Consider supporting pip 8+ hash checking mode
Having pipenv lock record hashes for each package version would ensure cryptographically repeatable installation. If this tool isn’t meant for use in deployment, then this can be safely ignored, but the Pipfile and Pipfile.lock standards seem to me to be a good start in this direction, and some tooling around this would be nice. I use hashin for this currently, but it has some shortcomings (namely that it doesn’t seek out dependencies for you).
Thanks!
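The mechanism the request is asking for, as an added example (this is not pipenv's or pip's own code): take a lock structure that records a pinned version plus the digest of every acceptable artifact per package, emit the `--hash=` requirement lines that `pip install --require-hashes` accepts, and check a downloaded archive against the recorded digests the way hash-checking mode does. The lock data and the archive bytes are constructed for the demo; only the overall "version plus list of `algo:digest` strings" shape mirrors Pipfile.lock.

```python
"""Lock-file hashes -> pip hash-checking requirements, plus local verification.

Added example, not code from pipenv or pip. The lock data below is a
constructed, minimal Pipfile.lock-like structure (pinned version + one
"algo:digest" string per acceptable artifact), not a real lock file.
"""
import hashlib
import hmac
import json
from typing import List

# Constructed archive contents standing in for a downloaded sdist/wheel.
ARTIFACT_BYTES = b"constructed-archive-contents-for-demo"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT_BYTES).hexdigest()

# Constructed lock data: one package, one acceptable artifact digest.
LOCK_JSON = json.dumps({
    "default": {
        "examplepkg": {
            "version": "==1.0.0",
            "hashes": ["sha256:" + ARTIFACT_SHA256],
        }
    }
})


def lock_to_requirements(lock_text: str) -> List[str]:
    """Emit one requirements.txt line per package, pinned to the locked
    version and carrying every recorded hash as a --hash= option.

    pip refuses a --require-hashes install if any requirement lacks a
    hash, so a package with no recorded digests is rejected here instead
    of producing an unverifiable line.
    """
    lock = json.loads(lock_text)
    lines = []
    for name, entry in sorted(lock.get("default", {}).items()):
        hashes = entry.get("hashes", [])
        if not hashes:
            raise ValueError(f"{name}: no hashes recorded; cannot pin securely")
        line = f"{name}{entry['version']}"
        for h in hashes:
            algo, _, digest = h.partition(":")
            line += f" --hash={algo}:{digest}"
        lines.append(line)
    return lines


def verify_archive(data: bytes, recorded: List[str]) -> bool:
    """Return True if the archive's digest matches any recorded hash.

    A package may list several acceptable artifacts (sdist plus wheels),
    so any one match suffices; an unknown digest algorithm never matches.
    Comparison uses a constant-time check to avoid leaking the digest
    prefix through timing.
    """
    for h in recorded:
        algo, _, digest = h.partition(":")
        try:
            actual = hashlib.new(algo, data).hexdigest()
        except ValueError:
            continue  # algorithm not available; treat as no match
        if hmac.compare_digest(actual, digest.lower()):
            return True
    return False


if __name__ == "__main__":
    for line in lock_to_requirements(LOCK_JSON):
        print(line)
    ok = verify_archive(ARTIFACT_BYTES, ["sha256:" + ARTIFACT_SHA256])
    tampered = verify_archive(ARTIFACT_BYTES + b"x", ["sha256:" + ARTIFACT_SHA256])
    print("intact archive verifies:", ok, "| tampered archive verifies:", tampered)
```

Writing the generated lines to a file and installing with `pip install --require-hashes -r requirements.txt` gives the behaviour the issue describes: pip computes the digest of each downloaded artifact and aborts the whole install if any package's digest is not in its recorded set, or if any requirement (including transitive ones) has no hash at all.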
Issue Analytics
- Created 7 years ago
- Reactions: 3
- Comments: 15 (9 by maintainers)
Top GitHub Comments
I’m happy to render at least design aid, since I wrote the hash-checking stuff in pip 8.
Wow that was fast. Thanks @kennethreitz!