Turn --verify-hashes on by default #9164

Closed
hauntsaninja opened this issue Nov 16, 2024 · 4 comments · Fixed by #9170
@hauntsaninja
Contributor

This would technically be a breaking change, so might need to wait for uv 0.6 (although "I have a hash but I expect it to not be checked" seems pretty niche). It's surprising to me that hashes are ignored by default, and it's bad to have security-related surprises.

λ cat r.txt
pypyp==1.2.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000

λ uv pip install -r r.txt
Using Python 3.11.8 environment at /Users/shantanu/code/venvs/openai-fppa
Resolved 1 package in 26ms
Installed 1 package in 14ms
 + pypyp==1.2.0

λ uv pip uninstall pypyp 
Using Python 3.11.8 environment at /Users/shantanu/code/venvs/openai-fppa
Uninstalled 1 package in 62ms
 - pypyp==1.2.0

λ uv pip install -r r.txt --verify-hashes 
Using Python 3.11.8 environment at /Users/shantanu/code/venvs/openai-fppa
Resolved 1 package in 18ms
error: Failed to prepare distributions
  Caused by: Failed to download `pypyp==1.2.0`
  Caused by: Hash mismatch for `pypyp==1.2.0`

Expected:
  sha256:0000000000000000000000000000000000000000000000000000000000000000

Computed:
  sha256:45e2a0fbe5b7b5bb0be7e95bcb5b23d43ddae8c561410c9c336e6773005c70b1

See also #3305

@hauntsaninja
Contributor Author

Note pip compatibility isn't really an argument here, since in the above example pip will automatically infer --require-hashes:

λ pip install -r r.txt                 
Collecting pypyp==1.2.0 (from -r r.txt (line 1))
  Using cached pypyp-1.2.0-py3-none-any.whl (15 kB)
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pypyp==1.2.0 from https://files.pythonhosted.org/packages/e0/6c/6a9eac381dd1f0d2e878ad6213fca24cfe5b3846db46b26d620301ac7624/pypyp-1.2.0-py3-none-any.whl (from -r r.txt (line 1)):
        Expected sha256 0000000000000000000000000000000000000000000000000000000000000000
             Got        45e2a0fbe5b7b5bb0be7e95bcb5b23d43ddae8c561410c9c336e6773005c70b1
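The check both tools perform above, written out as an added example (not code from uv or pip): parse the `--hash=` options from a requirements file, hash the artifact bytes, and fail on mismatch, also applying pip's rule that one hash in the file turns hash checking on for every requirement. The requirement text and artifact bytes are constructed stand-ins, not the real pypyp wheel.

```python
import hashlib
import re
import shlex

# Constructed inputs (not the real pypyp wheel): the requirement line mirrors r.txt from
# the issue, including its deliberately wrong all-zero digest, so verification must fail.
ARTIFACT_BYTES = {"pypyp": b"constructed wheel payload standing in for pypyp-1.2.0"}
BAD_REQUIREMENTS = "pypyp==1.2.0 \\\n    --hash=sha256:" + "0" * 64 + "\n"
GOOD_REQUIREMENTS = "pypyp==1.2.0 --hash=sha256:" + hashlib.sha256(ARTIFACT_BYTES["pypyp"]).hexdigest() + "\n"


def parse_requirements(text):
    """Return [{'name', 'spec', 'hashes': {algo: {digest, ...}}}], joining backslash
    continuations, dropping comments, and collecting every --hash option on a line."""
    reqs = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        # Project name is everything before a specifier/extras/marker, normalised per PEP 503.
        name = re.split(r"[=<>!~;\[@]", tokens[0], maxsplit=1)[0]
        req = {"name": re.sub(r"[-_.]+", "-", name).lower(), "spec": tokens[0], "hashes": {}}
        for tok in tokens[1:]:
            if tok.startswith("--hash="):
                algo, digest = tok[len("--hash="):].split(":", 1)
                req["hashes"].setdefault(algo.lower(), set()).add(digest.lower())
        reqs.append(req)
    return reqs


def verify(reqs, artifacts):
    """Return (ok, messages). Like pip, one --hash anywhere in the file requires every
    requirement to carry a hash; any mismatch or unverifiable entry is a failure."""
    require_hashes = any(r["hashes"] for r in reqs)
    msgs = []
    for r in reqs:
        if not r["hashes"]:
            if require_hashes:
                msgs.append(f"{r['spec']}: no --hash, but other requirements are hash-pinned")
            continue
        data = artifacts.get(r["name"])
        if data is None:
            msgs.append(f"{r['spec']}: no artifact available to hash")
            continue
        for algo, expected in r["hashes"].items():
            computed = hashlib.new(algo, data).hexdigest()
            if computed not in expected:
                msgs.append(f"Hash mismatch for `{r['spec']}`: expected {sorted(expected)}, computed {algo}:{computed}")
    return not msgs, msgs
```

Any uncaught failure here should abort the install, which is the behaviour the issue asks uv to adopt by default.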

@charliermarsh
Member

Yeah I think --verify-hashes should pretty clearly be the default.

@charliermarsh
Member

I think it's fine for this to go out in a patch release, personally.

@charliermarsh
Member

(PR welcome or I'll get to it in the near future ofc.)

hauntsaninja added a commit to hauntsaninja/uv that referenced this issue Nov 17, 2024
charliermarsh added a commit that referenced this issue Nov 18, 2024
Fixes #9164

Using clap's `default_value_t` makes the `flag` function unhappy, so
just set the default when we unwrap. Tested with no flags,
`--verify-hashes`, `--no-verify-hashes` and setting in uv.toml

---------

Co-authored-by: Charlie Marsh <[email protected]>