From 6cb768f6ecf3cd38c84726448813301f012a721e Mon Sep 17 00:00:00 2001 From: Fridolin Pokorny Date: Thu, 1 Aug 2024 08:11:21 +0200 Subject: [PATCH] PEP 710: elaborate on storing at least one hash Signed-off-by: Fridolin Pokorny --- peps/pep-0710.rst | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/peps/pep-0710.rst b/peps/pep-0710.rst index 5ed3ed41f2eb..d1f0d32051b3 100644 --- a/peps/pep-0710.rst +++ b/peps/pep-0710.rst @@ -437,6 +437,18 @@ contain any entries. In such cases, pip does not create any is encouraged for consumers to rebuild wheels with a newer version of pip in these cases. +uv developers raised a concern about requiring at least one hash in the +``provenance_url.json`` file as uv does not calculate distribution hashes +unless explicitly required. However, requiring at least one hash aids in +integrity checks for distributions. This is important in scenarios involving +lock files or when identifying distributions as part of SBOMs. The +``provenance_url.json`` file mandates the inclusion of at least one hash for +the downloaded distribution. Installers that do not compute hashes of +distributions as part of the installation process (e.g., due to performance +reasons) can omit creating the ``provenance_url.json`` file. However, the +limitations affecting the auditability of Python environments should be taken +into account. + Making the hashes key optional ------------------------------ 
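Review bot: the closing sentence of the new paragraph ("However, the limitations affecting the auditability of Python environments should be taken into account") is vague about who bears the limitation and what it is; since the preceding sentence allows installers to omit ``provenance_url.json`` entirely, spell out the consequence for consumers, for example "Environments installed this way cannot be audited via ``provenance_url.json``, so consumers relying on it for lock files or SBOMs should be aware of the gap." It would also help to say once, near "mandates the inclusion of at least one hash", that the hash recorded is the one of the distribution the installer actually downloaded, which is the property that makes the file useful for integrity checks; the following "Making the hashes key optional" section can then be referenced as the rejected alternative.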
@@ -646,10 +658,10 @@ which this idea originated. Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback and support to work on this PEP. -Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for -reviewing this PEP and providing valuable suggestions. +Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner +for reviewing this PEP and providing valuable suggestions. -Thanks to Seth Michael Larson for providing valuable suggestions and for +Thanks to Seth Michael Larson for support, providing valuable suggestions and for the proposed pip-sbom prototype. Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`. @@ -657,6 +669,8 @@ Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`. Thanks to Frost Ming for raising possible concern around storing index URL in the ``provenance_url.json`` file. +Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer. + Last, but not least, thanks to Donald Stufft for sponsoring this PEP. Copyright
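Review bot: in the acknowledgements hunk the rewritten sentence "Thanks to Seth Michael Larson for support, providing valuable suggestions and for the proposed pip-sbom prototype." loses its parallel structure; suggest "Thanks to Seth Michael Larson for support, for providing valuable suggestions, and for the proposed pip-sbom prototype." so each item is introduced by "for".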
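Review bot: in the final hunk, "for inputs related to the uv installer" reads awkwardly; "for their input on the uv installer" is the idiomatic form. Since the new rationale paragraph earlier in this patch refers to a concern raised by "uv developers", consider phrasing this line so it clearly ties Charlie Marsh and Zanie Blue to that discussion, e.g. "for raising and discussing the uv installer's handling of distribution hashes", so a reader of the rationale can find who raised the point.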