Commit 0acda96

fridex and sethmlarson authored
PEP 710: Require at least one hash to be stated (#3879)
Signed-off-by: Fridolin Pokorny <[email protected]> Co-authored-by: Seth Michael Larson <[email protected]>
1 parent 07fc184 commit 0acda96

1 file changed: +28 -5 lines changed

peps/pep-0710.rst

Lines changed: 28 additions & 5 deletions
@@ -146,11 +146,11 @@ used to download the given distribution package, such as
146146
compliant with :pep:`503`.
147147

148148
The value of ``archive_info`` MUST be a dictionary with a single key
149-
``hashes``. The value of ``hashes`` is a dictionary mapping hash function names to a
150-
hex-encoded digest of the file referenced by the ``url`` value. Multiple hashes
151-
can be included, and it is up to the consumer to decide what to do with
152-
multiple hashes (it may validate all of them or a subset of them, or nothing at
153-
all).
149+
``hashes``. The value of ``hashes`` is a dictionary mapping hash function
150+
names to a hex-encoded digest of the file referenced by the ``url`` value. At
151+
least one hash MUST be recorded. Multiple hashes MAY be included, and it is up
152+
to the consumer to decide what to do with multiple hashes (it may validate all
153+
of them or a subset of them, or nothing at all).
154154

155155
Each hash MUST be one of the single argument hashes provided by
156156
:data:`py3.11:hashlib.algorithms_guaranteed`, excluding ``sha1`` and ``md5`` which MUST NOT be used.
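Review bot: the new normative sentence at 150+/151+ ("At least one hash MUST be recorded") only constrains the producer of the file; nothing in the hunk says what a consumer should do with a ``provenance_url.json`` whose ``hashes`` dictionary is empty, even though the next sentence still tells consumers they may validate "nothing at all". Suggest adding one sentence after it, for example "A ``provenance_url.json`` file with an empty ``hashes`` dictionary does not conform to this PEP", so that consumers have an explicit rule to apply rather than having to infer it.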
@@ -341,6 +341,17 @@ in the Python docs under :attr:`py3.11:hashlib.hash.name`.
341341
"url": "https://files.pythonhosted.org/packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl"
342342
}
343343
344+
The last example demonstrates a ``provenance_url.json`` file with no hashes
345+
available for the downloaded artifact:
346+
347+
.. code-block:: json
348+
349+
{
350+
"archive_info": {
351+
"hashes": {}
352+
}
353+
"url": "https://files.pythonhosted.org/packages/07/51/2c0959c5adf988c44d9e1e0d940f5b074516ecc87e96b1af25f59de9ba38/pip-23.0.1-py3-none-any.whl"
354+
}
344355
345356
Example pip commands and their effect on provenance_url.json and direct_url.json
346357
--------------------------------------------------------------------------------
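Review bot: the JSON in the added example (349+ to 354+) is missing a comma after the ``}`` that closes ``archive_info`` at 352+, so the block is not valid JSON and will fail to parse as shown; it should read ``},`` before the ``"url"`` key. The example also shows ``"hashes": {}``, which the first hunk of this same commit now forbids ("At least one hash MUST be recorded"), so either drop the example or rewrite the lead-in at 344+/345+ to state explicitly that this is a non-conforming file that an installer must not produce.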
@@ -424,6 +435,18 @@ By doing so we eliminate possible redundancy in the file, possible confusion,
424435
and any additional checks that would need to be done to make sure the hashes are in
425436
sync.
426437

438+
Allowing no hashes stated
439+
-------------------------
440+
441+
For cases when a wheel file is installed from pip's cache and built using an
442+
older version of pip, pip does not record hashes of the downloaded source
443+
distributions. As we do not have hashes of these downloaded source
444+
distributions, the ``hashes`` key in the ``provenance_url.json`` file would not
445+
contain any entries. In such cases, pip does not create any
446+
``provenance_url.json`` file as the provenance information is not complete. It
447+
is encouraged for consumers to rebuild wheels with a newer version of pip in
448+
these cases.
449+
427450
Making the hashes key optional
428451
------------------------------
429452
