Compute the sha256 when downloading a distribution (both source dist and wheel), store it in the cache (keeping it in sync with cache invalidation), or check that it matches the File description (TODO: Does this have a perf impact? If yes, do we always want to do this or only if the registry doesn't tell us the sha?)
When installing, check the hashes
Ignore distributions with mismatching hashes: a better-matching wheel may have been uploaded since the lockfile was created, but in hash-checking mode we have to ignore it and fall back to the next file. Report when no distribution is available because none matched the hashes (but one would without hashes).
See https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode
Related: pip-compile output #131; requirements.txt format (https://pip.pypa.io/en/stable/reference/requirements-file-format/#per-requirement-options)
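The steps above, as an added example that is not the project's own code: parse the per-requirement `--hash=sha256:...` options from a requirements.txt line, hash the bytes of each candidate file as it is "downloaded", skip candidates whose hash is not in the allow-list (including a newer wheel that was uploaded after the lockfile was written, and a file whose index-reported hash is right but whose bytes are not), and fail with a report when nothing matched. The `File` and `Requirement` classes, the sample wheel/sdist contents and the index-reported `registry_sha256` field are constructed for this example and are assumptions, not the installer's real data model.

```python
from __future__ import annotations

import hashlib
import shlex
from dataclasses import dataclass, field


@dataclass
class File:
    """One candidate distribution file. `registry_sha256` is what the index claims
    for the file (may be None or wrong); `data` is what we actually downloaded."""
    filename: str
    data: bytes
    registry_sha256: str | None = None


@dataclass
class Requirement:
    spec: str                                   # e.g. "example-pkg==1.0"
    hashes: dict[str, set[str]] = field(default_factory=dict)  # algo -> allowed digests


class HashMismatchError(Exception):
    pass


def compute_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_requirement_line(line: str) -> Requirement:
    """Parse 'spec --hash=sha256:<hex> [--hash sha256:<hex> ...]' (per-requirement options)."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        raise ValueError("empty requirement line")
    req = Requirement(spec=tokens[0])
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--hash="):
            value = tok[len("--hash="):]
        elif tok == "--hash" and i + 1 < len(tokens):
            i += 1
            value = tokens[i]
        else:
            raise ValueError(f"unsupported option {tok!r}")
        algo, _, digest = value.partition(":")
        if algo != "sha256" or len(digest) != 64:
            raise ValueError(f"unsupported hash {value!r}")
        req.hashes.setdefault(algo, set()).add(digest.lower())
        i += 1
    return req


def select_file(req: Requirement, candidates: list[File]) -> File:
    """Return the first candidate whose downloaded bytes hash to an allowed digest.

    Candidates with mismatching hashes are skipped (a newer, better-matching file may
    exist on the index, but hash-checking mode must not use it); if none match, the
    error lists every rejected file so the mismatch is visible rather than silent."""
    allowed = req.hashes.get("sha256", set())
    if not allowed:
        raise ValueError(f"{req.spec}: no hashes pinned; refusing to install in hash-checking mode")
    rejected: list[tuple[str, str]] = []
    for f in candidates:
        # Cheap pre-filter on the index-reported digest, so we can skip a download
        # that cannot match. The claimed digest is never trusted on its own.
        if f.registry_sha256 is not None and f.registry_sha256.lower() not in allowed:
            rejected.append((f.filename, f.registry_sha256))
            continue
        actual = compute_sha256(f.data)     # always hash the bytes we actually received
        if actual in allowed:
            return f
        rejected.append((f.filename, actual))
    detail = "\n".join(f"  {name}: sha256={digest}" for name, digest in rejected)
    raise HashMismatchError(
        f"{req.spec}: {len(candidates)} file(s) available but none matched the pinned hashes:\n{detail}"
    )


# Constructed sample distributions (contents are placeholders, not real packages).
OLD_WHEEL = File("example_pkg-1.0-py3-none-any.whl", b"constructed: wheel present when lockfile was written")
SDIST = File("example_pkg-1.0.tar.gz", b"constructed: source distribution")
NEW_WHEEL = File("example_pkg-1.0-cp312-cp312-manylinux_2_17_x86_64.whl", b"constructed: wheel uploaded later")


def requirement_line_for(spec: str, *files: File) -> str:
    """Build the requirements.txt line a lockfile would contain for `files`."""
    return " ".join([spec] + [f"--hash=sha256:{compute_sha256(f.data)}" for f in files])


if __name__ == "__main__":
    req = parse_requirement_line(requirement_line_for("example-pkg==1.0", OLD_WHEEL, SDIST))
    print("selected:", select_file(req, [NEW_WHEEL, OLD_WHEEL, SDIST]).filename)
    try:
        select_file(req, [NEW_WHEEL])
    except HashMismatchError as e:
        print(e)
```

The pre-filter on the index-reported digest is only an optimisation (it answers the TODO about avoiding work when the registry already tells us the sha); the digest of the downloaded bytes is what decides, so a registry that reports the right hash for the wrong bytes is still rejected.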