PEP 710: elaborate on storing at least one hash
Signed-off-by: Fridolin Pokorny <[email protected]>
fridex committed Aug 1, 2024
1 parent c09a325 commit b6b8dcb
Showing 1 changed file with 16 additions and 3 deletions.
19 changes: 16 additions & 3 deletions peps/pep-0710.rst
Expand Up @@ -437,6 +437,17 @@ contain any entries. In such cases, pip does not create any
is encouraged for consumers to rebuild wheels with a newer version of pip in
these cases.

uv developers raised a concern about requiring at least one hash in the
``provenance_url.json`` file since uv does not calculate distribution hashes
unless explicitly required. However, as requiring at least one hash aids in
integrity checks for distributions in scenarios involving lock files or when
identifying distributions as part of SBOMs, the ``provenance_url.json`` file
mandates the inclusion of at least one hash for the downloaded distribution.
Installers that do not compute hashes of distributions as part of the
installation process (e.g., due to performance reasons) can omit creating the
``provenance_url.json`` file, keeping the mentioned limitations for the
auditability of Python environments in mind.

Making the hashes key optional
------------------------------

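Review bot: the new paragraph is placed directly above the "Making the hashes key optional" heading, so it reads as an untitled entry in the rejected-ideas section rather than as part of the preceding discussion. Consider giving it its own heading (for example "Requiring at least one hash") or folding it into the "Making the hashes key optional" section, which covers the same decision. The closing clause "keeping the mentioned limitations for the auditability of Python environments in mind" is also vague about which limitations are meant; naming them (an environment without ``provenance_url.json`` cannot be traced back to its source distribution or verified against a lock file) or cross-referencing the section that states them would make the trade-off explicit for installer authors who choose to omit the file.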
Expand Down Expand Up @@ -646,17 +657,19 @@ which this idea originated.
Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback
and support to work on this PEP.

Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for
reviewing this PEP and providing valuable suggestions.
Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner
for reviewing this PEP and providing valuable suggestions.

Thanks to Seth Michael Larson for providing valuable suggestions and for
Thanks to Seth Michael Larson for support, providing valuable suggestions and for
the proposed pip-sbom prototype.

Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.

Thanks to Frost Ming for raising possible concern around storing index URL in
the ``provenance_url.json`` file.

Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer.

Last, but not least, thanks to Donald Stufft for sponsoring this PEP.

Copyright
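Review bot: the reworded acknowledgement "Thanks to Seth Michael Larson for support, providing valuable suggestions and for the proposed pip-sbom prototype." loses parallelism in the list; "for support, for providing valuable suggestions, and for the proposed pip-sbom prototype" keeps the three items consistent. The remaining changes in this hunk (adding Adam Turner to the reviewers and the new line thanking Charlie Marsh and Zanie Blue) are acknowledgements only and need no further review.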
0 comments on commit b6b8dcb