PEP 710: elaborate on storing at least one hash
Signed-off-by: Fridolin Pokorny <[email protected]>
fridex committed Aug 2, 2024
1 parent c09a325 commit 6cb768f
Showing 1 changed file with 17 additions and 3 deletions.
20 changes: 17 additions & 3 deletions peps/pep-0710.rst
@@ -437,6 +437,18 @@ contain any entries. In such cases, pip does not create any
is encouraged for consumers to rebuild wheels with a newer version of pip in
these cases.

uv developers raised a concern about requiring at least one hash in the
``provenance_url.json`` file as uv does not calculate distribution hashes
unless explicitly required. However, requiring at least one hash aids in
integrity checks for distributions. This is important in scenarios involving
lock files or when identifying distributions as part of SBOMs. The
``provenance_url.json`` file mandates the inclusion of at least one hash for
the downloaded distribution. Installers that do not compute hashes of
distributions as part of the installation process (e.g., due to performance
reasons) can omit creating the ``provenance_url.json`` file. However, the
limitations affecting the auditability of Python environments should be taken
into account.

Making the hashes key optional
------------------------------

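Review bot: the sentence "requiring at least one hash aids in integrity checks for distributions" in the added paragraph overstates what a hash recorded in ``provenance_url.json`` can do, since it is written by the same installer that downloaded the artifact and is therefore a record for later comparison, not a verification against a trusted source; suggest wording it as "allows later integrity checks" and stating what the check compares against, e.g. "so that the installed distribution can be matched against the hash recorded in a lock file or an index record". Two smaller points in the same hunk: "This is important in scenarios involving lock files or when identifying distributions as part of SBOMs" would read more concretely as "when matching installed distributions against lock file entries or when identifying them in SBOMs", and the closing sentence "the limitations affecting the auditability of Python environments should be taken into account" leaves it unclear who is expected to take them into account; recommend saying explicitly that an installer which omits the file should document that omission so consumers know the environment lacks provenance records. Finally, the paragraph repeats the rule that the file "mandates the inclusion of at least one hash" immediately before the "Making the hashes key optional" section that discusses the same question; a short cross-reference to that section would avoid restating it here.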
@@ -646,17 +658,19 @@ which this idea originated.
Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback
and support to work on this PEP.

Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for
reviewing this PEP and providing valuable suggestions.
Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner
for reviewing this PEP and providing valuable suggestions.

Thanks to Seth Michael Larson for providing valuable suggestions and for
Thanks to Seth Michael Larson for support, providing valuable suggestions and for
the proposed pip-sbom prototype.

Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.

Thanks to Frost Ming for raising possible concern around storing index URL in
the ``provenance_url.json`` file.

Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer.

Last, but not least, thanks to Donald Stufft for sponsoring this PEP.

Copyright
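Review bot: the rewritten line "Thanks to Seth Michael Larson for support, providing valuable suggestions and for the proposed pip-sbom prototype" has uneven parallelism (the first two items lack the "for" that the third carries); suggest "Thanks to Seth Michael Larson for support, for providing valuable suggestions, and for the proposed pip-sbom prototype." The added reviewer line "Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner" reads fine as is.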
