
Optionally don't write a RECORD file

Open rossburton opened this issue 1 year ago • 4 comments

The RECORD file is a partial list of files in the wheel and their hashes. Quoting from PEP 0491:

RECORD is a list of (almost) all the files in the wheel and their secure hashes. Unlike PEP 376, every file except RECORD, which cannot contain a hash of itself, must include its hash. The hash algorithm must be sha256 or better; specifically, md5 and sha1 are not permitted, as signed wheel files rely on the strong hashes in RECORD to validate the integrity of the archive.

It's incredibly useful to have this inside the wheel at installation time, but if the target is not going to be managed by a python package manager then it's just pointless. For example, a Linux distribution package of Python won't need the RECORD file: it already has tooling for the list of files and their hashes.

The rationale to remove the file entirely instead of just ignoring it is that when the file is present, pip thinks it can use it. This means sudo pip can remove files from the system packages, which is asking for trouble.

Interesting prior art:

  • Gentoo prunes the dist-info directory massively, including RECORDS: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73c49f3c00415dee99407dabba8d3b22895c9d25
  • Debian removes the RECORD file: https://salsa.debian.org/python-team/tools/dh-python/-/blob/master/dhpython/fs.py?ref_type=heads#L185

Instead of these tools having to go in and remove files, it would be nice if installer had an option to stop it writing the file in the first place.

rossburton, Oct 21 '24 17:10
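The RECORD format quoted above (CSV rows of path, `sha256=<urlsafe-base64 digest without padding>`, size; the RECORD entry itself left with an empty hash; md5 and sha1 not permitted) is small enough to exercise end to end. The following is an added example, not code from the installer project or from the issue author: a stdlib-only writer and verifier run over a constructed dist-info tree in a temporary directory. The package name `pkg`, the file contents and the `demo()` helper are assumptions made for illustration.

```python
"""Write and verify a wheel-style RECORD file using only the standard library."""
import base64
import csv
import hashlib
import io
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# PEP 427/491: RECORD hashes must be sha256 or better; md5 and sha1 are rejected.
FORBIDDEN_ALGORITHMS = {"md5", "sha1"}


def _digest(path: Path, algorithm: str = "sha256") -> str:
    """Hash a file and encode it the way RECORD does: urlsafe base64, '=' padding stripped."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return base64.urlsafe_b64encode(h.digest()).rstrip(b"=").decode("ascii")


def write_record(root: Path, record_rel: str) -> str:
    """Write RECORD at root/record_rel covering every file under root.

    Each row is (relative path, 'sha256=<digest>', size). RECORD itself is listed
    with an empty hash and size, since it cannot contain a hash of itself.
    """
    rows: List[Tuple[str, str, str]] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel == record_rel:
            continue
        rows.append((rel, f"sha256={_digest(p)}", str(p.stat().st_size)))
    rows.append((record_rel, "", ""))
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    text = buf.getvalue()
    (root / record_rel).parent.mkdir(parents=True, exist_ok=True)
    (root / record_rel).write_text(text, encoding="utf-8")
    return text


def verify_record(root: Path, record_rel: str) -> Dict[str, List[str]]:
    """Check every RECORD row; return problem category -> list of relative paths."""
    problems: Dict[str, List[str]] = {"missing": [], "mismatch": [], "weak_hash": [], "unhashed": []}
    with (root / record_rel).open(newline="", encoding="utf-8") as f:
        for row in csv.reader(f):
            rel, hash_field, size_field = (row + ["", ""])[:3]
            if rel == record_rel:
                continue  # the only row allowed to have no hash
            if not hash_field:
                problems["unhashed"].append(rel)
                continue
            algorithm, _, digest = hash_field.partition("=")
            if algorithm in FORBIDDEN_ALGORITHMS:
                problems["weak_hash"].append(rel)
                continue
            target = root / rel
            if not target.is_file():
                problems["missing"].append(rel)
                continue
            size_ok = not size_field or int(size_field) == target.stat().st_size
            if not size_ok or _digest(target, algorithm) != digest:
                problems["mismatch"].append(rel)
    return problems


def demo() -> Dict[str, object]:
    """Build a constructed dist-info tree, then tamper with it and re-verify."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        record_rel = "pkg-1.0.dist-info/RECORD"
        (root / "pkg").mkdir()
        (root / "pkg" / "__init__.py").write_text("VERSION = '1.0'\n", encoding="utf-8")
        (root / "pkg-1.0.dist-info").mkdir()
        (root / "pkg-1.0.dist-info" / "METADATA").write_text("Name: pkg\n", encoding="utf-8")
        text = write_record(root, record_rel)
        results["record_self_entry_blank"] = text.splitlines()[-1] == f"{record_rel},,"
        results["clean"] = verify_record(root, record_rel)
        # Same-size edit: the size column alone would not catch this, the hash does.
        (root / "pkg" / "__init__.py").write_text("VERSION = '9.9'\n", encoding="utf-8")
        results["tampered"] = verify_record(root, record_rel)
        # A forbidden md5 row plus a deleted file.
        with (root / record_rel).open("a", encoding="utf-8") as f:
            f.write("pkg-1.0.dist-info/METADATA,md5=abc,9\n")
        (root / "pkg-1.0.dist-info" / "METADATA").unlink()
        results["weak_and_missing"] = verify_record(root, record_rel)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `verify_record` walk is also exactly the list an uninstaller such as pip reads to decide which files it owns, which is why the issue argues for not writing the file at all rather than leaving it for a distribution package to ignore.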

Fedora also removes the RECORD file: https://src.fedoraproject.org/rpms/pyproject-rpm-macros/blob/rawhide/f/macros.pyproject#_105.

rossburton, Oct 22 '24 17:10

Personally, I don't think we should do that. I understand that some Linux distributions might delete that file, but it is part of the standard, and adding an option to bypass it might encourage people to operate outside of standards.

Secrus, Nov 06 '24 12:11

Put Yocto/OpenEmbedded on the list of distributions which manually nuke this file: https://lore.kernel.org/openembedded-core/[email protected]/T/#t.

rossburton, Nov 20 '24 19:11

@pradyunsg your opinion? I think it wouldn't be a good option to add.

Secrus, Nov 21 '24 09:11