes

Change Details Files
Enhance factory parsing of license and license-files
  • Support new [project].license-files key: validate glob syntax and store as tuple
  • Parse string license as SPDX expression with canonicalization, fallback and warnings for invalid formats
  • Handle deprecated table-form [project].license subkeys: error when mixing with license-files, read license.text and license.file
  • Populate package.license_expression and package.license_files accordingly
 src/poetry/core/factory.py
Add strict validation rules for project license and classifiers
  • Introduce _validate_project to warn on deprecated license tables and invalid SPDX expressions
  • Warn on deprecated License :: classifiers in project.classifiers
 src/poetry/core/factory.py
Bump metadata version and compute license data
  • Update Metadata.metadata_version to 2.4
  • Add license_expression and license_files fields
  • Populate Metadata.from_package: prefer license_expression, assemble license_files via user globs or default patterns, error on unmatched globs
 src/poetry/core/masonry/metadata.py
Update builders to emit license fields and include files
  • Parameterize METADATA_BASE version and append License-Expression and multiple License-File entries
  • Modify wheel builder to copy license files into dist-info/licenses
  • Replace legacy legal file scan with explicit meta.license_files usage
 src/poetry/core/masonry/builders/builder.py
src/poetry/core/masonry/builders/wheel.py
Revise tests and fixtures for PEP 639 support
  • Extend factory tests for license expression, license-files handling, invalid globs
  • Add validation tests for license tables and classifiers
  • Cover Metadata.from_package license scenarios and file patterns
  • Adjust builder and wheel tests to expect new metadata entries and license file paths
  • Update fixtures to use new [project].license and license-files syntax
 tests/test_factory.py
tests/masonry/test_metadata.py
tests/masonry/builders/*
tests/masonry/test_api.py
tests/packages/test_package.py
tests/fixtures
Bump packaging requirement for PEP 639 support
  • Upgrade packaging dependency to >=24.2 for license expression support
 vendors/pyproject.toml
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@radoering radoering mentioned this pull request May 18, 2025
Closed
@reneleonhardt
Copy link

reneleonhardt commented May 18, 2025

Wow, all this code only for parsing new license fields?

@radoering
Copy link
Member Author

radoering commented May 19, 2025

Wow, all this code only for parsing new license fields?

And we do not even do the SPDX parsing by ourselves but use packaging for that. However, there are many MUSTs and SHOULDs in the standard. This requires a lot of error handling. Apart from that I added (quite long) comments with extracts from the standard in order to understand possibly unintuitive parts of the implementation. And of course, more than half of the new code are tests.

@reneleonhardt
Copy link

reneleonhardt commented May 19, 2025

I noticed, thanks for all the work!

@radoering radoering marked this pull request as ready for review May 31, 2025 04:47
sourcery-ai[bot]
sourcery-ai bot reviewed May 31, 2025
View reviewed changes
Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @radoering - I've reviewed your changes - here's some feedback:

  • The new license parsing logic in Factory._configure_package_metadata is deeply nested—consider breaking it into smaller helper methods to improve readability and maintainability.
  • Metadata.from_package and Builder._get_legal_files share very similar license‐file discovery code—extract that into a common utility to avoid duplication.
  • The parameterized license tests are quite verbose and repetitive—introduce helper fixtures or functions to encapsulate common setup and assertions.
Here's what I looked at during the review
  • 🟡 General issues: 2 issues found
  • 🟢 Security: all looks good
  • 🟡 Testing: 1 issue found
  • 🟢 Documentation: all looks good
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@radoering radoering mentioned this pull request May 31, 2025
Merged
2 tasks
@radoering radoering requested a review from a team June 5, 2025 03:53
@henryiii henryiii mentioned this pull request Jul 18, 2025
Merged
@radoering radoering merged commit e0bd006 into python-poetry:main Aug 17, 2025
17 of 18 checks passed
This was referenced Sep 13, 2025
Merged
Merged
mwalbeck pushed a commit to mwalbeck/docker-python-poetry that referenced this pull request Sep 26, 2025
@mwalbeck
Update dependency poetry to v2.2.1 (#1588)
4035454 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [poetry](https://github.com/python-poetry/poetry) ([changelog](https://python-poetry.org/history/)) | minor | `2.1.4` -> `2.2.1` |

---

### Release Notes

<details>
<summary>python-poetry/poetry (poetry)</summary>

### [`v2.2.1`](https://github.com/python-poetry/poetry/blob/HEAD/CHANGELOG.md#221---2025-09-21)

[Compare Source](python-poetry/poetry@2.2.0...2.2.1)

##### Fixed

- Fix an issue where `poetry self show` failed with a message about an invalid output format ([#&#8203;10560](python-poetry/poetry#10560)).

##### Docs

- Remove outdated statements about dependency groups ([#&#8203;10561](python-poetry/poetry#10561)).

##### poetry-core ([`2.2.1`](https://github.com/python-poetry/poetry-core/releases/tag/2.2.1))

- Fix an issue where it was not possible to declare a PEP 735 dependency group as optional ([#&#8203;888](python-poetry/poetry-core#888)).

### [`v2.2.0`](https://github.com/python-poetry/poetry/blob/HEAD/CHANGELOG.md#220---2025-09-14)

[Compare Source](python-poetry/poetry@2.1.4...2.2.0)

##### Added

- **Add support for nesting dependency groups** ([#&#8203;10166](python-poetry/poetry#10166)).
- **Add support for PEP 735 dependency groups** ([#&#8203;10130](python-poetry/poetry#10130)).
- **Add support for PEP 639 license clarity** ([#&#8203;10413](python-poetry/poetry#10413)).
- Add a `--format` option to `poetry show` to alternatively output json format ([#&#8203;10487](python-poetry/poetry#10487)).
- Add official support for Python 3.14 ([#&#8203;10514](python-poetry/poetry#10514)).

##### Changed

- **Normalize dependency group names** ([#&#8203;10387](python-poetry/poetry#10387)).
- Change `installer.no-binary` and `installer.only-binary` so that explicit package names will take precedence over `:all:` ([#&#8203;10278](python-poetry/poetry#10278)).
- Improve log output during `poetry install` when a wheel is built from source ([#&#8203;10404](python-poetry/poetry#10404)).
- Improve error message in case a file lock could not be acquired while cloning a git repository ([#&#8203;10535](python-poetry/poetry#10535)).
- Require `dulwich>=0.24.0` ([#&#8203;10492](python-poetry/poetry#10492)).
- Allow `virtualenv>=20.33` again ([#&#8203;10506](python-poetry/poetry#10506)).
- Allow `findpython>=0.7` ([#&#8203;10510](python-poetry/poetry#10510)).
- Allow `importlib-metadata>=8.7` ([#&#8203;10511](python-poetry/poetry#10511)).

##### Fixed

- Fix an issue where `poetry new` did not create the project structure in an existing empty directory ([#&#8203;10431](python-poetry/poetry#10431)).
- Fix an issue where a dependency that was required for a specific Python version was not installed into an environment of a pre-release Python version ([#&#8203;10516](python-poetry/poetry#10516)).

##### poetry-core ([`2.2.0`](https://github.com/python-poetry/poetry-core/releases/tag/2.2.0))

- Deprecate table values and values that are not valid SPDX expressions for `[project.license]` ([#&#8203;870](python-poetry/poetry-core#870)).
- Fix an issue where explicitly included files that are in `.gitignore` were not included in the distribution ([#&#8203;874](python-poetry/poetry-core#874)).
- Fix an issue where marker operations could result in invalid markers ([#&#8203;875](python-poetry/poetry-core#875)).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS42MC40IiwidXBkYXRlZEluVmVyIjoiNDEuNjAuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Reviewed-on: https://git.walbeck.it/walbeck-it/docker-python-poetry/pulls/1588
Co-authored-by: renovate-bot <[email protected]>
Co-committed-by: renovate-bot <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@radoering @reneleonhardt