Re: package verification

2019-07-28 Thread Ioakim Ioakim
thanks

On Saturday, 27 July 2019 22:33:31 UTC+1, Chris Jerdonek wrote:
>
> On Fri, Jul 26, 2019 at 4:57 AM Ioakim Ioakim wrote:
>
>> I am not sure. I am just looking to find where in the source code a 
>> package gets verified before being installed on a client's machine
>>
>
> If you're using pip with e.g. --require-hashes, it looks like these (after 
> a quick search) are the two main places in pip's code where pip checks the 
> hashes of downloaded files:
>
> * in _download_url(): 
> https://github.com/pypa/pip/blob/2e51624bbb42c83ac3ec5898f71657ea5186a784/src/pip/_internal/download.py#L858-L859
> * in unpack_file_url(): 
> https://github.com/pypa/pip/blob/2e51624bbb42c83ac3ec5898f71657ea5186a784/src/pip/_internal/download.py#L959-L965
>
> --Chris
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"pypa-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to pypa-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pypa-dev/5775612b-bc17-40f7-9015-5d4afba6b741%40googlegroups.com.


Re: package verification

2019-07-27 Thread Chris Jerdonek
On Fri, Jul 26, 2019 at 4:57 AM Ioakim Ioakim wrote:

> I am not sure. I am just looking to find where in the source code a
> package gets verified before being installed on a client's machine
>

If you're using pip with e.g. --require-hashes, it looks like these (after
a quick search) are the two main places in pip's code where pip checks the
hashes of downloaded files:

* in _download_url():
https://github.com/pypa/pip/blob/2e51624bbb42c83ac3ec5898f71657ea5186a784/src/pip/_internal/download.py#L858-L859
* in unpack_file_url():
https://github.com/pypa/pip/blob/2e51624bbb42c83ac3ec5898f71657ea5186a784/src/pip/_internal/download.py#L959-L965

--Chris

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pypa-dev/CAOTb1we3mg9Z%3DKOF5AsKPPo%2BpAkyq60JfCNkjXu4xRmBMJkJFg%40mail.gmail.com.
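The check Chris points at (and the integrity property Ian describes elsewhere in this thread) is small enough to show end to end. The script below is an added example written for this thread, not pip's own code: it parses `--hash=` options the way a hash-pinned requirements file carries them, then verifies "downloaded" bytes against the pins before anything would be unpacked. The package names, the archive bytes and the `demo()` helper are constructed for the example; the three accepted algorithms and the rule that every requirement must be pinned in `--require-hashes` mode match pip's documented behaviour.

```python
"""Hash-pinned install check, as an added example (not pip's own code).

Mirrors what pip does under --require-hashes: every requirement must carry
at least one --hash= option, and the bytes actually downloaded must match
one of the pinned digests before anything is unpacked or installed.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Digest algorithms accepted in --hash= options (pip allows the SHA-2 family).
ALLOWED_ALGORITHMS = ("sha256", "sha384", "sha512")

HASH_OPTION = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


class MissingHashes(Exception):
    """Hashes are required but the requirement pins none."""


class HashMismatch(Exception):
    """The downloaded bytes match none of the pinned digests."""


@dataclass
class Requirement:
    spec: str                                   # e.g. "example-pkg==1.0.0"
    hashes: dict = field(default_factory=dict)  # algorithm -> set of hex digests


def parse_requirement_line(line: str) -> Requirement:
    """Parse one (already joined) line of a hash-pinned requirements file."""
    spec, *options = line.split()
    req = Requirement(spec)
    for opt in options:
        m = HASH_OPTION.fullmatch(opt)
        if m is None:
            raise ValueError(f"{spec}: unsupported option {opt!r}")
        alg = m.group("alg")
        if alg not in ALLOWED_ALGORITHMS:
            raise ValueError(f"{spec}: unsupported hash algorithm {alg!r}")
        req.hashes.setdefault(alg, set()).add(m.group("digest").lower())
    return req


def check_downloaded(req: Requirement, data: bytes, require_hashes: bool = True) -> str:
    """Return the algorithm whose pinned digest matches `data`, or raise.

    With require_hashes=True an unpinned requirement is an error, not a pass:
    that is what stops a substituted artifact from being installed silently.
    """
    if not req.hashes:
        if require_hashes:
            raise MissingHashes(f"{req.spec}: no --hash pinned while hashes are required")
        return "unverified"
    for alg, digests in req.hashes.items():
        actual = hashlib.new(alg, data).hexdigest()
        if actual in digests:
            return alg
    raise HashMismatch(f"{req.spec}: downloaded file matches none of the pinned hashes")


# Constructed sample artifacts; these are not real packages.
GOOD_ARCHIVE = b"PK\x03\x04 constructed wheel bytes for example-pkg 1.0.0"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b" (one extra byte changes the digest)"
GOOD_DIGEST = hashlib.sha256(GOOD_ARCHIVE).hexdigest()

PINNED_LINE = f"example-pkg==1.0.0 --hash=sha256:{GOOD_DIGEST}"
UNPINNED_LINE = "other-pkg==2.0.0"


def demo() -> dict:
    """Exercise the three outcomes a practitioner should expect."""
    results = {}
    results["good"] = check_downloaded(parse_requirement_line(PINNED_LINE), GOOD_ARCHIVE)
    try:
        check_downloaded(parse_requirement_line(PINNED_LINE), TAMPERED_ARCHIVE)
    except HashMismatch:
        results["tampered"] = "rejected"
    try:
        check_downloaded(parse_requirement_line(UNPINNED_LINE), GOOD_ARCHIVE)
    except MissingHashes:
        results["unpinned"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())  # {'good': 'sha256', 'tampered': 'rejected', 'unpinned': 'rejected'}
```

The important design point is the third case: in `--require-hashes` mode a requirement without any pin is rejected rather than skipped, so a requirements file cannot quietly mix verified and unverified installs. The check also says nothing about who published the file; a matching digest only proves the bytes are the ones that were pinned.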


Re: package verification

2019-07-27 Thread Ioakim Ioakim
Thanks guys

On Saturday, 27 July 2019 00:29:45 UTC+1, Ian Stapleton Cordasco wrote:
>
> To be clear, there is no verification or scanning of source code. Nor is 
> there verification of origin. PyPI generates hashes that are used to verify 
> the integrity of what was uploaded there and then downloaded
>
> Sent from my phone with my typo-happy thumbs. Please excuse my brevity
>
> On Fri, Jul 26, 2019, 11:41 Brett Cannon wrote:
>
>> Sviatoslav
>>
>>
>> On Fri, Jul 26, 2019 at 4:58 AM Ioakim Ioakim wrote:
>>
>>> I am not sure. I am just looking to find where in the source code a 
>>> package gets verified before being installed on a client's machine
>>>
>>
>> Unfortunately something stripped out what you were replying to, Ioakim, 
>> but I assume it was to Sviatoslav and his --require-hashes suggestion, in 
>> which case that's what you're looking for if you want to verify what you 
>> downloaded matches what PyPI has.
>>
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pypa-dev/452fc22d-aa69-4398-8730-5739b0eb7fcf%40googlegroups.com.


Re: package verification

2019-07-26 Thread Ian Stapleton Cordasco
To be clear, there is no verification or scanning of source code. Nor is
there verification of origin. PyPI generates hashes that are used to verify
the integrity of what was uploaded there and then downloaded

Sent from my phone with my typo-happy thumbs. Please excuse my brevity

On Fri, Jul 26, 2019, 11:41 Brett Cannon wrote:

> Sviatoslav
>
>
> On Fri, Jul 26, 2019 at 4:58 AM Ioakim Ioakim wrote:
>
>> I am not sure. I am just looking to find where in the source code a
>> package gets verified before being installed on a client's machine
>>
>
> Unfortunately something stripped out what you were replying to, Ioakim,
> but I assume it was to Sviatoslav and his --require-hashes suggestion, in
> which case that's what you're looking for if you want to verify what you
> downloaded matches what PyPI has.
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pypa-dev/CAN-Kwu1zp3ykj8S%3D1kPGYUy_GagTC5gULDWmeRR4OtwGj5JPQQ%40mail.gmail.com.


Re: package verification

2019-07-26 Thread Brett Cannon
Sviatoslav


On Fri, Jul 26, 2019 at 4:58 AM Ioakim Ioakim wrote:

> I am not sure. I am just looking to find where in the source code a
> package gets verified before being installed on a client's machine
>

Unfortunately something stripped out what you were replying to, Ioakim,
but I assume it was to Sviatoslav and his --require-hashes suggestion, in
which case that's what you're looking for if you want to verify what you
downloaded matches what PyPI has.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pypa-dev/CAP1%3D2W5YzPxkFaUeoe0%3Dsq%3DFi43HqRMWo0tay6LYYA8cUKXW9A%40mail.gmail.com.


Re: package verification

2019-07-26 Thread Ioakim Ioakim
I am not sure. I am just looking to find where in the source code a package 
gets verified before being installed on a client's machine

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pypa-dev/f9d87607-512b-4901-b4b6-f71213de2a71%40googlegroups.com.