
Implied "--require-hashes"?

Open helderco opened this issue 1 year ago • 6 comments

It's great to have the new --require-hashes option, but can it be implied if installing from a requirements file with hashes?

It's what pip does:

--require-hashes Require a hash to check each requirement against, for repeatable installs. This option is implied when any package in a requirements file has a --hash option.

The reason I need this is because I need to make a container image that installs dependencies from a requirements file, but I don't know if that file will have hashes or not.

helderco avatar Apr 29 '24 10:04 helderco
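One way to get pip's implied rule in a build script today, as an added example that is not part of this thread or of uv itself: scan the requirements file for `--hash` options (handling backslash continuations and comments, which is where naive greps go wrong) and only then pass `--require-hashes` to uv. The helper names and the sample file contents below are constructed.

```python
import re
from typing import List

# pip accepts both "--hash=sha256:..." and "--hash sha256:..."
_HASH_OPT = re.compile(r"(^|\s)--hash(=|\s)")


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines, drop comments and blank lines."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            # hashed requirements are usually 'pkg==1.0 \' plus one --hash per line
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        # a comment starts at '#' preceded by whitespace or line start
        # (URL fragments such as '#egg=' survive); then collapse spaces
        buf = " ".join(re.sub(r"(^|\s)#.*$", "", buf).split())
        if buf:
            lines.append(buf)
        buf = ""
    if buf.strip():
        lines.append(" ".join(buf.split()))
    return lines


def has_hashes(text: str) -> bool:
    """True if any requirement in the file carries a --hash option."""
    return any(_HASH_OPT.search(line) for line in logical_lines(text))


def uv_install_command(req_path: str, text: str) -> List[str]:
    """argv for uv, adding --require-hashes only when the file has hashes."""
    cmd = ["uv", "pip", "install", "-r", req_path]
    if has_hashes(text):
        cmd.insert(3, "--require-hashes")
    return cmd


# constructed sample files; the digests are dummies, not real hashes
PINNED = (
    "requests==2.31.0 \\\n"
    "    --hash=sha256:" + "0" * 64 + " \\\n"
    "    --hash=sha256:" + "1" * 64 + "\n"
)
LOOSE = "flask>=2.0\n# --hash=sha256:deadbeef commented out\nclick  # pinned elsewhere\n"
```

A commented-out `--hash` line does not trigger the flag, so a file that merely mentions hashes in comments is installed without `--require-hashes`, matching pip's rule of looking only at actual requirements.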

Seems reasonable!

zanieb avatar Apr 29 '24 14:04 zanieb

Somewhat interested in finding other designs here, I’m generally not a fan of implied settings.

charliermarsh avatar Apr 29 '24 14:04 charliermarsh

pip install checks hashes by default if a requirements file contains hashes. You could disable it with --no-require-hashes.

Or introduce an explicit --verify-hashes that checks them if they exist, but otherwise doesn't "require" them.

helderco avatar Apr 30 '24 12:04 helderco

Hey! 👋 Any update on this? In Dagger, hashes are only checked if uv is disabled explicitly. 😅

helderco avatar May 29 '24 19:05 helderco

I added it in https://github.com/astral-sh/uv/pull/4007.

charliermarsh avatar Jun 04 '24 01:06 charliermarsh

I think it's important for the defaults to be secure. Maybe uv could have the proposed --verify-hashes behaviour on by default? ("I have a hash but I expect it to not be checked" seems pretty niche)

hauntsaninja avatar Jun 25 '24 00:06 hauntsaninja