Interesting that maintainers of setuptools still only postpone the depreciation date for a year, so we can probably expect more issues like this in the future.
From what I gather this has basically derailed CI for the morning for the majority of places out there. Only workaround is pinning build-time dependencies, which only pip and uv seem to let you do well. Poetry is SOL / heavily cache-dependent as to whether it works.
A yank may not actually be warranted in this circumstance. The change works for most users of setuptools; it's only a very specific configuration of (build-environment, setuptools-version, third-party-dependency) that can cause an issue.
This is one of those situations where the scale of the software package is so large that even if only 0.1% of users had issue, that's a number representing tens of thousands of people.
The current approach of the maintainers terrifies me -- de facto standards should be respected. Even if something is invalid like `description-file`, if it is present in 12k repos it should raise a warning and not break anything.
In the rationale for this that I can find [1], a maintainer says the following:
> I'm inclined to say we should do it, even though it will cause some disruption.
They also say an alternative is to "accept the status quo", which is exactily what they should be doing. I can't find maintainers giving a compelling reason not to support this status quo of `long-description` as an alias to `long_description` besides "simplifying code." Code simplification should never take precedence over massive breakage of compatibility.
It seems that the person who did this acted unilaterally, with no code review, and ignored (then disabled) broken tests while landing this (https://github.com/pypa/setuptools/pull/4909). One should not be too harsh - he seems to be a student. One perhaps should be more harsh on the commerical entity sponsoring the project, though - setuptools is sponsored by Sonar via "Tidelift". According to https://tidelift.com/subscription/pkg/pypi-setuptools:
> The maintainers of setuptools get paid by Tidelift to
> implement industry-leading secure software development
> practices and document the practices they follow.
Well, that really doesn't seem so in this case now, does it?
I'm usually of the opinion of just removing stuff when it needs to be gone, but this is really an incosequential change to the setuptools code compared to how many problems it caused
"Needs to be gone" is the operative phrase here. An alias of `description-long` to `description_long` has no specific technical need to be removed.
The conditions that lead to having two tokens pointing to the same functionality should be prevented, but in this case it is a "de facto" alias which no amount reasonable amount of labor could fix.
Here is a PR which reverts this: https://github.com/pypa/setuptools/pull/4911
Interesting that maintainers of setuptools still only postpone the depreciation date for a year, so we can probably expect more issues like this in the future.