On Fri, Jul 26, 2019 at 4:57 AM Ioakim Ioakim <ioaki...@gmail.com> wrote:
> I am not sure. I am just looking to find where in the source code a > package gets verified before being installed on a client's machine > If you're using pip with e.g. --require-hashes, it looks like these (after a quick search) are the two main places in pip's code where pip checks the hashes of downloaded files: * in _download_url(): https://github.com/pypa/pip/blob/2e51624bbb42c83ac3ec5898f71657ea5186a784/src/pip/_internal/download.py#L858-L859 * in unpack_file_url(): https://github.com/pypa/pip/blob/2e51624bbb42c83ac3ec5898f71657ea5186a784/src/pip/_internal/download.py#L959-L965 --Chris -- You received this message because you are subscribed to the Google Groups "pypa-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to pypa-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/pypa-dev/CAOTb1we3mg9Z%3DKOF5AsKPPo%2BpAkyq60JfCNkjXu4xRmBMJkJFg%40mail.gmail.com.