Provide hash in the link for local packages

[Ivoz]

pip 1.5 and greater would like secure links by default, which by implementation means the link provides a hash of the package in the url. This provides some form of verification of correct file download at least.

You can see some of the api docs at warehouse how this is done.

It would be great for pypiserver's links to provide this for pip; I believe this would mean you no longer have to pass --allow-insecure.

[schmir]

Thanks for your bug report and sorry for the late answer.

pypiserver doesn't have a good way to "remember" those package checksums since it doesn't use a database and doesn't store anything in the filesystem.

Please have a look at devpi. I assume it does provide package checksums.

[ror6ax]

Since check-sums are a upcoming standard for pip, I suggest we use redis as a storage for the hashes. It's fast and light.

[schmir]

I would vote for a sqlite based solution. redis as a dependency makes it much harder to install (especially on windows). @ror6ax: but it's your choice now, you should be able push to pypiserver now.

[ror6ax]

I will test the ability to use redis on windows, last time I was doing it - it was pretty straightforward.

[ankostis]

I may have gotten this wrong, but why is a DB needed for pip's secure-links?
Isn't it enough for pypiserver to check that the requested hash matches the hosted or fail-through package's hash?

[ror6ax]

Well, remaking hash every time it's requested is a bit overhead, right?
I'll finish this in nearest future.

[ankostis]

My feeling is that current CPUs have more than enough juice for such numerical tasks.
Of course this may not apply for embedded ones.

[ankostis]

Note that the hashes contained on the link-fragments served by PyPI are NOT used by pip: https://pip.pypa.io/en/latest/reference/pip_install/#hashes-from-pypi

[Ivoz]

👍 nice work ankostis