Commit f396d89

PEP 710: elaborate on storing at least one hash
Signed-off-by: Fridolin Pokorny <[email protected]>
1 parent c09a325 commit f396d89

1 file changed

+17
-3
lines changed

peps/pep-0710.rst

@@ -437,6 +437,18 @@ contain any entries. In such cases, pip does not create any
437437
is encouraged for consumers to rebuild wheels with a newer version of pip in
438438
these cases.
439439

440+
uv developers `raised a concern about requiring at least one hash
441+
<https://discuss.python.org/t/25428/34>`__ in the ``provenance_url.json`` file
442+
as uv does not calculate distribution hashes unless explicitly required.
443+
However, requiring at least one hash aids in integrity checks for
444+
distributions. This is important in scenarios involving lock files or when
445+
identifying distributions as part of SBOMs. The ``provenance_url.json`` file
446+
mandates the inclusion of at least one hash for the downloaded distribution.
447+
Installers that do not compute hashes of distributions as part of the
448+
installation process (e.g., due to performance reasons) can omit creating the
449+
``provenance_url.json`` file. However, the limitations affecting the
450+
auditability of Python environments should be taken into account.
451+
440452
Making the hashes key optional
441453
------------------------------
442454

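Review bot: the sentence "Installers that do not compute hashes of distributions as part of the installation process (e.g., due to performance reasons) can omit creating the ``provenance_url.json`` file" reads as a normative allowance, yet it sits in a discussion paragraph directly above the "Making the hashes key optional" heading rather than in the specification; either confirm the specification section grants the same permission and phrase this as a description of it ("the specification allows such installers to omit ..."), or move the allowance there. The closing sentence "the limitations affecting the auditability of Python environments should be taken into account" leaves the consequence implicit; state it, e.g. "distributions installed this way cannot be audited via ``provenance_url.json``". Also, "The ``provenance_url.json`` file mandates the inclusion of at least one hash for the downloaded distribution" restates the point of the preceding "However, requiring at least one hash aids in integrity checks ..." sentence; consider folding the two together.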
@@ -646,17 +658,19 @@ which this idea originated.
646658
Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback
647659
and support to work on this PEP.
648660

649-
Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for
650-
reviewing this PEP and providing valuable suggestions.
661+
Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner
662+
for reviewing this PEP and providing valuable suggestions.
651663

652-
Thanks to Seth Michael Larson for providing valuable suggestions and for
664+
Thanks to Seth Michael Larson for support, providing valuable suggestions and for
653665
the proposed pip-sbom prototype.
654666

655667
Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.
656668

657669
Thanks to Frost Ming for raising possible concern around storing index URL in
658670
the ``provenance_url.json`` file.
659671

672+
Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer.
673+
660674
Last, but not least, thanks to Donald Stufft for sponsoring this PEP.
661675

662676
Copyright
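Review bot: the rewritten acknowledgement "Thanks to Seth Michael Larson for support, providing valuable suggestions and for the proposed pip-sbom prototype" is not parallel; suggest "for support, for providing valuable suggestions, and for the proposed pip-sbom prototype". In the added line for Charlie Marsh and Zanie Blue, "inputs related to the uv installer" reads better as "input related to the uv installer".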