theupdateframework / pip

A tool for installing and managing Python packages
www.pip-installer.org

Package name resolution #3

Open trishankkarthik opened 11 years ago

trishankkarthik commented 11 years ago

Suppose you use our version of pip to install a package from PyPI. This package lists as its requirements the packages in the list ["twisted", "flask"]. Our pip would fail to install the required packages "twisted" and "flask" because it could not find them in our metadata. How did this happen?

Asking PyPI yields a clue:

$ curl -I https://pypi.python.org/simple/twisted/
HTTP/1.1 301 Moved Permanently
Date: Wed, 14 Aug 2013 19:03:20 GMT
Location: /simple/Twisted
Cache-Control: max-age=86400, public
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
Age: 82442

$ curl -I https://pypi.python.org/simple/flask/
HTTP/1.1 301 Moved Permanently
Date: Wed, 14 Aug 2013 19:03:41 GMT
Location: /simple/Flask
Cache-Control: max-age=86400, public
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
Age: 84616

pip without TUF is redirected by PyPI to the correct package, but pip with TUF interposition does not have this luxury.

I have a simple patch for this problem that works by simply issuing a (non-interposed) HEAD request to PyPI to resolve the "true" names of requirements. It makes the problem largely go away (except in cases where PyPI itself does not know about the package or there is some server-side error). I may commit it later to work around this problem, but we will certainly need a better long-term solution.

trishankkarthik commented 11 years ago

The more elegant alternative is to write a web service that will redirect /simple/ requests the way the PyPI web service does.
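
An added example, not code from this issue or from the project: one way to resolve requirement names without a non-interposed request is to build a case-insensitive index over the target paths in already-verified TUF targets metadata, and to use the same index to answer `/simple/` redirects the way the responses above do. The `simple/<Project>/...` target layout, the function names and the sample data are assumptions made for illustration.

```python
import re

# Constructed sample: target paths as they might be listed in verified TUF
# targets metadata (assumption: paths keep PyPI's canonical casing).
SAMPLE_TARGETS = [
    "simple/Twisted/index.html",
    "simple/Flask/index.html",
    "packages/source/F/Flask/Flask-0.10.1.tar.gz",
]

TARGET_RE = re.compile(r"^simple/([^/]+)/")
REQUEST_RE = re.compile(r"^/simple/([^/]+)/?$")


class AmbiguousName(Exception):
    """Two signed targets differ only by case; refuse to guess."""


def build_index(target_paths):
    """Map lower-cased project name -> canonical name from signed metadata."""
    index = {}
    for path in target_paths:
        match = TARGET_RE.match(path)
        if not match:
            continue  # not a /simple/ index entry
        canonical = match.group(1)
        known = index.setdefault(canonical.lower(), canonical)
        if known != canonical:
            raise AmbiguousName(f"{known!r} vs {canonical!r}")
    return index


def resolve(index, requirement):
    """Return the canonical project name, or None if no target matches."""
    return index.get(requirement.lower())


def redirect_location(index, request_path):
    """Return the Location for a 301, or None if the path is already canonical."""
    match = REQUEST_RE.match(request_path)
    if not match:
        raise ValueError("not a /simple/<project>/ request")
    canonical = resolve(index, match.group(1))
    if canonical is None:
        raise LookupError("project not present in trusted metadata")
    if canonical == match.group(1):
        return None
    return "/simple/" + canonical
```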