1.0.dev1 pushed to PyPi

[yeisonvargasf]

Hi maintainers,

I noticed that version 1.0.dev1 appears to be available on PyPI as a pre-release, but I can't find any corresponding tag, source code, or release information in this GitHub repository.

What I observed:

• Version 1.0.dev1 seems to be listed on PyPI
• No git tag for 1.0.dev1 in this repository
• No release notes or changelog entry for this version
• Latest official release is 0.28.1 (December 2024)

Expected behavior:

Typically, development versions like the historical 0.13.0.dev1 had corresponding tags and source code in the repository.

Questions:

1. Is this version legitimate and authorized?
2. Should there be a corresponding tag/source code?
3. If it's an error, should it be removed from PyPI?

If the package exists without a clear source provenance, this could potentially be a supply chain concern. I wanted to bring this to your attention to ensure the repository and PyPI are properly synchronized.

Thanks for maintaining this excellent library!

[zanieb]

I've also noticed this, and would appreciate some details.

It also looks like 1.0.0b0 was deleted, which is not ideal for downstream consumers that may have been using it.

[lovelydinosaur]

I've also noticed this, and would appreciate some details.

Wonderful yep, looking forward to catching up.

It also looks like 1.0.0b0 was deleted

The yanked 1.0.0b0 release has now been deleted, yep.

[zanieb]

Thanks for the details!

The yanked 1.0.0b0 release has now been deleted, yep.

That seems reasonable. Was the release invalid? Of course I can't see the yank reason now :) What was the motivation for deleting it?

I only noticed this because it did cause a change in our test suite downstream.

[lovelydinosaur]

That seems reasonable. Was the release invalid? Of course I can't see the yank reason now :) What was the motivation for deleting it?

Just cleanup. It was a few years old yanked prerelease.

I only noticed this because it did cause a change in our test suite downstream.

Okay. Welcome to illuminate further on any of this if helpful?

[zanieb]

Nope that's sufficient, thanks again.

[lovelydinosaur]

Is this version legitimate and authorized?

There is a prerelease on PyPI. Yes the provenance is valid.

This is some design work that I've been doing privately. (Because I've needed a different approach for a change here.)

I'll open up a discussion to talk about the design work tomorrow, and we can get a video call scheduled to give us some proper catch up time.

Should there be a corresponding tag/source code?

Currently not, no.

If it's an error, should it be removed from PyPI?

This isn't an error.

[yeisonvargasf]

Thanks for the clarification, @tomchristie. I appreciate the quick response and explanation.