
Pip may record an invalid hash in cache entries #11943

Open
Labels
C: cache Dealing with cache and files in it type: bug A confirmed bug or unintended behavior

Comments

@sbidoul
Member

sbidoul commented Apr 10, 2023

Description

In some circumstances, pip may record an invalid hash in the origin.json file in wheel cache entries.

This happens when an invalid hash is provided as URL fragment, together with a good hash provided with --hash.
In such cases pip does not validate the hash provided as URL fragment.
The cache logic, however, assumes that such a hash has been validated elsewhere in pip and records it without verifying it.

Expected behavior

We should probably compute a set of strong hashes when generating origin.json.

Besides resolving this bug, this would also be more predictable, with known hash algorithms recorded in cache entries.

pip version

Since 22.2

Python version

any

OS

any

How to Reproduce

Create and install a requirements.txt like this:

simple @ https://github.com/pypa/pip/raw/23.0.1/tests/data/packages/simple-1.0.tar.gz#sha256=invalid \
  --hash sha256:393043e672415891885c9a2a0929b1af95fb866d6ca016b42d2e6ce53619b653

Notice the hash recorded in origin.json is invalid.

Output

No response

@sbidoul sbidoul added type: bug A confirmed bug or unintended behavior S: needs triage Issues/PRs that need to be triaged C: cache Dealing with cache and files in it and removed S: needs triage Issues/PRs that need to be triaged labels Apr 10, 2023
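The following is an added example, written for this page; it is not pip's code and does not reproduce pip's internals. It models the two sources of a hash for a direct-URL requirement (the `#sha256=...` URL fragment and the `--hash` option), shows how copying the fragment hash into origin.json without checking it yields the invalid entry described above, and shows the proposed fix: verify every supplied hash against the downloaded bytes and record only freshly computed strong hashes. It also includes an audit check that recomputes the hashes recorded in an origin.json entry. The artifact bytes are constructed, the origin.json layout (`archive_info.hashes`) is an assumption, and all function names are hypothetical.

```python
"""Model of the hash-handling flaw reported in this issue (added example, not pip code)."""
import hashlib
import hmac
import shlex
from urllib.parse import urlsplit

# Constructed sample bytes standing in for the downloaded sdist (not the real tarball).
ARTIFACT = b"constructed sample archive bytes\n"
STRONG_ALGOS = ("sha256", "sha384", "sha512")


class HashMismatch(Exception):
    """Raised when a supplied hash does not match the downloaded bytes."""


def parse_requirement_line(line):
    """Split 'name @ url#algo=hex --hash algo:hex ...' into its parts (hypothetical parser)."""
    tokens = shlex.split(line.replace("\\\n", " "))  # join backslash continuations
    name, at, url = tokens[0], tokens[1], tokens[2]
    if at != "@":
        raise ValueError("expected a direct-URL requirement")
    hash_opts = {}
    i = 3
    while i < len(tokens):
        if tokens[i] != "--hash":
            raise ValueError("unexpected token %r" % tokens[i])
        algo, _, digest = tokens[i + 1].partition(":")
        hash_opts.setdefault(algo, set()).add(digest)
        i += 2
    parts = urlsplit(url)
    fragment_hash = None
    if parts.fragment:
        algo, _, digest = parts.fragment.partition("=")
        fragment_hash = (algo, digest)
    return name, parts._replace(fragment="").geturl(), fragment_hash, hash_opts


def compute_hashes(data):
    """Strong hashes of the artifact, computed from the bytes themselves."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in STRONG_ALGOS}


def check_option_hashes(actual, hash_opts):
    """The --hash check: at least one allowed digest must match the bytes."""
    for algo, allowed in hash_opts.items():
        if actual.get(algo) in allowed:
            return True
    raise HashMismatch("no --hash value matched the downloaded artifact")


def buggy_origin(url, fragment_hash, hash_opts, data):
    """Models the reported behaviour: --hash is checked, but the URL fragment
    hash is assumed to have been validated elsewhere and is copied as-is."""
    check_option_hashes(compute_hashes(data), hash_opts)
    algo, digest = fragment_hash
    return {"url": url, "archive_info": {"hashes": {algo: digest}}}


def fixed_origin(url, fragment_hash, hash_opts, data):
    """Proposed fix: verify every supplied hash, then record only computed strong hashes."""
    actual = compute_hashes(data)
    if fragment_hash is not None:
        algo, digest = fragment_hash
        expected = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(expected, digest):
            raise HashMismatch("URL fragment hash %s does not match the artifact" % algo)
    if hash_opts:
        check_option_hashes(actual, hash_opts)
    return {"url": url, "archive_info": {"hashes": dict(actual)}}


def verify_origin(origin, data):
    """Audit check for an existing cache entry: recompute each recorded hash."""
    recorded = origin["archive_info"]["hashes"]
    return all(
        hmac.compare_digest(hashlib.new(algo, data).hexdigest(), digest)
        for algo, digest in recorded.items()
    )


# Constructed requirement mirroring the reproducer: bad fragment hash, good --hash.
REQUIREMENT = (
    "simple @ https://github.com/pypa/pip/raw/23.0.1/tests/data/packages/simple-1.0.tar.gz"
    "#sha256=invalid \\\n"
    "  --hash sha256:" + compute_hashes(ARTIFACT)["sha256"]
)


def demo():
    """Run both models over the reproducer; returns (buggy entry, fix rejected it?)."""
    _, url, frag, opts = parse_requirement_line(REQUIREMENT)
    bad = buggy_origin(url, frag, opts, ARTIFACT)
    try:
        fixed_origin(url, frag, opts, ARTIFACT)
        rejected = False
    except HashMismatch:
        rejected = True
    return bad, rejected


if __name__ == "__main__":
    bad, rejected = demo()
    print("buggy origin.json records:", bad["archive_info"]["hashes"])
    print("audit of buggy entry passes:", verify_origin(bad, ARTIFACT))
    print("fixed logic rejects the requirement:", rejected)
```

The audit function is the check worth running over a real cache: for each origin.json beside a cached wheel, recompute the recorded digests from the cached file and flag any entry that fails, since an entry written by the behaviour described above cannot be used to verify anything later.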
@sbidoul
Member Author

sbidoul commented Apr 10, 2023

I am not sure whether this behaviour of ignoring the link hash when a good --hash is provided is intentional.

Related:
