iSharkFly-Open
/
python-peps
mirror of https://github.com/python/peps.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

PEP 710: elaborate on storing at least one hash 

Signed-off-by: Fridolin Pokorny <fridolin.pokorny@gmail.com>
This commit is contained in:
Fridolin Pokorny 2024-08-01 08:11:21 +02:00
parent c09a325bf8
commit f396d89158
1 changed files with 17 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
peps/pep-0710.rst
View File

@ -437,6 +437,18 @@ contain any entries. In such cases, pip does not create any
is encouraged for consumers to rebuild wheels with a newer version of pip in is encouraged for consumers to rebuild wheels with a newer version of pip in
these cases. these cases.
uv developers `raised a concern about requiring at least one hash
<https://discuss.python.org/t/25428/34>`__ in the ``provenance_url.json`` file
as uv does not calculate distribution hashes unless explicitly required.
However, requiring at least one hash aids in integrity checks for
distributions. This is important in scenarios involving lock files or when
identifying distributions as part of SBOMs. The ``provenance_url.json`` file
mandates the inclusion of at least one hash for the downloaded distribution.
Installers that do not compute hashes of distributions as part of the
installation process (e.g., due to performance reasons) can omit creating the
``provenance_url.json`` file. However, the limitations affecting the
auditability of Python environments should be taken into account.
Making the hashes key optional Making the hashes key optional
------------------------------ ------------------------------
@ -646,10 +658,10 @@ which this idea originated.
Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback
and support to work on this PEP. and support to work on this PEP.
Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner
reviewing this PEP and providing valuable suggestions. for reviewing this PEP and providing valuable suggestions.
Thanks to Seth Michael Larson for providing valuable suggestions and for Thanks to Seth Michael Larson for support, providing valuable suggestions and for
the proposed pip-sbom prototype. the proposed pip-sbom prototype.
Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`. Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.
@ -657,6 +669,8 @@ Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.
Thanks to Frost Ming for raising possible concern around storing index URL in Thanks to Frost Ming for raising possible concern around storing index URL in
the ``provenance_url.json`` file. the ``provenance_url.json`` file.
Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer.
Last, but not least, thanks to Donald Stufft for sponsoring this PEP. Last, but not least, thanks to Donald Stufft for sponsoring this PEP.
Copyright Copyright