Skip to content

Commit 1b7f62d

Browse files
fridexfridex
committed
PEP 710: elaborate on storing at least one hash
Signed-off-by: Fridolin Pokorny <fridolin.pokorny@gmail.com>
1 parent 83ccbaa commit 1b7f62d

File tree

1 file changed

+16
-3
lines changed

1 file changed

+16
-3
lines changed

peps/pep-0710.rst

Lines changed: 16 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -446,6 +446,17 @@ contain any entries. In such cases, pip does not create any
446446
is encouraged for consumers to rebuild wheels with a newer version of pip in
447447
these cases.
448448

449+
uv developers `raised a concern about requiring at least one hash
450+
<https://discuss.python.org/t/25428/34>`__ in the ``provenance_url.json`` file
451+
as uv does not calculate distribution hashes unless explicitly required.
452+
However, requiring at least one hash aids in integrity checks for
453+
distributions. This is important in scenarios involving lock files or when
454+
identifying distributions as part of SBOMs. The ``provenance_url.json`` file
455+
mandates the inclusion of at least one hash for the downloaded distribution.
456+
Installers that do not compute hashes of distributions as part of the
457+
installation process (e.g., due to performance reasons) can omit creating the
458+
``provenance_url.json`` file.
459+
449460
Making the hashes key optional
450461
------------------------------
451462

@@ -670,10 +681,10 @@ which this idea originated.
670681
Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback
671682
and support to work on this PEP.
672683

673-
Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for
674-
reviewing this PEP and providing valuable suggestions.
684+
Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner
685+
for reviewing this PEP and providing valuable suggestions.
675686

676-
Thanks to Seth Michael Larson for providing valuable suggestions and for
687+
Thanks to Seth Michael Larson for support, providing valuable suggestions and for
677688
the proposed pip-sbom prototype.
678689

679690
Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`, and related
@@ -684,6 +695,8 @@ Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`, and related
684695
Thanks to Frost Ming for raising possible concern around storing index URL in
685696
the ``provenance_url.json`` file and initial PEP 710 support in PDM.
686697

698+
Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer.
699+
687700
Last, but not least, thanks to Donald Stufft for sponsoring this PEP.
688701

689702
Copyright

0 commit comments

Comments
 (0)