Open pnasrat opened 1 month ago
Manually managing those would eliminate some of the benefits of the templated URL feature, since you would have to edit the config anyway. OTOH, I could see some value in being able to check the signatures.
How does a user determine the hash values? Could fromager get them that way, too?
Ignoring the override case and adding support for sources that are on PEP 503 compliant indexes, the hash will be in the URL fragment, or per PEP 714 uses core-metadata for hashes.
Currently get_project_from_pypi in resolver.py would have the access to the href and attributes to do that, but wiring that through so the source download code has access to i
For other URL overrides that would really depend on the external source - in my case I noticed this building dask-gateway, which needed both the source download and build_dir set, as the source download on PyPI doesn't include the requirements.txt that its setup.py loads. I set it to the GitHub tag archive download URL.
I understand your concern about manually managing these, and adding them would only make sense if archive validation was being done on the current source downloads.
It looks like some work on extra metadata into candidates is in
I had to use the download_source override for a package build recently and it got me thinking if hash support should be added
I was thinking of something like the following
That would get added to packagesettings possibly
However, when I started to look at the codebase to add it, it doesn't look like _download_source_check validates the hashes of downloads from PyPI, so before proceeding further I wanted to open for discussion.
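
The PEP 503 URL-fragment hash mentioned in the thread, as an added example (not fromager code and not written by any participant): it reads the `#<algorithm>=<hexdigest>` fragment from each file link on a simple-index page and checks downloaded bytes against it. All function names, the index URL and the sample data are constructed for illustration; links that publish no hash are treated as unverified.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

# Assumption: only strong digests are accepted from the index.
ALLOWED = ("sha256", "sha384", "sha512")

class SimpleIndexParser(HTMLParser):
    """Collect {filename: (url, algorithm, hexdigest) or None} from a PEP 503 page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.files = {}

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag != "a" or not href:
            return
        # Resolve relative links, then split off the "#algo=digest" fragment.
        url, fragment = urldefrag(urljoin(self.base_url, href))
        algo, _, digest = fragment.partition("=")
        usable = algo in ALLOWED and bool(digest)
        # Links without a usable hash are stored as None so callers fail closed.
        name = url.rsplit("/", 1)[-1]
        self.files[name] = (url, algo, digest.lower()) if usable else None

def expected_hashes(index_html, base_url):
    parser = SimpleIndexParser(base_url)
    parser.feed(index_html)
    return parser.files

def verify_archive(data, entry):
    """True only if the archive bytes match the hash the index published."""
    if entry is None:
        return False
    _url, algo, digest = entry
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual.encode(), digest.encode())

# Constructed sample: one link with a sha256 fragment, one link without a hash.
SAMPLE_ARCHIVE = b"constructed sdist bytes"
SAMPLE_HTML = (
    '<a href="../../packages/demo-1.0.tar.gz#sha256=%s">demo-1.0.tar.gz</a>'
    '<a href="../../packages/demo-0.9.tar.gz">demo-0.9.tar.gz</a>'
    % hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()
)
```

A source fetched from a URL override (for example a tag archive) has no index entry to compare against, so a hash for it would have to come from the package settings instead.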