explain why we don't validate hexdigests now

pypa · May 12, 2022 · 69e28eb · 69e28eb
1 parent bd94548
commit 69e28eb
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/pip/_internal/models/link.py b/src/pip/_internal/models/link.py
@@ -47,6 +47,11 @@ class LinkHash:
     value: str
 
     _hash_re = re.compile(
+        # NB: we do not validate that the second group (.*) is a valid hex
+        # digest. Instead, we simply keep that string in this class, and then check it
+        # against Hashes when hash-checking is needed. This is easier to debug than
+        # proactively discarding an invalid hex digest, as we handle incorrect hashes
+        # and malformed hashes in the same place.
         r"({choices})=(.*)".format(
             choices="|".join(re.escape(hash_name) for hash_name in _SUPPORTED_HASHES)
         ),