On Fri, Jul 26, 2019 at 4:57 AM Ioakim Ioakim wrote:
> I am not sure. I am just looking to find where in the source code a
> package gets verified before being installed on a client's machine
>
If you're using pip with e.g. --require-hashes, it looks like these (after
a quick search) are the two

Thanks guys
On Saturday, 27 July 2019 00:29:45 UTC+1, Ian Stapleton Cordasco wrote:
>
> To be clear, there is no verification or scanning of source code. Nor is
> there verification of origin. PyPI generates hashes that are used to verify
> the integrity of what was uploaded there and then downl