PEP 710: elaborate on storing at least one hash
Signed-off-by: Fridolin Pokorny <fridolin.pokorny@gmail.com>
This commit is contained in:
parent
c09a325bf8
commit
f396d89158
|
@ -437,6 +437,18 @@ contain any entries. In such cases, pip does not create any
|
|||
is encouraged for consumers to rebuild wheels with a newer version of pip in
|
||||
these cases.
|
||||
|
||||
uv developers `raised a concern about requiring at least one hash
|
||||
<https://discuss.python.org/t/25428/34>`__ in the ``provenance_url.json`` file
|
||||
as uv does not calculate distribution hashes unless explicitly required.
|
||||
However, requiring at least one hash aids in integrity checks for
|
||||
distributions. This is important in scenarios involving lock files or when
|
||||
identifying distributions as part of SBOMs. The ``provenance_url.json`` file
|
||||
mandates the inclusion of at least one hash for the downloaded distribution.
|
||||
Installers that do not compute hashes of distributions as part of the
|
||||
installation process (e.g., due to performance reasons) can omit creating the
|
||||
``provenance_url.json`` file. However, the limitations affecting the
|
||||
auditability of Python environments should be taken into account.
|
||||
|
||||
Making the hashes key optional
|
||||
------------------------------
|
||||
|
||||
|
@ -646,10 +658,10 @@ which this idea originated.
|
|||
Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback
|
||||
and support to work on this PEP.
|
||||
|
||||
Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for
|
||||
reviewing this PEP and providing valuable suggestions.
|
||||
Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner
|
||||
for reviewing this PEP and providing valuable suggestions.
|
||||
|
||||
Thanks to Seth Michael Larson for providing valuable suggestions and for
|
||||
Thanks to Seth Michael Larson for support, providing valuable suggestions and for
|
||||
the proposed pip-sbom prototype.
|
||||
|
||||
Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.
|
||||
|
@ -657,6 +669,8 @@ Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.
|
|||
Thanks to Frost Ming for raising possible concern around storing index URL in
|
||||
the ``provenance_url.json`` file.
|
||||
|
||||
Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer.
|
||||
|
||||
Last, but not least, thanks to Donald Stufft for sponsoring this PEP.
|
||||
|
||||
Copyright
|
||||
|
|
Loading…
Reference in New Issue