author: Stéphane Bidoul <stephane.bidoul@gmail.com> 2023-04-17 18:36:42 +0200
committer: GitHub <noreply@github.com> 2023-04-17 11:36:42 -0500
commit: 3b8791f8411e4d8aedf5e759dbbd8bb82eff70fd (patch)
tree: 99ab2ec05d1e35e92c8f3ac52b7a7fb01fe6e0a0
parent: b9c1097f14265c725327fb8a49a377837a2b9aea (diff)
download: pip-3b8791f8411e4d8aedf5e759dbbd8bb82eff70fd.tar.gz
Update docs about hash checking and wheel cache (#11967)
-rw-r--r-- docs/html/topics/secure-installs.md 12
-rw-r--r-- news/11967.doc.rst 2
2 files changed, 8 insertions, 6 deletions
diff --git a/docs/html/topics/secure-installs.md b/docs/html/topics/secure-installs.md
index f012842b2..bda3c4485 100644
--- a/docs/html/topics/secure-installs.md
+++ b/docs/html/topics/secure-installs.md
@@ -59,13 +59,13 @@ It is possible to use multiple hashes for each package. This is important when a
### Interaction with caching
-The {ref}`locally-built wheel cache <wheel-caching>` is disabled in hash-checking mode to prevent spurious hash mismatch errors.
-
-These would otherwise occur while installing sdists that had already been automatically built into cached wheels: those wheels would be selected for installation, but their hashes would not match the sdist ones from the requirements file.
-
-A further complication is that locally built wheels are nondeterministic: contemporary modification times make their way into the archive, making hashes unpredictable across machines and cache flushes. Compilation of C code adds further nondeterminism, as many compilers include random-seeded values in their output.
+```{versionchanged} 23.1
+The {ref}`locally-built wheel cache <wheel-caching>` is used in hash-checking mode too.
+```
-However, wheels fetched from index servers are required to be the same every time. They land in pip's HTTP cache, not its wheel cache, and are used normally in hash-checking mode. The only downside of having the wheel cache disabled is thus extra build time for sdists, and this can be solved by making sure pre-built wheels are available from the index server.
+When installing from the cache of locally built wheels in hash-checking mode, pip verifies
+the hashes against those of the original source distribution that was used to build the wheel.
+These original hashes are obtained from a `origin.json` file stored in each cache entry.
### Using hashes from PyPI (or other index servers)
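Review bot: the new paragraph does not say what pip does with a cache entry that has no `origin.json` (entries built before 23.1, or entries whose recorded origin hashes do not match the requirements file), and that is the case a reader of a "secure installs" page most needs to know; one sentence stating whether such an entry is ignored and the sdist rebuilt, or whether the install fails with a hash mismatch, would close the gap the removed text about nondeterministic locally built wheels used to cover. Two smaller points in the same lines: "a `origin.json` file" should read "an `origin.json` file", and the three added lines are wrapped at an arbitrary width while the rest of the section uses one line per paragraph, so reflowing them to match would keep the file consistent.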
diff --git a/news/11967.doc.rst b/news/11967.doc.rst
new file mode 100644
index 000000000..4d9a23b03
--- /dev/null
+++ b/news/11967.doc.rst
@@ -0,0 +1,2 @@
+Update documentation to reflect the new behavior of using the cache of locally
+built wheels in hash-checking mode.
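Review bot: the fragment describes a behaviour change ("the new behavior of using the cache of locally built wheels in hash-checking mode") without saying where the documentation was updated, so a changelog reader cannot find the relevant text; naming the page, for example "in the Secure installs topic (Interaction with caching)", would make the `.doc.rst` entry actionable.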