
Reliably analysing package dependencies requires downloading artifacts #102

ncoghlan (Member) opened this issue Aug 24, 2017 · 2 comments

Currently, there are two mostly reliable ways of getting dependency information for a Python package:

  • if the project publishes a suitable wheel archive, download that, and look at the METADATA file
  • if the project only publishes an sdist, download that, and run "setup.py egg_info" (with setuptools injected in order to make that command available for plain distutils projects)

I've filed an RFE with pip to suggest adding a new client command to consolidate that existing logic in a more readily accessible way: pypa/pip#4691

However, longer term (after the legacy PyPI service has been shut down and Warehouse is the sole reference implementation), it's considered desirable to have this kind of information accessible via a simple HTTPS request, rather than requiring downloading and introspection of artifacts.

This issue is intended for discussion of the elements that would need to go into that:

  • metadata extraction from previously uploaded artifacts
  • whether to offer a JSON-LD based interface in addition to PEP 345's Key:Value based format
  • anything else that comes to mind

To set expectations appropriately: keep in mind that nothing will change server side until after the legacy PyPI service has been successfully shut down and all production operations have migrated to pypi.org.
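The first of the two approaches above, reading the METADATA file out of a wheel, is the one that can be done without executing any project code (the sdist route runs `setup.py egg_info`). The following is an added example, not code from this issue or from pip/Warehouse: it builds a constructed in-memory wheel holding only a `.dist-info/METADATA` file, parses the PEP 345 Key: Value headers with the standard library, and splits each `Requires-Dist` entry into the requirement and its environment marker.

```python
import io
import zipfile
from email.parser import Parser

# Constructed sample METADATA (not from a real package): Key: Value headers,
# a blank line, then the long description. Two Requires-Dist entries carry
# environment markers after the ';' separator.
SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: example-pkg
Version: 1.0.0
Requires-Dist: requests (>=2.0)
Requires-Dist: pywin32 ; sys_platform == "win32"
Requires-Dist: pytest ; extra == "test"
Provides-Extra: test

Long description follows the header block.
"""


def build_sample_wheel() -> bytes:
    """Return the bytes of a constructed wheel that contains only METADATA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example_pkg-1.0.0.dist-info/METADATA", SAMPLE_METADATA)
    return buf.getvalue()


def read_metadata(wheel_bytes: bytes):
    """Locate the top-level *.dist-info/METADATA member and parse its headers.

    Nothing from the archive is executed; the file is only read and parsed.
    """
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = [n for n in zf.namelist()
                 if n.endswith(".dist-info/METADATA") and n.count("/") == 1]
        if len(names) != 1:
            raise ValueError(f"expected exactly one METADATA file, found {names}")
        text = zf.read(names[0]).decode("utf-8")
    # METADATA uses the RFC 822 style that email.parser already understands.
    return Parser().parsestr(text)


def requirements(wheel_bytes: bytes):
    """Return [(requirement, marker), ...]; marker is None when absent."""
    msg = read_metadata(wheel_bytes)
    out = []
    for line in msg.get_all("Requires-Dist", []):
        req, sep, marker = line.partition(";")
        out.append((req.strip(), marker.strip() if sep else None))
    return out
```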


ghost commented Aug 25, 2017

One of the existing problems that has come up is that people have worked around environment markers to avoid Pip's default behavior of updating all dependencies, making static metadata impossible to recover.


ghost commented Aug 25, 2017

See mwaskom/seaborn#285.
