Description
This is a copy of what I wrote in #1066 (comment), since it's off-topic there, in reference to the current source distribution filename format guidelines (link):
The file name of a sdist is not currently standardised, although the de facto form is {name}-{version}.tar.gz, where {name} is the canonicalized form of the project name (see PEP 503 for the canonicalization rules) with - characters replaced with _, and {version} is the canonicalized form of the project version (see Version specifiers).
Does PyPI or any other PEP 503-compliant host currently do the - to _ normalization? The standard here suggests that foo-bar==1.2.3 should be normalized to foo_bar-1.2.3.tar.gz, but here's how PyPI's simple index supplies pip-audit's source distributions (link):
pip-audit-2.1.0.tar.gz
pip-audit-2.1.1.tar.gz
pip-audit-2.2.0.tar.gz
pip-audit-2.2.1.tar.gz
(The current behavior is clearly working since pip has a workaround for the "vexing parse" case in pypa/packaging#527, but I wonder if it makes sense to amend this documentation again to emphasize that the normalization suggested currently isn't practiced.)
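To make the gap between the guideline and PyPI's practice concrete, here is an added example (not part of the original issue or of pip/PyPI code) that builds the guideline's sdist filename from a project name and version, and parses filenames in either form back to a canonical name and version; the `PYPI_LISTING` list is constructed to mirror the pip-audit entries quoted above.

```python
import re
from typing import List, Tuple

SDIST_SUFFIXES = (".tar.gz", ".zip")


def canonicalize_name(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become one '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def guideline_sdist_filename(name: str, version: str) -> str:
    """Filename the quoted guideline prescribes: canonical name with '-' swapped
    for '_', then '-{version}' and the archive suffix."""
    return f"{canonicalize_name(name).replace('-', '_')}-{version}.tar.gz"


def parse_sdist_filename(filename: str) -> Tuple[str, str]:
    """Split an sdist filename into (canonical project name, version).

    Splitting on the *first* '-' only works for the guideline form, where the
    name part contains no hyphens. PyPI's de facto form keeps hyphens in the
    name ('pip-audit-2.1.0.tar.gz'), so the version is taken as the text after
    the *last* '-'. That is unambiguous because PEP 440 versions never contain
    a '-', whereas project names may.
    """
    for suffix in SDIST_SUFFIXES:
        if filename.endswith(suffix):
            stem = filename[: -len(suffix)]
            break
    else:
        raise ValueError(f"not a recognised sdist filename: {filename}")
    name, sep, version = stem.rpartition("-")
    if not sep or not name or not version:
        raise ValueError(f"cannot split name and version in {filename}")
    return canonicalize_name(name), version


def matches_project(filename: str, requested: str) -> bool:
    """True when the sdist belongs to the requested project, comparing canonical
    names so 'pip-audit', 'pip_audit' and 'Pip.Audit' all agree."""
    name, _ = parse_sdist_filename(filename)
    return name == canonicalize_name(requested)


# Constructed listing mirroring the PyPI simple-index entries quoted in the issue.
PYPI_LISTING: List[str] = [
    "pip-audit-2.1.0.tar.gz",
    "pip-audit-2.1.1.tar.gz",
    "pip-audit-2.2.0.tar.gz",
    "pip-audit-2.2.1.tar.gz",
]
```

Both `pip_audit-2.1.0.tar.gz` (guideline form) and `pip-audit-2.1.0.tar.gz` (PyPI form) parse to the same canonical name, which is why comparing canonical names rather than raw filename prefixes is the safe check when matching index entries to a requirement.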