Provide hash in the link for local packages #53
Comments
Thanks for your bug report and sorry for the late answer. pypiserver doesn't have a good way to "remember" those package checksums since it doesn't use a database and doesn't store anything in the filesystem. Please have a look at devpi. I assume it does provide package checksums.
Since check-sums are an upcoming standard for pip, I suggest we use redis as a storage for the hashes. It's fast and light.
I would vote for a sqlite-based solution. redis as a dependency makes it much harder to install (especially on Windows). @ror6ax: but it's your choice now, you should be able to push to pypiserver now.
I will test the ability to use redis on Windows, last time I was doing it - it was pretty straightforward.
I may have gotten this wrong, but why is a DB needed for pip's secure-links?
Well, remaking the hash every time it's requested is a bit of overhead, right?
My feeling is that current CPUs have more than enough juice for such numerical tasks.
- TC only for digest-method.
Note that the hashes contained on the link-fragments served by PyPI are NOT used by
👍 nice work ankostis
pip 1.5 and greater would like secure links by default, which by implementation means the link provides a hash of the package in the url. This provides some form of verification of correct file download at least.
You can see in some of the API docs at warehouse how this is done.
It would be great for pypiserver's links to provide this for pip; I believe this would mean you no longer have to pass --allow-insecure.
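An added example, not pypiserver's own code: one way to put a hash in each package link without a database, by hashing the file on demand and caching the digest in memory keyed on the file's path, mtime and size, plus the matching client-side check. The function names, the `/packages/` prefix and the sample file are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import quote, urldefrag

ALLOWED_ALGOS = ("sha256", "sha384", "sha512")  # assumption: digests accepted in fragments
_DIGEST_CACHE = {}  # (path, mtime_ns, size, algo) -> hex digest, lives only in memory


def file_digest(path, algo="sha256", chunk=1 << 16):
    """Hash a package file, re-hashing only when its mtime or size changes."""
    st = os.stat(path)
    key = (os.path.abspath(path), st.st_mtime_ns, st.st_size, algo)
    if key not in _DIGEST_CACHE:
        h = hashlib.new(algo)
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                h.update(block)
        _DIGEST_CACHE[key] = h.hexdigest()
    return _DIGEST_CACHE[key]


def package_link(path, url_prefix="/packages/", algo="sha256"):
    """Build an index href of the form <url>#<algo>=<hexdigest>."""
    name = quote(os.path.basename(path))
    return f"{url_prefix}{name}#{algo}={file_digest(path, algo)}"


def verify_download(link, data):
    """Client side: True only if the bytes match the digest in the link fragment."""
    _, fragment = urldefrag(link)
    algo, sep, expected = fragment.partition("=")
    if not sep or algo not in ALLOWED_ALGOS:
        return False  # no usable hash in the link, so the download is unverified
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected.lower())


def demo():
    """Serve a link for a constructed sample file, then check good and altered bytes."""
    payload = b"constructed package bytes"  # constructed sample content
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example_pkg-1.0.tar.gz")
        with open(path, "wb") as fh:
            fh.write(payload)
        link = package_link(path)
    return link, verify_download(link, payload), verify_download(link, payload + b"!")
```

The cache is lost on restart and rebuilt lazily, so nothing has to be persisted; a fragment hash only detects a corrupted or altered download relative to what the index served.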