When listing packages with versions, add an option to output hashes too
rbanffy opened this issue · 5 comments
- PIP Chill version: N/A
- Python version: N/A
- Operating System: N/A
Description
When doing a pip-chill, we output the version of the installed packages that don't depend on other packages. We should also be able to list the hashes, to have further assurance we are getting the same versions.
What I Did
N/A
@rbanffy: how could we get the hash value of installed packages using PIP?
As I know, we have the PIP hash command to get the hash value of downloaded packages, but our site-packages contains installed folders and we are not able to get the hash value. Please suggest some way to get the hash value.
It may be entirely possible we need to also change PIP so that it keeps this information alongside the rest of the downloaded package.
@rbanffy Thanks for the response.
Do we create a new issue on the PIP branch for this feature?
Probably it'd be best. PIP needs to store this information somewhere in the package directory. This would, however, be insecure - if you get write access to the directory and can modify the hash file and someone pip-chills the environment, an invalid hash would be generated, enabling a corrupted package to be installed on other machines (if combined with other man-in-the-middle attacks).
I can't see a way to leverage this that does not involve an already thoroughly compromised environment, but, still, it's worth thinking about.
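For reference, pip does already leave one piece of integrity information next to each package installed from a wheel: the `*.dist-info/RECORD` file, which lists every installed file with its sha256 (urlsafe base64, unpadded) and size. That is a per-file hash, not the archive hash `pip hash` prints for a downloaded wheel, and it lives in the same writable directory as the package, which is exactly the weakness described in the comment above. The script below is an added example, not pip-chill's or pip's code: it builds a constructed sample package and RECORD in a temporary directory (the package name `demo` and its contents are made up), verifies the files against RECORD, modifies one file to show the check catching it, and then rewrites RECORD alongside the file to show the check passing again.

```python
import base64
import csv
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def record_digest(data: bytes) -> str:
    """Hash a file's bytes the way RECORD encodes it: sha256, urlsafe base64, no '=' padding."""
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def write_record(site_packages: Path, dist_info: str, files: Dict[str, bytes]) -> Path:
    """Write the given files plus a RECORD listing them (constructed sample, not a real pip install)."""
    for rel, data in files.items():
        target = site_packages / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    record = site_packages / dist_info / "RECORD"
    record.parent.mkdir(parents=True, exist_ok=True)
    with record.open("w", newline="") as fh:
        writer = csv.writer(fh, lineterminator="\n")
        for rel, data in files.items():
            writer.writerow([rel, record_digest(data), len(data)])
        # RECORD lists itself with empty hash and size, as real installs do
        writer.writerow([f"{dist_info}/RECORD", "", ""])
    return record


def verify_record(site_packages: Path, dist_info: str) -> Dict[str, str]:
    """Compare every file listed in RECORD with its recorded hash and size.

    Returns {relative_path: problem} for files that are missing or altered; empty means all matched.
    """
    problems: Dict[str, str] = {}
    record = site_packages / dist_info / "RECORD"
    with record.open(newline="") as fh:
        for row in csv.reader(fh):
            if len(row) < 3:
                continue
            rel, expected, size = row
            if not expected:  # entries without a hash (RECORD itself) cannot be checked
                continue
            target = site_packages / rel
            if not target.exists():
                problems[rel] = "missing"
                continue
            data = target.read_bytes()
            if record_digest(data) != expected:
                problems[rel] = "hash mismatch"
            elif size and int(size) != len(data):
                problems[rel] = "size mismatch"
    return problems


def demo() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """Run the three checks: clean install, altered file, altered file with RECORD rewritten to match."""
    with tempfile.TemporaryDirectory() as tmp:
        site_packages = Path(tmp)
        dist_info = "demo-1.0.dist-info"  # hypothetical package
        files = {
            "demo/__init__.py": b"VERSION = '1.0'\n",
            "demo/core.py": b"def run():\n    return 42\n",
        }
        write_record(site_packages, dist_info, files)
        clean = verify_record(site_packages, dist_info)

        # An unauthorized change to one installed file is detected by the per-file hash.
        altered = b"def run():\n    return 43\n"
        (site_packages / "demo/core.py").write_bytes(altered)
        tampered = verify_record(site_packages, dist_info)

        # The caveat from the thread: whoever can write the file can also rewrite RECORD,
        # so hashes stored in the package directory are not a trust anchor on their own.
        files["demo/core.py"] = altered
        write_record(site_packages, dist_info, files)
        hidden = verify_record(site_packages, dist_info)
    return clean, tampered, hidden


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "record rewritten"), demo()):
        print(f"{label}: {result or 'all files match RECORD'}")
```

The takeaway for the proposal above is that a RECORD-style check only detects changes made without updating RECORD; assurance that matches what `pip hash` gives for a download needs the hash recorded somewhere the package directory's writers cannot reach (a lock file in version control, a hash-pinned requirements file, or pip's `--require-hashes` mode at install time).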