rbanffy / pip-chill

A more relaxed `pip freeze`

When listing packages with versions, add an option to output hashes too #5

Closed rbanffy closed 3 years ago

rbanffy commented 6 years ago

Description

When doing a pip-chill, we output the version of the installed packages that don't depend on other packages. We should also be able to list the hashes, to have further assurance we are getting the same versions.

What I Did

N/A

Yogendra0Sharma commented 6 years ago

@rbanffy: How could we get the hash value of installed packages using PIP? As I know, we have the PIP hash command to get the hash value of downloaded packages, but our site-packages contains installed folders and we are not able to get the hash value. Please suggest some way to get the hash value.

rbanffy commented 6 years ago

It may be entirely possible we need to also change PIP so that it keeps this information alongside the rest of the downloaded package.

Yogendra0Sharma commented 6 years ago

@rbanffy Thanks for the response. Do we create a new issue in the PIP branch for this feature?

rbanffy commented 6 years ago

Probably it'd be best. PIP needs to store this information somewhere in the package directory. This would, however, be insecure - if you get write access to the directory and can modify the hash file and someone pip-chills the environment, an invalid hash would be generated, enabling a corrupted package to be installed on other machines (if combined with other man-in-the-middle attacks).

I can't see a way to leverage this that does not involve an already thoroughly compromised environment, but, still, it's worth thinking about.
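As an added example, not part of this thread or of pip-chill itself: a small Python script that derives `--hash=sha256:` requirement lines from the downloaded artifacts themselves (the digest `pip hash` prints) and then checks artifacts against such a file, so the value is always recomputed from the distribution file rather than read from a stored hash that anyone with write access to the directory could alter. Package names and file contents are constructed for the demo.

```python
"""Derive pip-style ``--hash=sha256:...`` lines from artifact files and verify them."""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List

# One requirement after line continuations are joined: "name==version --hash=... --hash=..."
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)")
_HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def sha256_of_file(path: str) -> str:
    """Stream the artifact through SHA-256; this is what ``pip hash`` reports."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hashed_requirement(name: str, version: str, paths: Iterable[str]) -> str:
    """One pinned line with a --hash option per artifact (e.g. wheel and sdist)."""
    opts = [f"--hash=sha256:{sha256_of_file(p)}" for p in sorted(paths)]
    return " \\\n    ".join([f"{name}=={version}", *opts])


def parse_hashed_requirements(text: str) -> Dict[str, List[str]]:
    """Map "name==version" -> list of accepted sha256 hex digests."""
    out: Dict[str, List[str]] = {}
    for line in text.replace("\\\n", " ").splitlines():
        m = _PIN.match(line)
        if m:
            out[f"{m.group(1)}=={m.group(2)}"] = _HASH.findall(line)
    return out


def check_artifacts(text: str, artifacts: Dict[str, List[str]]) -> Dict[str, bool]:
    """A pin passes only if every artifact's freshly computed digest is listed for it."""
    expected = parse_hashed_requirements(text)
    return {pin: bool(expected.get(pin))
            and all(sha256_of_file(p) in expected[pin] for p in paths)
            for pin, paths in artifacts.items()}


def demo() -> Dict[str, bool]:
    """Constructed artifacts (not real packages): one untouched, one altered after pinning."""
    with tempfile.TemporaryDirectory() as d:
        whl, sdist, other = (os.path.join(d, n) for n in
                             ("examplepkg-1.0-py3-none-any.whl", "examplepkg-1.0.tar.gz", "otherpkg-2.3.tar.gz"))
        for p, body in ((whl, b"wheel bytes"), (sdist, b"sdist bytes"), (other, b"other bytes")):
            with open(p, "wb") as f:
                f.write(body)
        reqs = "\n".join([hashed_requirement("examplepkg", "1.0", [whl, sdist]),
                          hashed_requirement("otherpkg", "2.3", [other])])
        with open(other, "ab") as f:  # simulate the artifact being modified after it was pinned
            f.write(b"!")
        return check_artifacts(reqs, {"examplepkg==1.0": [whl, sdist], "otherpkg==2.3": [other]})
```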

github-actions[bot] commented 3 years ago

Stale issue message