Clarify which dependencies the hash-checking mode applies to #11974

Open
manueljacob opened this issue Apr 17, 2023 · 2 comments
Labels: state: awaiting PR (Feature discussed, PR is needed); type: docs (Documentation related); type: feature request (Request for a new feature)

Comments

manueljacob commented Apr 17, 2023

Problem

The hash-checking mode documentation says that “Hashes are required for all dependencies”. However, in fact hashes are not required for build-time dependencies.

Possible solutions

I can see two possible solutions:

  • Extend hash-checking mode to actually apply to “all dependencies”.
  • Change the documentation to clarify that build-time dependencies are not hash-checked.

Triaging note

I wasn’t sure whether this is a bug report or a feature request because that depends on the exact intention behind saying “all dependencies”.

@manueljacob added the labels "S: needs triage" (Issues/PRs that need to be triaged) and "type: feature request" (Request for a new feature), Apr 17, 2023
@sbidoul added "type: docs" (Documentation related) and removed "S: needs triage" (Issues/PRs that need to be triaged), Apr 17, 2023
@pradyunsg changed the title from "Clarify which dependencies the hash-checking mode applies to." to "Clarify which dependencies the hash-checking mode applies to", Apr 17, 2023
@pradyunsg added the label "state: awaiting PR" (Feature discussed, PR is needed), Apr 17, 2023
@pradyunsg (Member)

Seems reasonable.

I've labelled this issue as an "awaiting PR". This label is essentially for indicating that the next step here is for someone to file a PR implementing the suggested change.

sbidoul (Member) commented Apr 17, 2023

Side note: I was going to suggest setting a PIP_CONSTRAINT env var (from #9542 (comment)) as a workaround to propagate hashes to the build step, but constraints do not currently satisfy --require-hashes (#9243, I think).
