Downloads Hashing Command Line and Requirements File

[dstufft]

It is my understanding that pip is supposed to check the passed in hash if it is included in either the requirements file or the command line. This appears to not be currently happening.

These all succeed:

pip install -r requirements.txt # With a randomly typed hash

pip install http://..#md5=random

[carljm]

Confirmed that this is an issue; pull request welcome.

[acdha]

https://github.com/acdha/pip/tree/issue-468-url-hash-fragment-support has a very simple fix for the second case. This does not work for non-URL installs (e.g. pip install "pkg#md5=wtf") which is probably correct but should trigger an error indicating that the specified value is being ignored in favor of whatever PyPI says.

[jezdez]

FWIW, it's suppose to check the hashes from links it finds on PyPI, not passed from the command line AFAIK.

[acdha]

@jezdez What about non-PyPI packages? I was thinking that this would be a great way to have people who need / want to use packages which aren't on PyPI (e.g. Github tarballs, internal repos) to have a backup which isn't insecure

[carljm]

Right, I think this is really a new feature, not a bug, since it's never been documented that you can do this. But that doesn't really matter - it's a very useful feature with no downside that I can see.

[d1b]

@carljm rubbish this feature is hinted at in the pip documentation (I would consider this a bug not a new feature): from http://www.pip-installer.org/en/latest/usage.html#package-checksum-hashes , "PyPI provides a md5 hash of a package by having the link to the package include a #md5=. pip supports this, as well as any of the guaranteed hashlib algorithms (sha1, sha224, sha384, sha256, sha512, md5)."

[pnasrat]

@dstufft has done recent work on this. Any comments Donald?

[pnasrat]

@d1b have you tested with latest pip or develop branch?

[qwcode]

it's reasonable to want pip install http://..somepackage.tar.gz#md5=HASH to check the hash,
but I'm not sure what this means from the description pip install -r requirements.txt # With a randomly typed hash
there's a url requirement in the requierments file with a random hash tacked onto to it?

[d1b]

@pnasrat are you suggesting that this bug has been fixed in pip already? It certainly appears not to have been fixed -->

~/.local/bin/pip install http://localhost:4344/archive.zip#md5=123
Downloading/unpacking http://localhost:4344/archive.zip
Downloading archive.zip
Running setup.py egg_info for package from http://localhost:4344/archive.zip

[d1b]

@qwcode I believe @dstufft meant to suggest that the requirements.txt file contained a line like 'http://..#md5=random' (a hash for an individual entry not for the whole file).

[dstufft]

This is more or less solved with pep 8's explicit hash checking mode.