
Add additional wheel validation checks #7982

Open
pradyunsg opened this issue Apr 4, 2020 · 2 comments
Labels
C: wheel The wheel format and 'pip wheel' command kind: backwards incompatible Would be backward incompatible type: feature request Request for a new feature

Comments

@pradyunsg
Member

pradyunsg commented Apr 4, 2020

I [@pfmoore] propose the following checks:

  1. That the wheel has a METADATA file conforming to the PEP 314 spec. RFC822 format, with a subset of the mandatory keys present - Metadata-Version, Name, Version, Summary, Author-Email, License.
  2. That the wheel has a RECORD file with lines for METADATA, WHEEL and RECORD. I'd like to think that checking hashes is overkill. However, the page linked in the issue report seems to be recommending deliberately omitting required aspects of the spec if you can get away with it, so I'm forced to consider that checking a couple of hashes (METADATA and WHEEL) might be sufficient to make omitting hashes too hard to be worth bothering about.
  3. That all files in the wheel are mentioned in RECORD.

These checks are not comprehensive - the idea is to ensure people aren't uploading corrupt wheels, not to act as a full validation suite.

I'm honestly saddened that we need to do this. Deliberate violation of the wheel spec seems like the sort of behaviour that should be fixable simply by letting the author of the invalid wheel know of their mistake. Having to defend against deliberate attempts to undermine the standardisation work going on is depressing.

Originally posted by @pfmoore in #3513 (comment)

Creating a follow up issue, to be able to track actually doing this. :)
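The three checks above, as an added example that is not part of this issue and not pip's own code. It builds a tiny constructed wheel in memory (sample project name `demo`, not a real package) and runs the checks against it: METADATA present with the listed mandatory keys, RECORD present with entries for METADATA/WHEEL/RECORD and matching sha256 hashes for METADATA and WHEEL (the two files pfmoore suggests hashing), and every archive member listed in RECORD. The RECORD hash encoding (sha256, urlsafe base64 without padding) follows the wheel spec; `validate_wheel` and `build_sample_wheel` are names chosen here.

```python
import base64
import csv
import hashlib
import io
import zipfile
from email.parser import Parser

# Keys the first check treats as mandatory (the subset named in the issue).
REQUIRED_METADATA_KEYS = ("Metadata-Version", "Name", "Version",
                          "Summary", "Author-Email", "License")
# Files whose RECORD hashes are verified under the second check.
HASH_CHECKED = ("METADATA", "WHEEL")


def record_digest(data):
    """sha256 in the RECORD encoding: urlsafe base64 with '=' padding stripped."""
    raw = base64.urlsafe_b64encode(hashlib.sha256(data).digest())
    return "sha256=" + raw.rstrip(b"=").decode("ascii")


def validate_wheel(wheel_bytes):
    """Run the three checks; returns a list of problems (empty means the wheel passed)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        dist_infos = {n.split("/", 1)[0] for n in names
                      if n.split("/", 1)[0].endswith(".dist-info")}
        if len(dist_infos) != 1:
            return ["expected exactly one .dist-info directory, found %r" % sorted(dist_infos)]
        di = dist_infos.pop()

        # Check 1: METADATA exists and carries the mandatory RFC 822 headers.
        meta_path = di + "/METADATA"
        if meta_path not in names:
            problems.append("METADATA missing")
        else:
            headers = Parser().parsestr(zf.read(meta_path).decode("utf-8"))
            for key in REQUIRED_METADATA_KEYS:
                if headers.get(key) is None:
                    problems.append("METADATA lacks " + key)

        # Check 2: RECORD exists, lists METADATA/WHEEL/RECORD, and the
        # METADATA and WHEEL hashes it carries match the archive contents.
        record_path = di + "/RECORD"
        if record_path not in names:
            problems.append("RECORD missing")
            return problems
        record = {}  # archive path -> hash field ("" when the line carries none)
        for row in csv.reader(io.StringIO(zf.read(record_path).decode("utf-8"))):
            if row:
                record[row[0]] = row[1] if len(row) > 1 else ""
        for name in ("METADATA", "WHEEL", "RECORD"):
            if di + "/" + name not in record:
                problems.append("RECORD has no entry for " + name)
        for name in HASH_CHECKED:
            path = di + "/" + name
            if path not in names:
                problems.append(name + " missing from archive")
                continue
            if path not in record:
                continue  # already reported above
            if not record[path].startswith("sha256="):
                problems.append("RECORD entry for %s has no sha256 hash" % name)
            elif record[path] != record_digest(zf.read(path)):
                problems.append("hash mismatch for " + name)

        # Check 3: every file in the archive is listed in RECORD.
        for name in names:
            if name not in record:
                problems.append(name + " not listed in RECORD")
    return problems


def build_sample_wheel(omit_hashes=False, unlisted_file=False, drop_key=None):
    """Construct a tiny in-memory wheel (sample data, not a real project) to exercise the checks."""
    di = "demo-1.0.dist-info"
    meta = ["Metadata-Version: 2.1", "Name: demo", "Version: 1.0",
            "Summary: constructed sample wheel",
            "Author-Email: nobody@example.invalid", "License: MIT"]
    if drop_key:
        meta = [line for line in meta if not line.startswith(drop_key + ":")]
    files = {
        "demo/__init__.py": b"VERSION = '1.0'\n",
        di + "/METADATA": ("\n".join(meta) + "\n").encode("utf-8"),
        di + "/WHEEL": b"Wheel-Version: 1.0\nGenerator: constructed-example\n"
                       b"Root-Is-Purelib: true\nTag: py3-none-any\n",
    }
    rows = [[path, "" if omit_hashes else record_digest(data), str(len(data))]
            for path, data in files.items()]
    rows.append([di + "/RECORD", "", ""])  # RECORD never hashes itself
    record_text = io.StringIO()
    csv.writer(record_text, lineterminator="\n").writerows(rows)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
        if unlisted_file:
            zf.writestr("demo/stray.py", b"# deliberately absent from RECORD\n")
        zf.writestr(di + "/RECORD", record_text.getvalue())
    return out.getvalue()


if __name__ == "__main__":
    print(validate_wheel(build_sample_wheel()))                    # []
    print(validate_wheel(build_sample_wheel(omit_hashes=True)))
    print(validate_wheel(build_sample_wheel(unlisted_file=True)))
```

Only the two hashes pfmoore names are verified, so a wheel whose RECORD carries hashes for METADATA and WHEEL but deliberately omits them elsewhere still passes; verifying every entry is the same loop over all of `record` and is the stricter option if that proves insufficient.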

@triage-new-issues triage-new-issues bot added the S: needs triage Issues/PRs that need to be triaged label Apr 4, 2020
@pradyunsg pradyunsg added C: wheel The wheel format and 'pip wheel' command kind: backwards incompatible Would be backward incompatible type: feature request Request for a new feature labels Apr 4, 2020
@triage-new-issues triage-new-issues bot removed S: needs triage Issues/PRs that need to be triaged labels Apr 4, 2020
@xavfernandez
Member

Somewhat related to #7179

@dholth
Member

dholth commented Apr 7, 2020

bdist_wheel's unpacker, which is not used in pip, originally checked all hashes automatically as each file was extracted. (try the wheel unpack command on an invalid file)
