Feature request: Support dependency hashing #716
Comments
You might want to look at https://github.com/sbidoul/hatch-pip-deepfreeze Reading through the plugin source code, I can see that developing a plugin for And I assume the only reason See also: https://hatch.pypa.io/latest/meta/faq/#libraries-vs-applications
It's not quite as easy as it appears based on the dive into the code that I did the other day. Hatch is using A purpose of hashing requirements is to protect a build system from a specific type of supply chain attack -- one where the upstream repository is compromised and a package has been replaced on the server. Unfortunately,
Thanks for the extended explanation and motivation.
That's a revelation for me. Well, then I guess it indeed needs handling on Btw, pypa/pip#10748 that the docs reference is now closed and Does this mean there are no blockers for the locking feature then?
I should have been more specific in my original description, but this basically nails it. Thanks :) I have been working around things for now by using
Given the focus on supply chain hardening these days, I was a little surprised to see that Hatch doesn't support dependency hashing.
Requirements files with hashes (generated by pip-compile in this case) typically take the form:
I only just started investigating Hatch so I have no idea how this could work in practice. I filed a similar bug on hatch-requirements-txt as ideally I want to read the contents of requirements files that are generated by pip-compile, but that could/would be difficult in this project without the above plugin.
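To illustrate the check the issue is asking Hatch to support, the following is an added example written for this page (not code from Hatch, pip, pip-compile or hatch-requirements-txt): it parses a requirements file in pip-compile's `--generate-hashes` layout and refuses an artifact whose digest does not match a pinned hash, or whose requirement has no hash at all. The requirements text, the artifact bytes and the helper names are all constructed for the example.

```python
import hashlib
from typing import Dict, List

# Constructed artifacts standing in for a downloaded wheel and sdist (not real packages).
WHEEL = b"constructed wheel bytes for requests 2.31.0"
SDIST = b"constructed sdist bytes for requests 2.31.0"

# Constructed requirements text in the pip-compile --generate-hashes layout:
# one requirement per logical line, continued with backslashes, one --hash per artifact.
SAMPLE_REQUIREMENTS = f"""\
# constructed example, not pip-compile output from the issue
requests==2.31.0 \\
    --hash=sha256:{hashlib.sha256(WHEEL).hexdigest()} \\
    --hash=sha256:{hashlib.sha256(SDIST).hexdigest()}
idna==3.4
"""


def parse_hashed_requirements(text: str) -> Dict[str, List[str]]:
    """Map each pinned requirement to its allowed 'algorithm:hexdigest' entries."""
    pins: Dict[str, List[str]] = {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        pins[tokens[0]] = [t[len("--hash="):] for t in tokens[1:] if t.startswith("--hash=")]
    return pins


def verify_artifact(data: bytes, allowed: List[str]) -> bool:
    """Accept the artifact only if its digest matches one of the pinned hashes."""
    for entry in allowed:
        algo, _, expected = entry.partition(":")
        if hashlib.new(algo, data).hexdigest() == expected.lower():
            return True
    return False


def check_install(requirements: str, requirement: str, data: bytes) -> str:
    """Mirror hash-checking mode: an unpinned requirement is refused, not trusted."""
    pins = parse_hashed_requirements(requirements)
    if requirement not in pins:
        return "unknown requirement"
    if not pins[requirement]:
        return "refused: no hash pinned"
    return "ok" if verify_artifact(data, pins[requirement]) else "refused: hash mismatch"


if __name__ == "__main__":
    print(check_install(SAMPLE_REQUIREMENTS, "requests==2.31.0", WHEEL))
    print(check_install(SAMPLE_REQUIREMENTS, "requests==2.31.0", WHEEL + b"\x00"))
    print(check_install(SAMPLE_REQUIREMENTS, "idna==3.4", b"anything"))
```

The replaced-package case from the discussion above corresponds to the tampered artifact: its digest no longer matches any pinned hash, so the install is refused before anything is unpacked.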