upload fail in middle with HTTPError: 400; This filename has already been used #170
Closed · Borda opened this issue Jul 13, 2023 · 25 comments
Labels: question (Further information is requested)

@Borda (Author) commented Jul 13, 2023:

Hello, we have seen the same failed upload for the last two releases. We built the package as a wheel and a source distribution and used pypa/gh-action-pypi-publish@v1.8.7 to upload them to PyPI. First it uploads the wheel, which passes, and then the source package fails in the middle. This failure in the middle also means that we can't re-upload the source package manually with twine.

Uploading distributions to https://upload.pypi.org/legacy/
INFO     dist/torchmetrics-1.0.1-py3-none-any.whl (712.2 KB)
INFO     dist/torchmetrics-1.0.1.tar.gz (420.2 KB)
INFO     username set by command options
INFO     password set by command options
INFO     username: __token__
INFO     password: <hidden>
Uploading torchmetrics-1.0.1-py3-none-any.whl
  0% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.0/765.4 kB • --:-- • ?
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 765.4/765.4 kB • 00:00 • 11.9 MB/s
INFO     Response from https://upload.pypi.org/legacy/:
         200 OK
Uploading torchmetrics-1.0.1.tar.gz
  0% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.0/449.1 kB • --:-- • ?
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 449.1/449.1 kB • 00:00 • 148.9 MB/s
INFO     Response from https://upload.pypi.org/legacy/:
         400 This filename has already been used, use a different version. See
         https://pypi.org/help/#file-name-reuse for more information.
INFO     <html>
          <head>
           <title>400 This filename has already been used, use a different
         version. See https://pypi.org/help/#file-name-reuse for more
         information.</title>
          </head>
          <body>
           <h1>400 This filename has already been used, use a different version.
         See https://pypi.org/help/#file-name-reuse for more information.</h1>
           The server could not comply with the request since it is either
         malformed or otherwise incorrect.<br/><br/>
         This filename has already been used, use a different version. See
         https://pypi.org/help/#file-name-reuse for more information.
          </body>
         </html>
ERROR    HTTPError: 400 Bad Request from https://upload.pypi.org/legacy/
         This filename has already been used, use a different version. See
         https://pypi.org/help/#file-name-reuse for more information.

See full action log: https://github.com/Lightning-AI/torchmetrics/actions/runs/5542425777/jobs/10117097368

Borda changed the title from "upload fail in middle and not possible to upload any more" to "upload fail in middle with HTTPError: 400; This filename has already been used" on Jul 13, 2023.
@webknjaz (Member):

@Borda this is because files on PyPI are immutable. If you or somebody else uploaded an artifact with the same name in the past, you cannot reuse it. Even if you deleted it, even if it used to be someone else's project that got cleaned up and you got the PyPI project name.
The error isn't coming from the action but from PyPI (via twine). Nothing actionable for us, closing.

@webknjaz (Member):

FWIW if you think there might be a bug, this would need to be reported to Warehouse and/or twine.

cc @di @woodruffw @pquentin twine version has been updated in the action recently — are you aware of any possibility/reports of the upload process misbehaving?

@webknjaz (Member):

@di could you look into this on the PyPI side? There are no tarballs on the CDN, it seems:

$ curl -v https://files.pythonhosted.org/packages/source/t/torchmetrics/torchmetrics-1.0.0rc1.tar.gz 2>&1 | grep location:  
< location: https://files.pythonhosted.org/packages/29/64/8507eb5eaee27b281ad71b4f4e90b2db50a5088d01f04eae77739a06976d/torchmetrics-1.0.0rc1.tar.gz

$ curl -v https://files.pythonhosted.org/packages/source/t/torchmetrics/torchmetrics-1.0.0.tar.gz 2>&1 | grep location: 

$ curl -v https://files.pythonhosted.org/packages/source/t/torchmetrics/torchmetrics-1.0.1.tar.gz 2>&1 | grep location:

@pquentin (Contributor):

This is the first such report I'm seeing, but note that this is using v1.8.7 which does not include #168.

@webknjaz (Member):

Ah, for some reason I thought this was the recent version of the action...

@webknjaz (Member):

Their last successful sdist upload was on Jun 29, it was v1.0.0rc1. Our action's v1.8.7 was released on Jun 26. So there's a chance that the working upload was using an older action version. But if not, this would make it a PyPI problem, not twine.

@webknjaz (Member):

In v1.8.7 the cryptography and requests pins were bumped. But since then, somebody else would also face this problem if it was related.

The only Warehouse change that looks like it could be related is pypi/warehouse#14027 — it tightens the sdist filename validation.

@Borda (Author) commented Jul 13, 2023:

This is the first such report I'm seeing, but note that this is using v1.8.7 which does not include #168.

is this bump so critical?

this is because files on PyPI are immutable.

yes we are aware of this

If you or somebody else uploaded an artifact with the same name in the past, you cannot reuse it. Even if you deleted it, even if it used to be someone else's project that got cleaned up and you got the PyPI project name.

I personally created that project name two years ago and was the sole owner most of the time. If we had used a version in the past and it was removed, I believe I would not be able to upload the wheel package either, correct?

@webknjaz (Member):

If we had used a version in the past and it was removed, I believe I would not be able to upload the wheel package either, correct?

Only if that version had a wheel. If the version in the past only had an sdist published, the problem would only manifest for sdists but not wheels since there's nothing to conflict with.

@Borda (Author) commented Jul 13, 2023:

Only if that version had a wheel. If the version in the past only had an sdist published, the problem would only manifest for sdists but not wheels since there's nothing to conflict with.

Interesting, and could it be that someone owned the project name in the past, deleted it all, and the name became available, so we could take it without any indication that it had been used before?

@webknjaz (Member):

Interesting, and could it be that someone owned the project name in the past, deleted it all, and the name became available, so we could take it without any indication that it had been used before?

Exactly. But I'd like to ask @di to verify this assumption. If that's the case, you'll probably hit similar problems in the future.

@pquentin (Contributor) commented Jul 13, 2023:

This is the first such report I'm seeing, but note that this is using v1.8.7 which does not include #168.

is this bump so critical?

No, but it bumps various packages, including a few major version bumps, so it might have introduced a bug.

@Borda (Author) commented Jul 13, 2023:

No, but it bumps various packages, including a few major version bumps, so it might have introduced a bug.

We have used this action version with other projects and everything of Lightning was fine...

@webknjaz (Member):

Looks like the successful upload of torchmetrics-1.0.0rc1.tar.gz was using pypa/gh-action-pypi-publish@v1.8.6 to make the upload: https://github.com/Lightning-AI/torchmetrics/actions/runs/5409548159/jobs/9829823858#step:8:1. But I also noticed that publishing to TestPyPI with pypa/gh-action-pypi-publish@v1.8.7 succeeded: https://github.com/Lightning-AI/torchmetrics/actions/runs/5462339923/jobs/9941573869#step:7:139.

This further confirms my suspicion about somebody else having uploaded torchmetrics-1.0.0.tar.gz in the past before you got the project name.

@webknjaz (Member):

No, but it bumps various packages, including a few major version bumps, so it might have introduced a bug.

With the recent observations, I think we can exclude problems with version bumps and possible problems with twine or this action...

@webknjaz (Member):

I wonder if the project got renamed to torch-metrics over time, this would mean that you might get conflicts with all the versions from https://pypi.org/project/torch-metrics/#history if they were also published under the old name. That's my educated guess but I can't know for sure.

@webknjaz (Member):

Alright, I've found their commit when they renamed the project. It's enochkan/torch-metrics@d78c61a#diff-60f61ab7a8d1910d86d9fda2261620314edcae5894d5aaa236b821c7256badd7L4.
And it was bumping from v1.0.0 to v1.0.1. So if they stopped uploading after that version, maybe you won't get any more conflicts.

@webknjaz (Member):

I suppose the only way to know which versions can't be recycled is to ask @enochkan...

webknjaz added the label "question (Further information is requested)" on Jul 13, 2023.

@webknjaz (Member):

@Borda one final piece of advice — switch to trusted publishing. It's not related to your current problem but is a good workflow upgrade — you'll be able to stop using the old-fashioned long-living API tokens.

@Borda (Author) commented Jul 13, 2023:

I wonder if the project got renamed to torch-metrics over time, this would mean that you might get conflicts with all the versions from pypi.org/project/torch-metrics/#history if they were also published under the old name. That's my educated guess but I can't know for sure.

It was always torchmetrics, but could it mean that names leaked?

This is quite challenging for users: you create a project which you think is new/unique, without any warning, and suddenly you find many versions were already taken... Shall there be some warning, at least, that you are recycling the project name?

@Borda (Author) commented Jul 13, 2023:

one final piece of advice — switch to trusted publishing

could you please elaborate on what you mean, is this action not trusted?

@woodruffw (Member):

@webknjaz is referring to this: https://docs.pypi.org/trusted-publishers/

Trusted publishing is another way to authenticate and upload to PyPI, without using a username/password or a manually configured API token. The action itself is still trusted (and it's the same action as before), "trusted" in the context of "trusted publishing" refers to the fact that the CI platform (GitHub) is being trusted to obtain a temporary API token.

@di (Sponsor, Member) commented Jul 13, 2023:

Interesting, and could it be that someone owned the project name in the past, deleted it all, and the name became available, so we could take it without any indication that it had been used before?

Yes, this is what happened:

  • 2020-11-03 19:28:11.07879 - torchmetrics-1.0.0.tar.gz was uploaded
  • 2020-11-03 19:32:25.642250 - torchmetrics-1.0.1.tar.gz was uploaded
  • 2020-11-03 19:35:03.173597 - the entire project was removed
  • 2020-12-22 20:09:42.148400 - @Borda created the current version of the project

@di (Sponsor, Member) commented Jul 13, 2023:

(I should mention that previous owners of this project name also uploaded torchmetrics-1.4.1.tar.gz and torchmetrics-0.1.tar.gz)
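The immutability rule webknjaz explains, the curl probe against files.pythonhosted.org, and the timeline di pulled from Warehouse all point at a pre-flight check a release engineer would want to run before the publish step starts sending files. The block below is an added example for this thread, not code from gh-action-pypi-publish, twine or Warehouse. `SAMPLE_PROJECT_JSON` is a constructed sample in the shape of the PyPI JSON API (`https://pypi.org/pypi/<project>/json`); `KNOWN_BURNED` lists the four sdist filenames di reported. The caveat is the whole point of this issue: files deleted by a previous owner appear neither in the API listing nor on the CDN, yet PyPI still refuses them, so a clean pre-flight result is necessary but not sufficient, and only the upload response is authoritative.

```python
"""Pre-flight check of planned dist filenames before a PyPI upload.

Added example for this thread; not code from gh-action-pypi-publish, twine or
Warehouse. SAMPLE_PROJECT_JSON is a constructed sample shaped like the PyPI
JSON API response; a live check would fetch https://pypi.org/pypi/<name>/json.
"""
import json
import re

# Constructed sample: 1.0.0rc1 has both files; 1.0.1 ended up wheel-only after
# the sdist upload in this issue was refused with HTTP 400.
SAMPLE_PROJECT_JSON = json.dumps({
    "info": {"name": "torchmetrics"},
    "releases": {
        "1.0.0rc1": [
            {"filename": "torchmetrics-1.0.0rc1-py3-none-any.whl", "packagetype": "bdist_wheel"},
            {"filename": "torchmetrics-1.0.0rc1.tar.gz", "packagetype": "sdist"},
        ],
        "1.0.1": [
            {"filename": "torchmetrics-1.0.1-py3-none-any.whl", "packagetype": "bdist_wheel"},
        ],
    },
})

# Filenames PyPI refuses although nothing lists them: the previous owner's
# sdists that di found in Warehouse's records. A project bitten once should
# keep such a list next to its release tooling.
KNOWN_BURNED = frozenset({
    "torchmetrics-0.1.tar.gz",
    "torchmetrics-1.0.0.tar.gz",
    "torchmetrics-1.0.1.tar.gz",
    "torchmetrics-1.4.1.tar.gz",
})

# sdist: <name>-<version>.tar.gz   wheel: <name>-<version>-<tags>.whl
_WHEEL = re.compile(r"^(?P<name>[^-]+)-(?P<version>[^-]+)-.+\.whl$")
_SDIST = re.compile(r"^(?P<name>[^-]+)-(?P<version>[^-]+)\.tar\.gz$")


def classify(filename):
    """Return (version, kind) for a dist filename; kind is 'wheel' or 'sdist'."""
    m = _WHEEL.match(filename)
    if m:
        return m.group("version"), "wheel"
    m = _SDIST.match(filename)
    if m:
        return m.group("version"), "sdist"
    raise ValueError(f"unrecognised distribution filename: {filename}")


def listed_filenames(project_json):
    """Every filename the JSON API currently lists for the project.
    Files deleted by an earlier owner are NOT here, yet PyPI still refuses
    them, so absence from this set proves nothing."""
    data = json.loads(project_json)
    return {f["filename"] for files in data["releases"].values() for f in files}


def sdist_cdn_url(project, filename):
    """Legacy 'source' path webknjaz probed with curl: a live sdist answers
    with a redirect to its hashed location, a deleted one does not."""
    return f"https://files.pythonhosted.org/packages/source/{project[0]}/{project}/{filename}"


def preflight(planned, project_json, known_burned=frozenset()):
    """Planned filenames known to collide, in upload order. Every name is
    parsed first so a malformed filename fails here, not mid-upload."""
    for fn in planned:
        classify(fn)
    refused = listed_filenames(project_json) | set(known_burned)
    return [fn for fn in planned if fn in refused]


def simulate_upload(planned, refused):
    """Mimic twine's sequential upload: files before the first refusal are
    published and cannot be withdrawn; the rest are never sent.
    Returns (accepted, refused_filename_or_None, never_sent)."""
    accepted = []
    for i, fn in enumerate(planned):
        if fn in refused:
            return accepted, fn, planned[i + 1:]
        accepted.append(fn)
    return accepted, None, []


def partial_releases(project_json):
    """Versions listed with only a wheel or only an sdist: the state a
    mid-batch refusal like the one in this issue leaves behind."""
    data = json.loads(project_json)
    return sorted(
        version for version, files in data["releases"].items()
        if {classify(f["filename"])[1] for f in files} != {"sdist", "wheel"}
    )


if __name__ == "__main__":
    planned = ["torchmetrics-1.0.1-py3-none-any.whl", "torchmetrics-1.0.1.tar.gz"]
    print("conflicts:", preflight(planned, SAMPLE_PROJECT_JSON, KNOWN_BURNED))
    print("sequential upload:", simulate_upload(planned, KNOWN_BURNED))
    print("wheel-only or sdist-only releases:", partial_releases(SAMPLE_PROJECT_JSON))
```

`simulate_upload` makes the ordering problem visible: the wheel is accepted and immediately immutable, the sdist is refused, and the release is left half-published. Since the public tools upload sequentially, the only way to avoid that state is to refuse to start when `preflight` reports anything, and to bump the version rather than retry.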

@Borda (Author) commented Jul 13, 2023:

I see, my security log starts at 2020-12-22 20:09:42.148400; I could not see anything before that.
