The ultimate solution for this would be for Scikit-HEP-testdata to maintain a mapping (dict? JSON?) of filename → checksum, generated and hard-coded into each release, and then the skhep_testdata.data_path function would both check to see that a file with the right name exists and that it has the right checksum. Computing a checksum of a < 1 MB file shouldn't be too expensive. (It has to be done every time a user requests a file path, or at least once per change of the file's late modified date, but that's more complicated.) In Python, it can be computed with hashlib.hash.hexdigest (StackOverflow). And then there's the added complication of embedding a hard-coded filename → checksum mapping, which would presumably need to be computed during the release phase.
We just came across another reason why it's dangerous to only check cached files by name (other than https://github.com/scikit-hep/scikit-hep-testdata/issues/147#issuecomment-2015769482): tests of
uproot.updatemight change them in place and then subsequent tests are not testing what we think they're testing.The ultimate solution for this would be for Scikit-HEP-testdata to maintain a mapping (dict? JSON?) of filename → checksum, generated and hard-coded into each release, and then the
skhep_testdata.data_pathfunction would both check to see that a file with the right name exists and that it has the right checksum. Computing a checksum of a < 1 MB file shouldn't be too expensive. (It has to be done every time a user requests a file path, or at least once per change of the file's late modified date, but that's more complicated.) In Python, it can be computed with hashlib.hash.hexdigest (StackOverflow). And then there's the added complication of embedding a hard-coded filename → checksum mapping, which would presumably need to be computed during the release phase.