thanks

On Saturday, 27 July 2019 22:33:31 UTC+1, Chris Jerdonek wrote:
>
> On Fri, Jul 26, 2019 at 4:57 AM Ioakim Ioakim <ioak...@gmail.com> wrote:
>
>> I am not sure. I am just looking to find where in the source code a
>> package gets verified before being installed on a client's machine
>>
>
> If you're using pip with e.g. --require-hashes, it looks like these (after
> a quick search) are the two main places in pip's code where pip checks the
> hashes of downloaded files:
>
> * in _download_url():
>   https://github.com/pypa/pip/blob/2e51624bbb42c83ac3ec5898f71657ea5186a784/src/pip/_internal/download.py#L858-L859
> * in unpack_file_url():
>   https://github.com/pypa/pip/blob/2e51624bbb42c83ac3ec5898f71657ea5186a784/src/pip/_internal/download.py#L959-L965
>
> --Chris
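The kind of check discussed in this thread, as an added example that is not part of the original messages and is not pip's own code: it parses `--hash=` options from a requirements line and refuses a downloaded file whose digest matches none of them. The function names, the package name `example-pkg` and the sample bytes are constructed for illustration.

```python
import hashlib
import io
import re

# Matches the requirements-file option form: --hash=<algorithm>:<hex digest>
HASH_OPT = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-f]+)")
# Algorithms this example accepts (an assumption of the example).
STRONG = {"sha256", "sha384", "sha512"}

# Constructed sample data: a fake archive body and a line pinning its digest.
SAMPLE_ARCHIVE = b"constructed sample archive bytes"
SAMPLE_LINE = ("example-pkg==1.0 --hash=sha256:"
               + hashlib.sha256(SAMPLE_ARCHIVE).hexdigest())


def parse_allowed_hashes(requirement_line):
    """Return {algorithm: {digest, ...}} pinned on one requirements line."""
    allowed = {}
    for m in HASH_OPT.finditer(requirement_line):
        if m["alg"] not in STRONG:
            raise ValueError(f"unsupported hash algorithm: {m['alg']}")
        allowed.setdefault(m["alg"], set()).add(m["digest"])
    return allowed


def check_against_hashes(stream, allowed, chunk_size=8192):
    """Hash the stream with every pinned algorithm; raise if nothing matches."""
    if not allowed:
        # Hash-checking mode must fail closed when no digest is pinned.
        raise ValueError("no --hash given for this requirement")
    hashers = {alg: hashlib.new(alg) for alg in allowed}
    # Read in chunks so large archives are not loaded into memory at once.
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    got = {alg: h.hexdigest() for alg, h in hashers.items()}
    if any(got[alg] in digests for alg, digests in allowed.items()):
        return got
    raise ValueError(f"hash mismatch, refusing to install: got {got}")


if __name__ == "__main__":
    pinned = parse_allowed_hashes(SAMPLE_LINE)
    print(check_against_hashes(io.BytesIO(SAMPLE_ARCHIVE), pinned))
```
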