jku / pip

pip fork to experiment with PEP-458 implementation https://www.python.org/dev/peps/pep-0458/: See branch tuf-v2 (and tuf-mvp and tuf-mvp-vendored for earlier work)
https://pip.pypa.io/
MIT License

pep-458: What to do with target filename hash-prefixes? #2

Closed jku closed 4 years ago

jku commented 4 years ago

TUF Updater.download_target adds a hash-prefix to the download filename if the repository is consistent_snapshot: Warehouse does not currently provide this prefixed version (presumably because the path is already consistent).

In practice, given this target:

ca/ab/5e004afa025a6fb640c6e983d4983e6507421ff01be224da79ab7de7a21f/Django-3.0.8-py3-none-any.whl

tuf will try to download

<host>/<target_path>/ca/ab/5e004afa025a6fb640c6e983d4983e6507421ff01be224da79ab7de7a21f/caab5e004afa025a6fb640c6e983d4983e6507421ff01be224da79ab7de7a21f.Django-3.0.8-py3-none-any.whl

note the added filename prefix.

Should warehouse provide this or should tuf be able to recognise that consistent_snapshot does not mean hash_prefixed_filename?
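The two naming schemes contrasted above, as an added example (not code from pip, python-tuf or Warehouse): the target path and digest are the ones quoted in this issue, the directory components being the 64-hex-character digest split 2/2/60. `hash_prefixed_target` reproduces the filename prefixing the TUF client does under `consistent_snapshot`, `path_embeds_digest` is a check that the directory part already carries the digest (so a prefix would be redundant), and the `prefix_filename` switch on `download_path` is a hypothetical stand-in for a client-side option, not an actual TUF API.

```python
import posixpath

# Target path and digest exactly as quoted in the issue above; the digest
# algorithm is not named on the page, so the hex string is taken as given.
DIGEST_HEX = "caab5e004afa025a6fb640c6e983d4983e6507421ff01be224da79ab7de7a21f"
TARGET_PATH = (
    "ca/ab/5e004afa025a6fb640c6e983d4983e6507421ff01be224da79ab7de7a21f/"
    "Django-3.0.8-py3-none-any.whl"
)


def hash_prefixed_target(target_path: str, digest_hex: str) -> str:
    """Consistent-snapshot naming as the TUF client applies it: prepend the
    digest and a dot to the basename, leave the directory untouched."""
    dirname, basename = posixpath.split(target_path)
    prefixed = f"{digest_hex}.{basename}"
    return posixpath.join(dirname, prefixed) if dirname else prefixed


def path_embeds_digest(target_path: str, digest_hex: str) -> bool:
    """True when the directory components of target_path, concatenated, equal
    the digest (Warehouse-style layout): the path is already consistent, so a
    hash-prefixed filename would be redundant."""
    dirname = posixpath.dirname(target_path)
    return dirname.replace("/", "").lower() == digest_hex.lower()


def download_path(target_path: str, digest_hex: str, prefix_filename: bool = True) -> str:
    """Return the path to request from the repository.

    prefix_filename is a hypothetical client option (assumption, not TUF's API):
    True mirrors current client behaviour, False requests the path as listed
    in targets metadata.
    """
    if prefix_filename:
        return hash_prefixed_target(target_path, digest_hex)
    return target_path


if __name__ == "__main__":
    print("client would request:", download_path(TARGET_PATH, DIGEST_HEX))
    print("path already consistent:", path_embeds_digest(TARGET_PATH, DIGEST_HEX))
    print("without prefix:", download_path(TARGET_PATH, DIGEST_HEX, prefix_filename=False))
```

Running it prints the prefixed path from the issue first, then `True`, then the original target path; the check in `path_embeds_digest` is what a client would need if it wanted to skip the prefix automatically rather than via an explicit option.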

jku commented 4 years ago

TUF client is getting an option to not add hash prefixes: that should work

jku commented 4 years ago

This is fixed in latest TUF versions