Support hash checking against RECORD
#888
Comments
During installation or for an existing venv? install-wheel-rs can do it during installation, but it's turned off by default for perf reasons (sha256 is slow) and because pip also didn't validate last time I checked. For an existing venv, https://github.com/konstin/poc-monotrail/blob/main/crates/monotrail/src/verify_installation.rs implements this.
For us, installation is linking, so it should really happen when unzipping into the cache.
Or we could do it after-the-fact as part of our venv validation...
Related topic (let me know if I should create a separate issue): Currently most python packaging tooling doesn't have any kind of guardrails against the clobbering of files in one whl from another whl. This is basically undefined behavior -- depending on the order the final venv will be different. There are packages in the wild that include things like empty @hauntsaninja proposed that we could do a hash check against the What do you think about this idea? Maybe there is a better way to achieve more strict semantics?
We should validate the hash of each individual file in the wheel against the hash recorded in `RECORD`. (This is distinct from the hash-checking mode described in #131 and #474.)
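A sketch of the per-file check requested above, added here as an illustration; it is not code from uv, install-wheel-rs or monotrail. It assumes the standard `RECORD` layout (`path,algo=urlsafe-base64-digest,size`, with `RECORD` itself and its signature files left unhashed); `verify_wheel`, `build_wheel`, `ALLOWED` and the `demo` wheel are hypothetical names and constructed sample data.

```python
import base64, csv, hashlib, io, zipfile

ALLOWED = {"sha256", "sha384", "sha512"}  # assumption: this example's policy, not the project's

def record_hash(data, algo="sha256"):
    """Encode a digest the way RECORD does: algo=urlsafe-base64 without padding."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def verify_wheel(wheel_bytes):
    """Return a list of problems; an empty list means every file matches RECORD."""
    problems, listed = [], set()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = {n for n in zf.namelist() if not n.endswith("/")}
        record = next((n for n in names if n.endswith(".dist-info/RECORD")), None)
        if record is None:
            return ["wheel has no RECORD"]
        rows = csv.reader(zf.read(record).decode("utf-8").splitlines())
        for row in filter(None, rows):
            path, expected, size = (row + ["", ""])[:3]
            listed.add(path)
            if path == record or path.startswith(record + "."):
                continue  # RECORD and its signature files carry no hash
            if path not in names:
                problems.append(f"{path}: listed in RECORD but missing from archive")
                continue
            algo = expected.partition("=")[0]
            if algo not in ALLOWED:
                problems.append(f"{path}: missing or disallowed hash {expected!r}")
                continue
            data = zf.read(path)
            if record_hash(data, algo) != expected:
                problems.append(f"{path}: hash mismatch")
            elif size and size != str(len(data)):
                problems.append(f"{path}: size mismatch")
        problems += [f"{n}: in archive but not in RECORD" for n in sorted(names - listed)]
    return problems

def build_wheel(files, tamper=None):
    """Constructed sample wheel; `tamper` swaps file bytes after RECORD is computed."""
    record = "demo-1.0.dist-info/RECORD"
    lines = [f"{p},{record_hash(d)},{len(d)}" for p, d in files.items()] + [f"{record},,"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p, d in files.items():
            zf.writestr(p, tamper.get(p, d) if tamper else d)
        zf.writestr(record, "\n".join(lines) + "\n")
    return buf.getvalue()

FILES = {"demo/__init__.py": b"VERSION = '1.0'\n", "demo-1.0.dist-info/METADATA": b"Name: demo\n"}
```

Running the same walk over an unpacked cache entry or a venv's `site-packages` would cover the "after-the-fact" option raised in the comments; files present in the archive but absent from `RECORD` are reported as well, since they would otherwise escape the check entirely.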