Open helderco opened 2 months ago
Seems reasonable!
Somewhat interested in finding other designs here, I'm generally not a fan of implied settings.
pip install checks hashes by default if a requirements file contains hashes. You could disable it with --no-require-hashes.
Or introduce an explicit --verify-hashes that checks them if they exist, but otherwise doesn't "require" them.
Hey! Any update on this? In Dagger, hashes are only checked if uv is disabled explicitly.
I added it in https://github.com/astral-sh/uv/pull/4007.
I think it's important for the defaults to be secure. Maybe uv could have the proposed --verify-hashes behaviour on by default? ("I have a hash but I expect it to not be checked" seems pretty niche)
It's great to have the new --require-hashes option, but can it be implied if installing from a requirements file with hashes? It's what pip does:

The reason I need this is because I need to make a container image that installs dependencies from a requirements file, but I don't know if that file will have hashes or not.