PEP 710: elaborate on storing at least one hash #3884

Open. Wants to merge 1 commit into base: main.
20 changes: 17 additions & 3 deletions peps/pep-0710.rst
@@ -437,6 +437,18 @@ contain any entries. In such cases, pip does not create any
is encouraged for consumers to rebuild wheels with a newer version of pip in
these cases.

uv developers `raised a concern about requiring at least one hash
<https://discuss.python.org/t/25428/34>`__ in the ``provenance_url.json`` file
as uv does not calculate distribution hashes unless explicitly required.
However, requiring at least one hash aids in integrity checks for
distributions. This is important in scenarios involving lock files or when
identifying distributions as part of SBOMs. The ``provenance_url.json`` file
mandates the inclusion of at least one hash for the downloaded distribution.
Installers that do not compute hashes of distributions as part of the
installation process (e.g., due to performance reasons) can omit creating the
``provenance_url.json`` file. However, the limitations affecting the
auditability of Python environments should be taken into account.
Comment on lines +449 to +450 (Member):

I think either remove this sentence or expand upon it (what limitations?). If you do keep it, note that the sentence on Line 443 also starts with "However,", so this one could be rephrased.


Making the hashes key optional
------------------------------

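Review bot: the closing sentence of the added paragraph ("However, the limitations affecting the auditability of Python environments should be taken into account") names no limitation, and it is the second consecutive sentence opening with "However,". The paragraph already states the concrete cost a few lines earlier: without a ``provenance_url.json`` the environment carries no hash to check against a lock file and no distribution identifier usable in an SBOM. Suggest saying that directly, e.g. "Omitting the file means the installed distribution cannot be matched against lock file hashes or identified in an SBOM, which limits the auditability of the environment." The parenthetical "(e.g., due to performance reasons)" is also asserted without support; since the installer has the downloaded distribution in hand when it writes the file, it is worth stating what cost is being avoided, or dropping the parenthetical.
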
@@ -646,17 +658,19 @@ which this idea originated.
Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback
and support to work on this PEP.

Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for
reviewing this PEP and providing valuable suggestions.
Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner
for reviewing this PEP and providing valuable suggestions.
Comment on lines +661 to +662 (Member):

Too kind!


Thanks to Seth Michael Larson for providing valuable suggestions and for
Thanks to Seth Michael Larson for support, providing valuable suggestions and for
the proposed pip-sbom prototype.

Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.

Thanks to Frost Ming for raising possible concern around storing index URL in
the ``provenance_url.json`` file.

Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer.

Last, but not least, thanks to Donald Stufft for sponsoring this PEP.

Copyright
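
Review bot: the reworded acknowledgement "Thanks to Seth Michael Larson for support, providing valuable suggestions and for the proposed pip-sbom prototype." is not parallel: "for support" and "for the proposed pip-sbom prototype" both take "for", but "providing valuable suggestions" does not. Suggest "Thanks to Seth Michael Larson for support, for providing valuable suggestions, and for the proposed pip-sbom prototype." The other acknowledgement changes in this hunk (adding Adam Turner to the reviewers, and Charlie Marsh and Zanie Blue for the uv-related input) read fine.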