@@ -437,6 +437,17 @@ contain any entries. In such cases, pip does not create any
437437is encouraged for consumers to rebuild wheels with a newer version of pip in
438438these cases.
439439
440+ uv developers raised a concern about requiring at least one hash in the
441+ ``provenance_url.json `` file since uv does not calculate distribution hashes
442+ unless explicitly required. However, as requiring at least one hash aids in
443+ integrity checks for distributions in scenarios involving lock files or when
444+ identifying distributions as part of SBOMs, the ``provenance_url.json `` file
445+ mandates the inclusion of at least one hash for the downloaded distribution.
446+ Installers that do not compute hashes of distributions as part of the
447+ installation process (e.g., due to performance reasons) can omit creating the
448+ ``provenance_url.json `` file, keeping the mentioned limitations for the
449+ auditability of Python environments in mind.
450+
440451Making the hashes key optional
441452------------------------------
442453
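Review bot: the new paragraph at 440-449 argues for keeping at least one hash mandatory, which is the same trade-off the "Making the hashes key optional" section immediately below addresses; consider moving it under that heading (or adding a cross-reference) so the rationale for the hash requirement is not split across two places. The final sentence should also state the consequence plainly: an installer that does not compute hashes must omit the whole ``provenance_url.json`` file rather than write one without a hash, since the preceding sentence makes the hash mandatory and consumers should not have to handle a hash-less file as a third case.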
@@ -646,17 +657,19 @@ which this idea originated.
646657Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback
647658and support to work on this PEP.
648659
649- Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for
650- reviewing this PEP and providing valuable suggestions.
660+ Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner
661+ for reviewing this PEP and providing valuable suggestions.
651662
652- Thanks to Seth Michael Larson for providing valuable suggestions and for
663+ Thanks to Seth Michael Larson for support, providing valuable suggestions and for
653664the proposed pip-sbom prototype.
654665
655666Thanks to Stéphane Bidoul and Chris Jerdonek for :pep: `610 `.
656667
657668Thanks to Frost Ming for raising possible concern around storing index URL in
658669the ``provenance_url.json `` file.
659670
671+ Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer.
672+
660673Last, but not least, thanks to Donald Stufft for sponsoring this PEP.
661674
662675Copyright
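Review bot: the edited acknowledgement at 663 loses parallel structure ("for support, providing valuable suggestions and for the proposed pip-sbom prototype"); suggest "Thanks to Seth Michael Larson for his support, for providing valuable suggestions, and for the proposed pip-sbom prototype." At 671, "inputs" is better as the uncountable "input" ("for input related to the uv installer"), matching the wording of the other acknowledgements.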