Thanks guys On Saturday, 27 July 2019 00:29:45 UTC+1, Ian Stapleton Cordasco wrote: > > To be clear, there is no verification or scanning of source code. Not is > there verification of origin. PyPI generates hashes that are used to verify > the integrity of what was uploaded there and then downloaded > > Sent from my phone with my typo-happy thumbs. Please excuse my brevity > > On Fri, Jul 26, 2019, 11:41 Brett Cannon <br...@python.org <javascript:>> > wrote: > >> Sviatoslav >> >> >> On Fri, Jul 26, 2019 at 4:58 AM Ioakim Ioakim <ioak...@gmail.com >> <javascript:>> wrote: >> >>> I am not sure. I am just looking to find where in the source code a >>> package gets verified before being installed on a client's machine >>> >> >> Unfortunately something stripped out what you were replying to, Ioakim, >> but I assume it was to Sviatoslav and his --require-hashes suggestion, in >> which case that's what you're looking for if you want to verify what you >> downloaded matches what PyPI has. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "pypa-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to pypa...@googlegroups.com <javascript:>. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/pypa-dev/CAP1%3D2W5YzPxkFaUeoe0%3Dsq%3DFi43HqRMWo0tay6LYYA8cUKXW9A%40mail.gmail.com >> >> <https://groups.google.com/d/msgid/pypa-dev/CAP1%3D2W5YzPxkFaUeoe0%3Dsq%3DFi43HqRMWo0tay6LYYA8cUKXW9A%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> >
-- You received this message because you are subscribed to the Google Groups "pypa-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to pypa-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/pypa-dev/452fc22d-aa69-4398-8730-5739b0eb7fcf%40googlegroups.com.