From 9d7fb2f8e403a40cfbf35237803e319363771308 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= Date: Sun, 16 Apr 2023 12:13:36 +0200 Subject: [PATCH] Update docs about hash checking and wheel cache --- docs/html/topics/secure-installs.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/html/topics/secure-installs.md b/docs/html/topics/secure-installs.md index f012842b2ac..a5f335e9166 100644 --- a/docs/html/topics/secure-installs.md +++ b/docs/html/topics/secure-installs.md 
@@ -59,13 +59,13 @@ It is possible to use multiple hashes for each package. This is important when a ### Interaction with caching -The {ref}`locally-built wheel cache ` is disabled in hash-checking mode to prevent spurious hash mismatch errors. - -These would otherwise occur while installing sdists that had already been automatically built into cached wheels: those wheels would be selected for installation, but their hashes would not match the sdist ones from the requirements file. - -A further complication is that locally built wheels are nondeterministic: contemporary modification times make their way into the archive, making hashes unpredictable across machines and cache flushes. Compilation of C code adds further nondeterminism, as many compilers include random-seeded values in their output. +```{versionchanged} 23.1 +The {ref}`locally-built wheel cache ` is used in hash-checking mode too. +``` -However, wheels fetched from index servers are required to be the same every time. They land in pip's HTTP cache, not its wheel cache, and are used normally in hash-checking mode. The only downside of having the wheel cache disabled is thus extra build time for sdists, and this can be solved by making sure pre-built wheels are available from the index server. +When installing from the cache of locally built wheel in hash-checking mode, pip verifies +the hashes agains those of the original source distribution that was used to build the wheel. +These original hashes are obtained from a `origin.json` file stored in each cache entry. ### Using hashes from PyPI (or other index servers)
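Review bot: The new paragraph added in this hunk has three wording errors that will ship in the rendered docs: "the cache of locally built wheel" should be "the cache of locally built wheels", "agains" should be "against", and "a `origin.json` file" should be "an `origin.json` file". Suggested replacement for those two lines: "When installing from the cache of locally built wheels in hash-checking mode, pip verifies the hashes against those of the original source distribution that was used to build the wheel. These original hashes are obtained from an `origin.json` file stored in each cache entry." Separately, the removed text explained why wheel hashes cannot be compared directly (locally built wheels are nondeterministic); consider keeping one sentence of that rationale next to the `versionchanged` directive so readers understand why the sdist hashes, not the wheel hashes, are what gets verified, and consider stating what pip does for a cache entry that has no `origin.json` (for example one written by a pip version older than 23.1), since the paragraph as written implies every entry carries one.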