devpi / devpi-constrained

releases filter for devpi-server
MIT License

Whitelist by hash #1

Open jtrakk opened 4 years ago

jtrakk commented 4 years ago

Hello, just found out about this project. I'm wondering if it'd be possible to whitelist artifacts by hash instead of by version number. This would be a neat boost to the security benefits offered by devpi.

fschulze commented 4 years ago

You mean like hash mode in pip: https://pip.pypa.io/en/stable/reference/pip_install/#hash-checking-mode. This should be possible, but only using metadata, otherwise the performance overhead would be way too high. If you want to do a PR then I can give you some pointers. Otherwise it would be possible to contact us via https://merlinux.eu to sponsor this feature.

jtrakk commented 4 years ago

Right, like pip hash. Related tools:

What do you mean by "only using metadata"?

fschulze commented 4 years ago

It would not check the sha of the data each time it filters, but instead rely on the sha stored in the metadata at upload time for regular indexes and the sha from the url for mirror indexes. This should be sufficient, but there are some corner cases where it might not be (using the mirror_use_external_urls on mirror indexes for example, the mirror might still send something else). The only real way to protect against that is letting pip do it after download.
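The metadata-only filter sketched in the comment above, as an added example that is not devpi-constrained's own code: the allow-list, the `index_type` key, the project name and the sample digests are all constructed for illustration, and `verify_download` stands in for the after-download check that pip's hash-checking mode performs.

```python
"""Allow-list release files by sha256 using metadata only, plus the
post-download check that covers the mirror corner case. Constructed
example; not devpi-constrained's real implementation."""
import hashlib
from urllib.parse import urlparse

# Constructed allow-list: project name -> set of permitted sha256 hex digests.
# The digest below is sha256(b"foo"), used so the download check can be exercised.
ALLOWED = {
    "example-pkg": {
        "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae",
    },
}


def sha256_from_url(url: str):
    """Return the sha256 hex digest carried in a PyPI-style URL fragment
    ('...whl#sha256=<hex>'), or None if there is no usable sha256 fragment."""
    fragment = urlparse(url).fragment
    if "=" not in fragment:
        return None
    algo, _, digest = fragment.partition("=")
    return digest.lower() if algo.lower() == "sha256" else None


def metadata_digest(release: dict):
    """Pick the digest the filter trusts without touching the file bytes:
    the hash stored at upload time for a regular index, the URL fragment
    for a mirror index (index_type is a constructed key for this example)."""
    if release.get("index_type") == "mirror":
        return sha256_from_url(release.get("url", ""))
    return (release.get("sha256") or "").lower() or None


def is_allowed(project: str, release: dict) -> bool:
    """Cheap metadata-only decision. It assumes the bytes served later match
    the advertised digest, which a mirror serving external URLs may not honour."""
    digest = metadata_digest(release)
    return digest is not None and digest in ALLOWED.get(project, set())


def verify_download(project: str, data: bytes) -> bool:
    """Hash the actual bytes after download; this is the only check that
    catches a mirror sending something other than what its URL advertised."""
    return hashlib.sha256(data).hexdigest() in ALLOWED.get(project, set())
```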