diff --git a/peps/pep-0710.rst b/peps/pep-0710.rst index cc4316871fd..98b99dcabe3 100644 --- a/peps/pep-0710.rst +++ b/peps/pep-0710.rst @@ -446,6 +446,17 @@ contain any entries. In such cases, pip does not create any is encouraged for consumers to rebuild wheels with a newer version of pip in these cases. +uv developers `raised a concern about requiring at least one hash +`__ in the ``provenance_url.json`` file +as uv does not calculate distribution hashes unless explicitly required. +However, requiring at least one hash aids in integrity checks for +distributions. This is important in scenarios involving lock files or when +identifying distributions as part of SBOMs. The ``provenance_url.json`` file +mandates the inclusion of at least one hash for the downloaded distribution. +Installers that do not compute hashes of distributions as part of the +installation process (e.g., due to performance reasons) can omit creating the +``provenance_url.json`` file. + Making the hashes key optional ------------------------------ @@ -670,10 +681,10 @@ which this idea originated. Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback and support to work on this PEP. -Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for -reviewing this PEP and providing valuable suggestions. +Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner +for reviewing this PEP and providing valuable suggestions. -Thanks to Seth Michael Larson for providing valuable suggestions and for +Thanks to Seth Michael Larson for support, providing valuable suggestions and for the proposed pip-sbom prototype. Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`, and related 
@@ -684,6 +695,8 @@ Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`, and related Thanks to Frost Ming for raising possible concern around storing index URL in the ``provenance_url.json`` file and initial PEP 710 support in PDM. +Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer. + Last, but not least, thanks to Donald Stufft for sponsoring this PEP. Copyright
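Review bot: in the @@ -446 hunk the reST hyperlink in the new paragraph has no target: the visible lines read ``raised a concern about requiring at least one hash`` immediately followed by the closing ```__``, with nothing between the link text and the backtick, so Sphinx will report an unresolved reference unless the ``<https://...>`` URL was dropped in the diff rendering; please confirm it is present in the committed file. The same paragraph also pulls in two directions: it states that the file "mandates the inclusion of at least one hash" and then that installers which do not compute hashes "can omit creating the ``provenance_url.json`` file". Spell out the consequence for consumers, i.e. that a missing file means no provenance was recorded at all (URL and index included), not a malformed record, so that lock-file and SBOM tooling treats absence as "unknown provenance" rather than as an error or as a verified install.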
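Review bot: in the @@ -670 hunk the rewritten Seth Michael Larson sentence loses its parallel structure: "for support, providing valuable suggestions and for the proposed pip-sbom prototype" mixes a bare noun, a gerund and a second "for". Suggest "Thanks to Seth Michael Larson for support, for providing valuable suggestions, and for the proposed pip-sbom prototype." The Adam Turner addition on the preceding lines reads fine.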
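Review bot: in the @@ -684 hunk, "for inputs related to the uv installer" should read "for input related to the uv installer"; "input" is a mass noun in this sense, and the neighbouring acknowledgements in the same section use the singular ("early feedback and support", "initial PEP 710 support in PDM").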