Implied "--require-hashes"? #3305

Closed
helderco opened this issue Apr 29, 2024 · 6 comments · Fixed by #4007
Labels: compatibility (Compatibility with a specification or another tool)
@helderco (Author) commented Apr 29, 2024
It's great to have the new --require-hashes option, but can it be implied if installing from a requirements file with hashes?

It's what pip does:

--require-hashes Require a hash to check each requirement against, for repeatable installs. This option is implied when any package in a requirements file has a --hash option.

The reason I need this is because I need to make a container image that installs dependencies from a requirements file, but I don't know if that file will have hashes or not.

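Added example (not code from uv, pip, or the issue author) for the container-image case described in the post above: a small Python helper that inspects the requirements file before the build runs and passes `--require-hashes` explicitly when every requirement carries a `--hash`, rather than relying on an implied mode. It assumes the `uv pip install --require-hashes` spelling used in this thread and pip's rule that in hash-checking mode every requirement must carry a hash, so a partially hashed file is refused up front instead of either failing inside the installer or having its hashes silently ignored. The requirements text and digests are constructed placeholders.

```python
"""Decide whether a requirements file is hash-pinned and build the install
command accordingly.  Added example; not code from uv or pip.  Assumptions:
the `--require-hashes` flag spelling used in the issue thread, and pip's rule
that in hash-checking mode every requirement must have a hash."""
from __future__ import annotations

import re
import shlex
from typing import NamedTuple

# Algorithms pip accepts for --hash, with the hex digest length of each, so a
# truncated or mistyped digest is rejected before it ever reaches the installer.
HASH_DIGEST_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}
HASH_RE = re.compile(r"^(?P<alg>[a-z0-9]+):(?P<hex>[0-9a-fA-F]+)$")


class Requirement(NamedTuple):
    spec: str                # e.g. "requests==2.31.0"
    hashes: tuple[str, ...]  # e.g. ("sha256:...",); empty when unpinned


def logical_lines(text: str):
    """Yield requirement lines with backslash continuations joined and blank
    lines / comments dropped (the layout `pip-compile --generate-hashes` emits)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        # drop a trailing comment ("pkg==1.0  # via foo"); only whitespace+'#'
        # counts, so URL fragments such as "#egg=" survive
        line = re.split(r"\s+#", line, maxsplit=1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():  # file ended on a continuation line
        yield buf.strip()


def check_hash(value: str) -> str:
    """Validate one --hash value and return it normalised to lower-case hex."""
    m = HASH_RE.match(value)
    if not m:
        raise ValueError(f"malformed --hash value: {value!r}")
    alg, hexdigest = m.group("alg"), m.group("hex")
    if alg not in HASH_DIGEST_LEN:
        raise ValueError(f"unsupported hash algorithm {alg!r}; expected one of {sorted(HASH_DIGEST_LEN)}")
    if len(hexdigest) != HASH_DIGEST_LEN[alg]:
        raise ValueError(f"{alg} digest has {len(hexdigest)} hex chars, expected {HASH_DIGEST_LEN[alg]}")
    return f"{alg}:{hexdigest.lower()}"


def parse_requirements(text: str) -> list[Requirement]:
    reqs: list[Requirement] = []
    for line in logical_lines(text):
        tokens = shlex.split(line)
        if not tokens or tokens[0].startswith("-"):
            # option-only lines (-r other.txt, -c, --index-url ...) are not
            # requirements and carry no hashes of their own
            continue
        spec_parts, hashes = [], []
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("--hash="):
                hashes.append(check_hash(tok[len("--hash="):]))
            elif tok == "--hash" and i + 1 < len(tokens):
                i += 1
                hashes.append(check_hash(tokens[i]))
            else:
                spec_parts.append(tok)
            i += 1
        reqs.append(Requirement(" ".join(spec_parts), tuple(hashes)))
    return reqs


def hash_coverage(reqs: list[Requirement]) -> str:
    """'all' if every requirement is hashed, 'none' if none is, else 'mixed'."""
    hashed = sum(1 for r in reqs if r.hashes)
    if not reqs or hashed == 0:
        return "none"
    return "all" if hashed == len(reqs) else "mixed"


def install_argv(reqs: list[Requirement], path: str, tool=("uv", "pip")) -> list[str]:
    """Build the install command, adding --require-hashes explicitly whenever
    the file is fully hashed.  A partially hashed file is refused: with the flag
    the installer rejects it, without the flag its hashes would go unchecked."""
    coverage = hash_coverage(reqs)
    if coverage == "mixed":
        missing = [r.spec for r in reqs if not r.hashes]
        raise ValueError(f"requirements without hashes: {missing}")
    argv = [*tool, "install"]
    if coverage == "all":
        argv.append("--require-hashes")
    argv += ["-r", path]
    return argv


# Constructed sample input; the digests are placeholders, not real artefact hashes.
HASHED_REQUIREMENTS = f"""\
# generated by pip-compile --generate-hashes (constructed sample)
certifi==2024.2.2 \\
    --hash=sha256:{'ab' * 32} \\
    --hash=sha256:{'cd' * 32}
requests==2.31.0 \\
    --hash=sha256:{'ef' * 32}   # via example
"""
MIXED_REQUIREMENTS = HASHED_REQUIREMENTS + "urllib3==2.2.1\n"

if __name__ == "__main__":
    reqs = parse_requirements(HASHED_REQUIREMENTS)
    print(hash_coverage(reqs), install_argv(reqs, "requirements.txt"))
```

In a Dockerfile this runs as a build step ahead of the install, so the decision to enforce hashes is visible in the build log rather than hidden in an implied default; the `tool` argument defaults to `uv pip` and can be switched to plain `pip` with the same flag.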
zanieb added the compatibility label Apr 29, 2024

@zanieb (Member) commented Apr 29, 2024

Seems reasonable!

@charliermarsh (Member)

Somewhat interested in finding other designs here, I’m generally not a fan of implied settings.

@helderco (Author)

pip install checks hashes by default if a requirements file contains hashes. You could disable it with --no-require-hashes.

Or introduce an explicit --verify-hashes that checks them if they exist, but otherwise doesn't "require" them.

@helderco (Author) commented May 29, 2024

Hey! 👋 Any update on this? In Dagger, hashes are only checked if uv is disabled explicitly. 😅

@charliermarsh (Member)

I added it in #4007.

@hauntsaninja (Contributor) commented Jun 25, 2024

I think it's important for the defaults to be secure. Maybe uv could have the proposed --verify-hashes behaviour on by default? ("I have a hash but I expect it to not be checked" seems pretty niche)

4 participants