astral-sh / uv

An extremely fast Python package installer and resolver, written in Rust.
https://astral.sh/
Apache License 2.0

Implied "--require-hashes"? #3305

Open helderco opened 2 months ago

helderco commented 2 months ago

It's great to have the new --require-hashes option, but can it be implied if installing from a requirements file with hashes?

It's what pip does:

--require-hashes Require a hash to check each requirement against, for repeatable installs. This option is implied when any package in a requirements file has a --hash option.

The reason I need this is because I need to make a container image that installs dependencies from a requirements file, but I don't know if that file will have hashes or not.

zanieb commented 2 months ago

Seems reasonable!

charliermarsh commented 2 months ago

Somewhat interested in finding other designs here, I'm generally not a fan of implied settings.

helderco commented 2 months ago

pip install checks hashes by default if a requirements file contains hashes. You could disable it with --no-require-hashes.

Or introduce an explicit --verify-hashes that checks them if they exist, but otherwise doesn't "require" them.
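As an added example, not code from this thread, pip or uv, the following Python shows the two behaviours being discussed: pip's rule that hash-checking mode is implied when any requirement in the file carries a `--hash`, and the difference between requiring hashes (a requirement without one is an error) and the proposed verify-only mode (it is simply skipped). The requirements parser, sample file and artifact bytes are constructed for illustration.

```python
import hashlib
import re
import shlex

def parse_requirements(text):
    """Return {requirement: [(algo, hexdigest), ...]} from a pip-style
    requirements file. Joins backslash continuations and drops comments
    and blank lines (simplified: '#' in URL fragments is not handled)."""
    logical = re.sub(r"\\\n", " ", text)
    reqs = {}
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        hashes = []
        for tok in tokens[1:]:
            if tok.startswith("--hash="):
                algo, digest = tok[len("--hash="):].split(":", 1)
                hashes.append((algo, digest.lower()))
        reqs[tokens[0]] = hashes
    return reqs

def implies_require_hashes(reqs):
    """pip's rule: hash-checking mode is implied if any requirement has a --hash."""
    return any(reqs.values())

def unpinned_requirements(reqs):
    """Requirements with no --hash: errors under --require-hashes,
    skipped under a verify-only mode like the proposed --verify-hashes."""
    return [name for name, hashes in reqs.items() if not hashes]

def artifact_matches(data, hashes):
    """True if the downloaded artifact's digest equals any pinned hash."""
    return any(hashlib.new(algo, data).hexdigest() == digest for algo, digest in hashes)

def pin_artifact(data, algo="sha256"):
    """The --hash token a lock tool would write for an artifact."""
    return f"--hash={algo}:{hashlib.new(algo, data).hexdigest()}"

# Constructed sample: fake artifact bytes (not a real release), one requirement
# pinned to two digests of it, one requirement left unpinned.
FAKE_WHEEL = b"constructed wheel bytes for the example"
SAMPLE = (
    "# comments and blank lines are ignored\n"
    "requests==2.31.0 \\\n"
    f"    {pin_artifact(FAKE_WHEEL)} \\\n"
    f"    {pin_artifact(FAKE_WHEEL, 'sha512')}\n"
    "idna==3.7\n"
)
```

Running `parse_requirements(SAMPLE)` yields a file where hash-checking is implied, `requests==2.31.0` verifies against `FAKE_WHEEL`, and `idna==3.7` is the entry that `--require-hashes` would reject but a verify-only mode would let through.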

helderco commented 1 month ago

Hey! 👋 Any update on this? In Dagger, hashes are only checked if uv is disabled explicitly. 😅

charliermarsh commented 1 month ago

I added it in https://github.com/astral-sh/uv/pull/4007.

hauntsaninja commented 2 weeks ago

I think it's important for the defaults to be secure. Maybe uv could have the proposed --verify-hashes behaviour on by default? ("I have a hash but I expect it to not be checked" seems pretty niche)