Re: package verification

2019-07-28 Thread Ioakim Ioakim
thanks On Saturday, 27 July 2019 22:33:31 UTC+1, Chris Jerdonek wrote: > > On Fri, Jul 26, 2019 at 4:57 AM Ioakim Ioakim > wrote: > >> I am not sure. I am just looking to find where in the source code a >> package gets verified before being installed on a client's machine >> > > If you're using

Re: package verification

2019-07-27 Thread Chris Jerdonek
On Fri, Jul 26, 2019 at 4:57 AM Ioakim Ioakim wrote: > I am not sure. I am just looking to find where in the source code a > package gets verified before being installed on a client's machine > If you're using pip with e.g. --require-hashes, it looks like these (after a quick search) are the two

Re: package verification

2019-07-27 Thread Ioakim Ioakim
Thanks guys On Saturday, 27 July 2019 00:29:45 UTC+1, Ian Stapleton Cordasco wrote: > > To be clear, there is no verification or scanning of source code. Not is > there verification of origin. PyPI generates hashes that are used to verify > the integrity of what was uploaded there and then downl

Re: package verification

2019-07-26 Thread Ian Stapleton Cordasco
To be clear, there is no verification or scanning of source code. Not is there verification of origin. PyPI generates hashes that are used to verify the integrity of what was uploaded there and then downloaded Sent from my phone with my typo-happy thumbs. Please excuse my brevity On Fri, Jul 26,

Re: package verification

2019-07-26 Thread Brett Cannon
Sviatoslav On Fri, Jul 26, 2019 at 4:58 AM Ioakim Ioakim wrote: > I am not sure. I am just looking to find where in the source code a > package gets verified before being installed on a client's machine > Unfortunately something stripped out what you were replying to, Ioakim, but I assume it

Re: package verification

2019-07-26 Thread Ioakim Ioakim
I am not sure. I am just looking to find where in the source code a package gets verified before being installed on a client's machine -- You received this message because you are subscribed to the Google Groups "pypa-dev" group. To unsubscribe from this group and stop receiving emails from it,

Re: package verification

2019-07-26 Thread Ioakim Ioakim
I am looking to find where in the source code a package gets verified before being installed on a client's machine -- You received this message because you are subscribed to the Google Groups "pypa-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to p

Re: package verification

2019-07-25 Thread Sviatoslav Sydorenko
Are you talking about `--require-hashes` in Pip? чт, 25 лип. 2019 о 19:30 Ioakim Ioakim пише: > Hi > > Does anyone know where in the source code a package gets verified before > being installed? > > Thanks > > -- > You received this message because you are subscribed to the Google Groups > "pypa