New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Always require hashes for wheels in lockfile #3528
Conversation
2304794
to
081d213
Compare
081d213
to
9deda9b
Compare
|
||
[[distribution.wheel]] | ||
url = "file:///foo/bar/anyio-4.3.0-py3-none-any.whl" | ||
hash = "sha256:048e05d0f6caeed70d731f3db756d35dcc1f35747c8c403364a8332c630441b8" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmmm the purpose of this test was to check a case where a hash is given but should not be present. And the purpose of the test above was to check a case where a hash is missing but should be present. i.e., They should both be checking error cases.
if requires_hash != wheel.hash.is_some() { | ||
return Err(LockError::hash(dist.id.clone(), "wheel", requires_hash)); | ||
if wheel.hash.is_none() { | ||
return Err(LockError::hash(dist.id.clone(), "wheel", true)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I basically agree with the end effect here, but I don't think this is actually internally consistent. The reason why I made it possible for hash checking in wheels to be optional is because this is what the data model currently supports:
uv/crates/uv-resolver/src/lock.rs
Lines 739 to 745 in eab2b83
fn from_path_dist(path_dist: &PathBuiltDist) -> Wheel { | |
Wheel { | |
url: path_dist.url.to_url(), | |
hash: None, | |
filename: path_dist.filename.clone(), | |
} | |
} |
The problem here, as far as I can tell, is that not all "built" distributions have hashes attached to them. So when they make it to the lock file data structure, there's no hash to include.
What this means is that this checking will reject lock files that can be generated right now.
With that said, I do agree that this change is, I think, what we want our end state to be. I don't think I feel strongly about whether we do the stricter checking now, but I did kind of feel like the checking should be consistent with our serialization. If not, then perhaps a comment here explaining the inconsistency would be helpful.
I agree with what you wrote. |
Summary
I think we do always want hashes for wheels (since a wheel is a zip file -- we can always hash it). But hashes are optional for source distributions: if we have a Git repo as the source, there's no way to compute a hash of it in the standards.
In general, if the user ends up needing to build from source, then we compare the hash of the source; if they use a pre-built wheel, then we compare the hash of the wheel.