news/11847.bugfix.rst

+Prevent downloading files twice when PEP 658 metadata is present

news/12063.removal.rst

+Deprecate legacy version and version specifiers that don't conform to `PEP 440
+<https://peps.python.org/pep-0440/>`_

news/12119.bugfix.rst

+Pass the ``-r`` flag to mercurial to be explicit that a revision is passed and protect
+against ``hg`` options injection as part of VCS URLs. Users that do not have control on
+VCS URLs passed to pip are advised to upgrade.

news/4256.removal.rst

+``freeze`` no longer excludes the ``setuptools``, ``distribute``, and ``wheel``
+from the output when running on Python 3.12 or later, where they are not
+included in a virtual environment by default. Use ``--exclude`` if you wish to
+exclude any of these packages.

src/pip/_internal/commands/check.py

@@ -7,6 +7,7 @@ from pip._internal.cli.status_codes import ERROR, SUCCESS
 from pip._internal.operations.check import (
     check_package_set,
     create_package_set_from_installed,
+    warn_legacy_versions_and_specifiers,
 )
 from pip._internal.utils.misc import write_output
 
@@ -21,6 +22,7 @@ class CheckCommand(Command):
 
     def run(self, options: Values, args: List[str]) -> int:
         package_set, parsing_probs = create_package_set_from_installed()
+        warn_legacy_versions_and_specifiers(package_set)
         missing, conflicting = check_package_set(package_set)
 
         for project_name in missing:

src/pip/_internal/commands/download.py

@@ -130,6 +130,7 @@ class DownloadCommand(RequirementCommand):
         self.trace_basic_info(finder)
 
         requirement_set = resolver.resolve(reqs, check_supported_wheels=True)
+        requirement_set.warn_legacy_versions_and_specifiers()
 
         downloaded: List[str] = []
         for req in requirement_set.requirements.values():

src/pip/_internal/commands/freeze.py

 import sys
 from optparse import Values
-from typing import List
+from typing import AbstractSet, List
 
 from pip._internal.cli import cmdoptions
 from pip._internal.cli.base_command import Command
@@ -8,7 +8,18 @@ from pip._internal.cli.status_codes import SUCCESS
 from pip._internal.operations.freeze import freeze
 from pip._internal.utils.compat import stdlib_pkgs
 
-DEV_PKGS = {"pip", "setuptools", "distribute", "wheel"}
+
+def _should_suppress_build_backends() -> bool:
+    return sys.version_info < (3, 12)
+
+
+def _dev_pkgs() -> AbstractSet[str]:
+    pkgs = {"pip"}
+
+    if _should_suppress_build_backends():
+        pkgs |= {"setuptools", "distribute", "wheel"}
+
+    return pkgs
 
 
 class FreezeCommand(Command):
@@ -61,7 +72,7 @@ class FreezeCommand(Command):
             action="store_true",
             help=(
                 "Do not skip these packages in the output:"
-                " {}".format(", ".join(DEV_PKGS))
+                " {}".format(", ".join(_dev_pkgs()))
             ),
         )
         self.cmd_opts.add_option(
@@ -77,7 +88,7 @@ class FreezeCommand(Command):
     def run(self, options: Values, args: List[str]) -> int:
         skip = set(stdlib_pkgs)
         if not options.freeze_all:
-            skip.update(DEV_PKGS)
+            skip.update(_dev_pkgs())
 
         if options.excludes:
             skip.update(options.excludes)

src/pip/_internal/commands/install.py

@@ -387,6 +387,9 @@ class InstallCommand(RequirementCommand):
                         json.dump(report.to_dict(), f, indent=2, ensure_ascii=False)
 
             if options.dry_run:
+                # In non dry-run mode, the legacy versions and specifiers check
+                # will be done as part of conflict detection.
+                requirement_set.warn_legacy_versions_and_specifiers()
                 would_install_items = sorted(
                     (r.metadata["name"], r.metadata["version"])
                     for r in requirement_set.requirements_to_install

src/pip/_internal/commands/wheel.py

@@ -145,6 +145,7 @@ class WheelCommand(RequirementCommand):
         self.trace_basic_info(finder)
 
         requirement_set = resolver.resolve(reqs, check_supported_wheels=True)
+        requirement_set.warn_legacy_versions_and_specifiers()
 
         reqs_to_build: List[InstallRequirement] = []
         for req in requirement_set.requirements.values():

src/pip/_internal/operations/check.py

@@ -5,12 +5,15 @@ import logging
 from typing import Callable, Dict, List, NamedTuple, Optional, Set, Tuple
 
 from pip._vendor.packaging.requirements import Requirement
+from pip._vendor.packaging.specifiers import LegacySpecifier
 from pip._vendor.packaging.utils import NormalizedName, canonicalize_name
+from pip._vendor.packaging.version import LegacyVersion
 
 from pip._internal.distributions import make_distribution_for_install_requirement
 from pip._internal.metadata import get_default_environment
 from pip._internal.metadata.base import DistributionVersion
 from pip._internal.req.req_install import InstallRequirement
+from pip._internal.utils.deprecation import deprecated
 
 logger = logging.getLogger(__name__)
 
@@ -57,6 +60,8 @@ def check_package_set(
     package name and returns a boolean.
     """
 
+    warn_legacy_versions_and_specifiers(package_set)
+
     missing = {}
     conflicting = {}
 
@@ -147,3 +152,36 @@ def _create_whitelist(
                 break
 
     return packages_affected
+
+
+def warn_legacy_versions_and_specifiers(package_set: PackageSet) -> None:
+    for project_name, package_details in package_set.items():
+        if isinstance(package_details.version, LegacyVersion):
+            deprecated(
+                reason=(
+                    f"{project_name} {package_details.version} "
+                    f"has a non-standard version number."
+                ),
+                replacement=(
+                    f"to upgrade to a newer version of {project_name} "
+                    f"or contact the author to suggest that they "
+                    f"release a version with a conforming version number"
+                ),
+                issue=12063,
+                gone_in="23.3",
+            )
+        for dep in package_details.dependencies:
+            if any(isinstance(spec, LegacySpecifier) for spec in dep.specifier):
+                deprecated(
+                    reason=(
+                        f"{project_name} {package_details.version} "
+                        f"has a non-standard dependency specifier {dep}."
+                    ),
+                    replacement=(
+                        f"to upgrade to a newer version of {project_name} "
+                        f"or contact the author to suggest that they "
+                        f"release a version with a conforming dependency specifiers"
+                    ),
+                    issue=12063,
+                    gone_in="23.3",
+                )

src/pip/_internal/operations/prepare.py

@@ -471,6 +471,19 @@ class RequirementPreparer:
             logger.debug("Downloading link %s to %s", link, filepath)
             req = links_to_fully_download[link]
             req.local_file_path = filepath
+            # TODO: This needs fixing for sdists
+            # This is an emergency fix for #11847, which reports that
+            # distributions get downloaded twice when metadata is loaded
+            # from a PEP 658 standalone metadata file. Setting _downloaded
+            # fixes this for wheels, but breaks the sdist case (tests
+            # test_download_metadata). As PyPI is currently only serving
+            # metadata for wheels, this is not an immediate issue.
+            # Fixing the problem properly looks like it will require a
+            # complete refactoring of the `prepare_linked_requirements_more`
+            # logic, and I haven't a clue where to start on that, so for now
+            # I have fixed the issue *just* for wheels.
+            if req.is_wheel:
+                self._downloaded[req.link.url] = filepath
 
         # This step is necessary to ensure all lazy wheels are processed
         # successfully by the 'download', 'wheel', and 'install' commands.

src/pip/_internal/req/req_set.py

@@ -2,9 +2,12 @@ import logging
 from collections import OrderedDict
 from typing import Dict, List
 
+from pip._vendor.packaging.specifiers import LegacySpecifier
 from pip._vendor.packaging.utils import canonicalize_name
+from pip._vendor.packaging.version import LegacyVersion
 
 from pip._internal.req.req_install import InstallRequirement
+from pip._internal.utils.deprecation import deprecated
 
 logger = logging.getLogger(__name__)
 
@@ -80,3 +83,37 @@ class RequirementSet:
             for install_req in self.all_requirements
             if not install_req.constraint and not install_req.satisfied_by
         ]
+
+    def warn_legacy_versions_and_specifiers(self) -> None:
+        for req in self.requirements_to_install:
+            version = req.get_dist().version
+            if isinstance(version, LegacyVersion):
+                deprecated(
+                    reason=(
+                        f"pip has selected the non standard version {version} "
+                        f"of {req}. In the future this version will be "
+                        f"ignored as it isn't standard compliant."
+                    ),
+                    replacement=(
+                        "set or update constraints to select another version "
+                        "or contact the package author to fix the version number"
+                    ),
+                    issue=12063,
+                    gone_in="23.3",
+                )
+            for dep in req.get_dist().iter_dependencies():
+                if any(isinstance(spec, LegacySpecifier) for spec in dep.specifier):
+                    deprecated(
+                        reason=(
+                            f"pip has selected {req} {version} which has non "
+                            f"standard dependency specifier {dep}. "
+                            f"In the future this version of {req} will be "
+                            f"ignored as it isn't standard compliant."
+                        ),
+                        replacement=(
+                            "set or update constraints to select another version "
+                            "or contact the package author to fix the version number"
+                        ),
+                        issue=12063,
+                        gone_in="23.3",
+                    )

src/pip/_internal/utils/glibc.py

-# The following comment should be removed at some point in the future.
-# mypy: strict-optional=False
-
 import os
 import sys
 from typing import Optional, Tuple
@@ -20,8 +17,11 @@ def glibc_version_string_confstr() -> Optional[str]:
     if sys.platform == "win32":
         return None
     try:
+        gnu_libc_version = os.confstr("CS_GNU_LIBC_VERSION")
+        if gnu_libc_version is None:
+            return None
         # os.confstr("CS_GNU_LIBC_VERSION") returns a string like "glibc 2.17":
-        _, version = os.confstr("CS_GNU_LIBC_VERSION").split()
+        _, version = gnu_libc_version.split()
     except (AttributeError, OSError, ValueError):
         # os.confstr() or CS_GNU_LIBC_VERSION not available (or a bad value)...
         return None

src/pip/_internal/vcs/mercurial.py

@@ -31,7 +31,7 @@ class Mercurial(VersionControl):
 
     @staticmethod
     def get_base_rev_args(rev: str) -> List[str]:
-        return [rev]
+        return ["-r", rev]
 
     def fetch_new(
         self, dest: str, url: HiddenText, rev_options: RevOptions, verbosity: int

tests/functional/test_freeze.py

@@ -88,11 +88,49 @@ def test_basic_freeze(script: PipTestEnvironment) -> None:
 
 
 def test_freeze_with_pip(script: PipTestEnvironment) -> None:
-    """Test pip shows itself"""
+    """Test that pip shows itself only when --all is used"""
+    result = script.pip("freeze")
+    assert "pip==" not in result.stdout
     result = script.pip("freeze", "--all")
     assert "pip==" in result.stdout
 
 
+def test_freeze_with_setuptools(script: PipTestEnvironment) -> None:
+    """
+    Test that pip shows setuptools only when --all is used
+    or _should_suppress_build_backends() returns false
+    """
+
+    result = script.pip("freeze", "--all")
+    assert "setuptools==" in result.stdout
+
+    (script.site_packages_path / "mock.pth").write_text("import mock\n")
+
+    (script.site_packages_path / "mock.py").write_text(
+        textwrap.dedent(
+            """\
+                import pip._internal.commands.freeze as freeze
+                freeze._should_suppress_build_backends = lambda: False
+            """
+        )
+    )
+
+    result = script.pip("freeze")
+    assert "setuptools==" in result.stdout
+
+    (script.site_packages_path / "mock.py").write_text(
+        textwrap.dedent(
+            """\
+                import pip._internal.commands.freeze as freeze
+                freeze._should_suppress_build_backends = lambda: True
+            """
+        )
+    )
+
+    result = script.pip("freeze")
+    assert "setuptools==" not in result.stdout
+
+
 def test_exclude_and_normalization(script: PipTestEnvironment, tmpdir: Path) -> None:
     req_path = wheel.make_wheel(name="Normalizable_Name", version="1.0").save_to_dir(
         tmpdir

tests/unit/test_vcs.py

@@ -66,7 +66,7 @@ def test_rev_options_repr() -> None:
         # First check VCS-specific RevOptions behavior.
         (Bazaar, [], ["-r", "123"], {}),
         (Git, ["HEAD"], ["123"], {}),
-        (Mercurial, [], ["123"], {}),
+        (Mercurial, [], ["-r", "123"], {}),
         (Subversion, [], ["-r", "123"], {}),
         # Test extra_args.  For this, test using a single VersionControl class.
         (