get sha256 hash from /simple (PEP503) endpoint #1135

Open
graingert opened this issue May 4, 2020 · 2 comments · May be fixed by #1670
Labels
enhancement Improvements to functionality hashes Related to hashes generated via --generate-hashes


graingert commented May 4, 2020

What's the problem this feature will solve?

When using devpi or other non-pypi.org servers, the hashing falls back to downloading the asset and hashing it locally.

Describe the solution you'd like

Use the sha256 hash from the /simple endpoint. pypi.org and devpi both provide sha256 hashes as a fragment in their href.

It's optional and may not include the user's preferred hash function, so pip-compile should still fall back on the JSON API/downloading assets:

The URL SHOULD include a hash in the form of a URL fragment with the following syntax: #=, where is the lowercase name of the hash function (such as sha256) and is the hex encoded digest.
Repositories SHOULD choose a hash function from one of the ones guaranteed to be available via the hashlib module in the Python standard library (currently md5, sha1, sha224, sha256, sha384, sha512). The current recommendation is to use sha256.

For example, Artifactory's PyPI implementation only puts md5 in the fragment of their simple href: https://www.jfrog.com/jira/browse/RTFACT-18495
Artifactory now supports sha256 in the simple api

Alternative Solutions

devpi/devpi#801 (comment)

Additional context

/cc @fschulze
#1109
view-source on: https://m.devpi.net/root/pypi/+simple/devpi-server/
and view-source on: https://pypi.org/simple/devpi-server/
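
The lookup requested in the issue above, as an added example that is not part of the original issue or pip-tools code: it reads the `#sha256=<hex>` fragment from each anchor of a PEP 503 page and returns `None` where the caller must fall back to the JSON API or to downloading. The sample page, host name, file names, digests and all function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

PREFERRED = "sha256"

# Constructed sample of a PEP 503 project page (not real files or digests).
SAMPLE_PAGE = """<!DOCTYPE html><html><body>
<a href="../../packages/demo-1.0.tar.gz#sha256={a}">demo-1.0.tar.gz</a>
<a href="../../packages/demo-1.0-py3-none-any.whl#md5={b}">demo-1.0-py3-none-any.whl</a>
<a href="../../packages/demo-0.9.tar.gz">demo-0.9.tar.gz</a>
<a href="../../packages/demo-0.8.tar.gz#sha256=NOTHEX">demo-0.8.tar.gz</a>
</body></html>""".format(a="ab" * 32, b="cd" * 16)


class SimpleIndexParser(HTMLParser):
    """Collect (file URL, fragment) pairs from anchors on a /simple page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(urldefrag(urljoin(self.base_url, href)))


def index_hash(fragment, wanted=PREFERRED):
    """Return 'sha256:<hex>' if the fragment carries a well-formed digest, else None."""
    name, sep, value = fragment.partition("=")
    if not sep or name != wanted or name not in hashlib.algorithms_guaranteed:
        return None
    value = value.lower()
    size = hashlib.new(name).digest_size * 2  # expected number of hex characters
    if len(value) != size or any(c not in "0123456789abcdef" for c in value):
        return None
    return f"{name}:{value}"


def hashes_from_index(page, base_url):
    """Map each file URL to its index-provided hash, or None meaning 'fall back'."""
    parser = SimpleIndexParser(base_url)
    parser.feed(page)
    return {url: index_hash(fragment) for url, fragment in parser.links}
```

A digest taken from the index page is only as trustworthy as the index response and the transport it arrived over, the same as one computed from a file downloaded from that index.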

@graingert graingert changed the title get sha256 hash from simple endpoint get sha256 hash from /simple endpoint May 4, 2020
@graingert graingert changed the title get sha256 hash from /simple endpoint get sha256 hash from /simple (PEP503) endpoint May 4, 2020
@atugushev atugushev added feature Request for a new feature enhancement Improvements to functionality and removed feature Request for a new feature labels May 16, 2020
@graingert
Member Author

Another option that would be standardized across HTTP hosts
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Want-Digest

@atugushev atugushev added the hashes Related to hashes generated via --generate-hashes label Jul 26, 2020
@graingert
Member Author

Artifactory now supports sha256 in the simple api
