pass thru --uploaded-prior-to on Pip v26.0 #3131

Open
cburroughs wants to merge 1 commit into pex-tool:main from cburroughs:csb/uploaded-prior-to

@cburroughs
Collaborator

Pip 26.0 adds support for --uploaded-prior-to for filtering packages by their upload time to an index. See
https://pip.pypa.io/en/stable/user_guide/#filtering-by-upload-time for details.

This change passes through --uploaded-prior-to on recent enough Pip versions, and emits a warning on older ones.

NOTE: When Pip is building an sdist, this setting also applies to build dependencies and it is thus easy when using far-in-the-past values to end up in a tangle of incompatible Python/setuptools versions. This is out of Pex's control, but might be the first thing you hit if you are like me and reach for old cowsay versions right away.

closes #3128

@cburroughs cburroughs self-assigned this Mar 27, 2026
Member

@jsirois jsirois left a comment

Thanks @cburroughs! I expect you'll get test failures. You should be able to ./duvrc.sh test-py27-integration ... to test older versions assuming you have docker installed. If you happen to have old pythons installed, then just uv run dev-cmd test-py27-integration ... will do it of course. This is how I generally attack 1st, but I have all the old interpreter versions installed locally.

Please also bump pex/version.py to 2.92.0 and add a CHANGES.md entry. I'll release this as soon as it's green.

Comment on lines +23 to +24
"--pip-version",
"26.0",
Member

I assume this will fail on the py27 and py38 shards. I'd think you'd need a @pytest.mark.skipif and an appropriate condition guarding this test and the test below.

Member

@jsirois jsirois Mar 27, 2026

Aha, even fails on new Pythons:

 pip: ERROR: Index http://127.0.0.1:49291/root/pypi/+simple/cowsay/ does not provide upload-time metadata.

N.B.: I use --devpi for tests by default for less flake / better netizen. You can bypass this in a test with one of these approaches:

  • @pytest.fixture
    def devpi_clean_env():
        # type: () -> Mapping[str, Any]
        # These will be set when tests are run with --devpi, and we want to unset them to
        # ensure our Pex command line config above is what is used.
        return dict(
            _PEX_USE_PIP_CONFIG=None,
            PIP_INDEX_URL=None,
            PIP_TRUSTED_HOST=None,
        )
  • # This test has problems completing its resolve just using --devpi, so we ensure PyPI is
    # also used.
    "--use-pip-config",
    env=make_env(PIP_EXTRA_INDEX_URL=PYPI),

And the devpi support is an open issue: devpi/devpi#1061

assert Version("6.0") == locked_resolve.locked_requirements[0].pin.version


def test_uploaded_prior_to_far_future_allows_latest(tmpdir):
Member

Why? I'm not seeing how this tests your Pex integration. It seems to test Pip.

assert [] == mac_scoped_repos.in_scope_find_links(ProjectName("torch"))


def test_resolver_uploaded_prior_to_passthru(parser):
Member

This is fine, but I view unit tests as useless in the best case, and detrimental to refactors in the worst when you have an IT that covers like you do.

Comment on lines +132 to +143
warn_msg = (
"The `--uploaded-prior-to` was set but Pip v{THIS_VERSION} "
"does not support the `--uploaded-prior-to` option (which "
"is only available in Pip v{VERSION_26_0} and later "
"versions). Consequently, Pex is ignoring the "
"`--uploaded-prior-to` option for this particular Pip "
"invocation.".format(
THIS_VERSION=version,
VERSION_26_0=PipVersion.v26_0,
)
)
pex_warnings.warn(warn_msg)
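
Review bot: the `pex_warnings.warn(warn_msg)` branch drops the requested cutoff and lets the resolve continue unfiltered, so a build that relies on `--uploaded-prior-to` to keep out releases uploaded after a given time gets them anyway, with only a warning in the output. Consider raising an error here, or making the downgrade to a warning something the user has to opt into. The message text "The `--uploaded-prior-to` was set" is also missing a noun; "The `--uploaded-prior-to` option was set" would match the rest of the sentence.
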
Member

@jsirois jsirois Mar 27, 2026

@cburroughs does the hard error on Pip's part when --uploaded-prior-to metadata is not available from the index suggest your warning should be an error as well? I meant to note this earlier in the review, but the Pip error prompts me to re-consider this. Can you think of a good + real reason to not hard error? Hard errors are nice because you can relax them later and not break anyone. The reverse is not true, and I'm bound by Pex ethics to never break anyone.
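
The two failure modes raised in this review (an index that serves no upload-time metadata, and a Pip too old for the option), as an added Python example that is not code from this PR, Pex or Pip. The file entries are constructed PEP 700 records; `files_uploaded_prior_to`, `pip_args` and `CutoffNotEnforceable` are hypothetical names, and the strict "before" comparison and the two-token argument form are assumptions.

```python
import warnings
from datetime import datetime, timezone

# Constructed PEP 700 Simple API file entries (not real index data).
SAMPLE_FILES = [
    {"filename": "cowsay-5.0.tar.gz", "upload-time": "2022-05-10T08:00:00Z"},
    {"filename": "cowsay-6.0.tar.gz", "upload-time": "2023-07-02T15:30:00.000000Z"},
    {"filename": "cowsay-6.1.tar.gz", "upload-time": "2023-09-25T21:12:45Z"},
]


class CutoffNotEnforceable(Exception):
    """The requested upload-time cutoff cannot be applied."""


def parse_upload_time(value):
    # Timestamps are UTC with a trailing "Z", which datetime.fromisoformat()
    # only accepts on Python 3.11+; normalise to an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def files_uploaded_prior_to(files, cutoff):
    """Return filenames uploaded strictly before `cutoff` (assumed semantics)."""
    kept = []
    for entry in files:
        raw = entry.get("upload-time")
        if raw is None:
            # Fail closed: without a timestamp the file cannot be shown to
            # predate the cutoff, so refuse instead of letting it through.
            raise CutoffNotEnforceable(entry["filename"] + " has no upload-time")
        if parse_upload_time(raw) < cutoff:
            kept.append(entry["filename"])
    return kept


def pip_args(pip_version, uploaded_prior_to, strict=True):
    """Hypothetical gate: pass the option to Pip >= 26.0, else error or warn."""
    if uploaded_prior_to is None:
        return []
    if pip_version >= (26, 0):
        return ["--uploaded-prior-to", uploaded_prior_to]
    message = "Pip %d.%d cannot enforce --uploaded-prior-to" % pip_version
    if strict:
        raise CutoffNotEnforceable(message)
    # Fail open: the resolve continues with no cutoff applied at all.
    warnings.warn(message)
    return []
```

With `strict=False` the caller gets an empty argument list back, which is indistinguishable from never having asked for a cutoff; that is the behaviour the warning-versus-error question above is about.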
