PEP 710: elaborate on storing at least one hash

Signed-off-by: Fridolin Pokorny <fridolin.pokorny@gmail.com>
This commit is contained in:
Fridolin Pokorny 2024-08-01 08:11:21 +02:00
parent c09a325bf8
commit f396d89158
1 changed files with 17 additions and 3 deletions


@ -437,6 +437,18 @@ contain any entries. In such cases, pip does not create any
is encouraged for consumers to rebuild wheels with a newer version of pip in
these cases.
uv developers `raised a concern about requiring at least one hash
<https://discuss.python.org/t/25428/34>`__ in the ``provenance_url.json`` file
as uv does not calculate distribution hashes unless explicitly required.
However, requiring at least one hash aids in integrity checks for
distributions. This is important in scenarios involving lock files or when
identifying distributions as part of SBOMs. The ``provenance_url.json`` file
mandates the inclusion of at least one hash for the downloaded distribution.
Installers that do not compute hashes of distributions as part of the
installation process (e.g., due to performance reasons) can omit creating the
``provenance_url.json`` file. However, the limitations affecting the
auditability of Python environments should be taken into account.
Making the hashes key optional
------------------------------
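Review bot: the new paragraph states the at-least-one-hash requirement twice ("requiring at least one hash aids in integrity checks" and then "The ``provenance_url.json`` file mandates the inclusion of at least one hash"), and the closing sentence leaves unclear who should "take into account" the auditability limitation when the file is omitted. Suggest folding the two requirement statements into one and then saying explicitly what the omission means for consumers, e.g. "Installers that do not compute distribution hashes (e.g., for performance reasons) MUST omit the ``provenance_url.json`` file entirely rather than write one without hashes; consumers such as SBOM tools should treat such environments the same as environments created by installers that do not implement this PEP." That keeps the file's invariant (a present file always carries a hash) stated once and makes the auditability trade-off concrete for the uv case the paragraph cites.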
@ -646,10 +658,10 @@ which this idea originated.
Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback
and support to work on this PEP.
Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for
reviewing this PEP and providing valuable suggestions.
Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner
for reviewing this PEP and providing valuable suggestions.
Thanks to Seth Michael Larson for providing valuable suggestions and for
Thanks to Seth Michael Larson for support, providing valuable suggestions and for
the proposed pip-sbom prototype.
Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.
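Review bot: the rewritten Seth Michael Larson line reads "for support, providing valuable suggestions and for the proposed pip-sbom prototype", which mixes "for X, Y and for Z"; suggest making the list parallel, e.g. "for support, for providing valuable suggestions, and for the proposed pip-sbom prototype." The Adam Turner addition in the preceding sentence is fine as is.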
@ -657,6 +669,8 @@ Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.
Thanks to Frost Ming for raising possible concern around storing index URL in
the ``provenance_url.json`` file.
Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer.
Last, but not least, thanks to Donald Stufft for sponsoring this PEP.
Copyright
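Review bot: minor wording in the added line "Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer." Since the hunk at line 437 now cites the specific uv discussion (the hash requirement thread on discuss.python.org), consider saying what the input concerned so the acknowledgement matches that paragraph, e.g. "for their input on how the uv installer handles distribution hashes", and use singular "input".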