Skip to content

feat: validate hashes from direct urls and enable hashstrategy from uv #3868

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 20 commits into
base: main
Choose a base branch
from
Open

feat: validate hashes from direct urls and enable hashstrategy from uv #3868

wants to merge 20 commits into from

Conversation

zelosleone
Copy link
Contributor

this is definitely a draft for now. it still needs some more work and more testing

@zelosleone zelosleone marked this pull request as ready for review June 5, 2025 14:46
@zelosleone
Copy link
Contributor Author

Also now that we are getting the hashes from url with correct parsing and segments, we dont need this PR anymore #3696 that's also why i removed the code of url normalization of that pr

baszalmstra
baszalmstra requested changes Jun 10, 2025
View reviewed changes
Copy link
Contributor

@baszalmstra baszalmstra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work!

I think we should immediately make this configurable. We also have a "fast" verification path for rattler which we could also enable/disable.

For direct urls it looks like this will download the packages twice? Once to verify and once to install. Even if the package is cached?

@zelosleone
Copy link
Contributor Author

Nice work!

I think we should immediately make this configurable. We also have a "fast" verification path for rattler which we could also enable/disable.

For direct urls it looks like this will download the packages twice? Once to verify and once to install. Even if the package is cached?

That's one of the problems with current uv's verification actually, say we have it in cache, and we put the wrong hash, it still allows the wrong hash to pass as if its the correct hash. (even though it installs from the cache) I don't think that's good in general but i am open to your suggestion definitely, i simply thought this could be misused or/and misguide users as if some kind of magic is done behind the scenes, so instead it doesn't trust UV and verifies the package by not depending on the cache.

@zelosleone zelosleone requested a review from baszalmstra June 16, 2025 10:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@baszalmstra baszalmstra Awaiting requested review from baszalmstra

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@zelosleone @baszalmstra @ruben-arts