Convert error for ../ in license paths into deprecation warning (#4896)

Author: abravalheri

newsfragments/4896.bugfix.rst

@@ -0,0 +1,2 @@
+Temporarily convert error for license glob patterns containing ``../`` into a deprecation warning
+to allow an accomodation period.

setuptools/_core_metadata.py

@@ -207,7 +207,8 @@ def write_field(key, value):
     if self.long_description_content_type:
         write_field('Description-Content-Type', self.long_description_content_type)
 
-    self._write_list(file, 'License-File', self.license_files or [])
+    safe_license_files = map(_safe_license_file, self.license_files or [])
+    self._write_list(file, 'License-File', safe_license_files)
     _write_requirements(self, file)
 
     for field, attr in _POSSIBLE_DYNAMIC_FIELDS.items():
@@ -293,6 +294,14 @@ def _distribution_fullname(name: str, version: str) -> str:
     )
 
 
+def _safe_license_file(file):
+    # XXX: Do we need this after the deprecation discussed in #4892, #4896??
+    normalized = os.path.normpath(file).replace(os.sep, "/")
+    if "../" in normalized:
+        return os.path.basename(normalized)  # Temporarily restore pre PEP639 behaviour
+    return normalized
+
+
 _POSSIBLE_DYNAMIC_FIELDS = {
     # Core Metadata Field x related Distribution attribute
     "author": "author",

setuptools/command/bdist_wheel.py

@@ -23,6 +23,7 @@
 from wheel.wheelfile import WheelFile
 
 from .. import Command, __version__, _shutil
+from .._core_metadata import _safe_license_file
 from .._normalization import safer_name
 from ..warnings import SetuptoolsDeprecationWarning
 from .egg_info import egg_info as egg_info_cls
@@ -582,7 +583,8 @@ def adios(p: str) -> None:
 
         licenses_folder_path = os.path.join(distinfo_path, "licenses")
         for license_path in self.license_paths:
-            dist_info_license_path = os.path.join(licenses_folder_path, license_path)
+            safe_path = _safe_license_file(license_path)
+            dist_info_license_path = os.path.join(licenses_folder_path, safe_path)
             os.makedirs(os.path.dirname(dist_info_license_path), exist_ok=True)
             shutil.copy(license_path, dist_info_license_path)
 

setuptools/dist.py

@@ -496,26 +496,35 @@ def _find_pattern(pattern: str, enforce_match: bool = True) -> list[str]:
         >>> Distribution._find_pattern("../LICENSE.MIT")
         Traceback (most recent call last):
         ...
-        setuptools.errors.InvalidConfigError: ...Pattern '../LICENSE.MIT' cannot contain '..'
+        setuptools.warnings.SetuptoolsDeprecationWarning: ...Pattern '../LICENSE.MIT' cannot contain '..'...
         >>> Distribution._find_pattern("LICEN{CSE*")
         Traceback (most recent call last):
         ...
         setuptools.warnings.SetuptoolsDeprecationWarning: ...Pattern 'LICEN{CSE*' contains invalid characters...
         """
+        pypa_guides = "specifications/glob-patterns/"
         if ".." in pattern:
-            raise InvalidConfigError(f"Pattern {pattern!r} cannot contain '..'")
+            SetuptoolsDeprecationWarning.emit(
+                f"Pattern {pattern!r} cannot contain '..'",
+                """
+                Please ensure the files specified are contained by the root
+                of the Python package (normally marked by `pyproject.toml`).
+                """,
+                see_url=f"https://packaging.python.org/en/latest/{pypa_guides}",
+                due_date=(2026, 3, 20),  # Introduced in 2025-03-20
+                # Replace with InvalidConfigError after deprecation
+            )
         if pattern.startswith((os.sep, "/")) or ":\\" in pattern:
             raise InvalidConfigError(
                 f"Pattern {pattern!r} should be relative and must not start with '/'"
             )
         if re.match(r'^[\w\-\.\/\*\?\[\]]+$', pattern) is None:
-            pypa_guides = "specifications/glob-patterns/"
             SetuptoolsDeprecationWarning.emit(
                 "Please provide a valid glob pattern.",
                 "Pattern {pattern!r} contains invalid characters.",
                 pattern=pattern,
                 see_url=f"https://packaging.python.org/en/latest/{pypa_guides}",
-                due_date=(2026, 2, 20),  # Introduced in 2025-02-20
+                due_date=(2026, 3, 20),  # Introduced in 2025-02-20
             )
 
         found = glob(pattern, recursive=True)
@@ -525,7 +534,7 @@ def _find_pattern(pattern: str, enforce_match: bool = True) -> list[str]:
                 "Cannot find any files for the given pattern.",
                 "Pattern {pattern!r} did not match any files.",
                 pattern=pattern,
-                due_date=(2026, 2, 20),  # Introduced in 2025-02-20
+                due_date=(2026, 3, 20),  # Introduced in 2025-02-20
                 # PEP 639 requires us to error, but as a transition period
                 # we will only issue a warning to give people time to prepare.
                 # After the transition, this should raise an InvalidConfigError.

setuptools/tests/test_bdist_wheel.py

@@ -661,3 +661,48 @@ def test_dist_info_provided(dummy_dist, monkeypatch, tmp_path):
     assert expected - files_found == set()
     # Make sure there is no accidental egg-info bleeding into the wheel.
     assert not [path for path in files_found if 'egg-info' in str(path)]
+
+
+def test_allow_grace_period_parent_directory_license(monkeypatch, tmp_path):
+    # Motivation: https://github.com/pypa/setuptools/issues/4892
+    # TODO: Remove this test after deprecation period is over
+    files = {
+        "LICENSE.txt": "parent license",  # <---- the license files are outside
+        "NOTICE.txt": "parent notice",
+        "python": {
+            "pyproject.toml": cleandoc(
+                """
+                [project]
+                name = "test-proj"
+                dynamic = ["version"]      # <---- testing dynamic will not break
+                [tool.setuptools.dynamic]
+                version.file = "VERSION"
+                """
+            ),
+            "setup.cfg": cleandoc(
+                """
+                [metadata]
+                license_files =
+                  ../LICENSE.txt
+                  ../NOTICE.txt
+                """
+            ),
+            "VERSION": "42",
+        },
+    }
+    jaraco.path.build(files, prefix=str(tmp_path))
+    monkeypatch.chdir(tmp_path / "python")
+    msg = "Pattern '../.*.txt' cannot contain '..'"
+    with pytest.warns(SetuptoolsDeprecationWarning, match=msg):
+        bdist_wheel_cmd().run()
+    with ZipFile("dist/test_proj-42-py3-none-any.whl") as wf:
+        files_found = set(wf.namelist())
+        expected_files = {
+            "test_proj-42.dist-info/licenses/LICENSE.txt",
+            "test_proj-42.dist-info/licenses/NOTICE.txt",
+        }
+        assert expected_files <= files_found
+
+        metadata = wf.read("test_proj-42.dist-info/METADATA").decode("utf8")
+        assert "License-File: LICENSE.txt" in metadata
+        assert "License-File: NOTICE.txt" in metadata