
Optionally don't write a RECORD file #246

rossburton opened this issue Oct 21, 2024 · 4 comments
Labels
component: records Related to installer.records type: feature A self-contained enhancement or new feature

Comments

rossburton commented Oct 21, 2024

The RECORD file is a partial list of files in the wheel and their hashes. Quoting from PEP 0491:

RECORD is a list of (almost) all the files in the wheel and their secure hashes. Unlike PEP 376, every file except RECORD, which cannot contain a hash of itself, must include its hash. The hash algorithm must be sha256 or better; specifically, md5 and sha1 are not permitted, as signed wheel files rely on the strong hashes in RECORD to validate the integrity of the archive.

It's incredibly useful to have this inside the wheel at installation time, but if the target is not going to be managed by a python package manager then it's just pointless. For example, a Linux distribution package of Python won't need the RECORD file: it already has tooling for the list of files and their hashes.

The rationale to remove the file entirely instead of just ignoring it is that when the file is present, pip thinks it can use it. This means sudo pip can remove files from the system packages, which is asking for trouble.

Interesting prior art:

Instead of these tools having to go in and remove files, it would be nice if installer had an option to stop it writing the file in the first place.
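The RECORD layout the comment above describes, worked through as an added example (not code from the installer project): a small writer and verifier for the "path,sha256=…,size" rows, with the RECORD row itself left unhashed. The sample file tree and the "pkg-1.0.dist-info/RECORD" path are constructed for the demonstration.

```python
# Added example, not code from the installer project: parse a wheel RECORD
# file and verify the listed files. Per PEP 491 each row is
# "path,sha256=<urlsafe-base64 digest, no padding>,size"; RECORD's own row
# has empty hash and size because the file cannot contain a hash of itself.
import base64
import csv
import hashlib
import io

def record_digest(data: bytes) -> str:
    """Hash field for data: sha256, urlsafe base64 with padding stripped."""
    raw = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def write_record(files: dict, record_path: str) -> str:
    """Build RECORD text for an in-memory {path: bytes} file tree."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for path, data in sorted(files.items()):
        writer.writerow([path, record_digest(data), len(data)])
    writer.writerow([record_path, "", ""])  # RECORD cannot hash itself
    return out.getvalue()

def verify_record(record_text: str, files: dict) -> list:
    """Return (path, problem) tuples; an empty list means the tree matches RECORD."""
    problems = []
    for row in csv.reader(io.StringIO(record_text)):
        if not row:
            continue
        path, digest, size = row
        if digest == "" and path.rsplit("/", 1)[-1] == "RECORD":
            continue  # the RECORD entry itself: nothing to check
        if not digest.startswith("sha256="):
            # PEP 491 rejects md5/sha1 (and a missing hash) for every other file
            problems.append((path, "unacceptable hash algorithm: " + (digest.split("=")[0] or "none")))
            continue
        data = files.get(path)
        if data is None:
            problems.append((path, "missing"))
        elif record_digest(data) != digest:
            problems.append((path, "hash mismatch"))
        elif str(len(data)) != size:
            problems.append((path, "size mismatch"))
    return problems

# Constructed sample tree, not taken from any real wheel.
SAMPLE_FILES = {
    "pkg/__init__.py": b"__version__ = '1.0'\n",
    "pkg/core.py": b"def run():\n    return 42\n",
}
SAMPLE_RECORD = write_record(SAMPLE_FILES, "pkg-1.0.dist-info/RECORD")
```

Running verify_record over an installed tree is exactly the check a package manager performs from RECORD, which is why a stray RECORD lets pip believe it owns files that a distribution package actually manages.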


Secrus commented Nov 6, 2024

Personally, I don't think we should do that. I understand that some Linux distributions might delete that file, but it is part of the standard, and adding an option to bypass it might encourage people to operate outside of standards.

@Secrus Secrus added type: feature A self-contained enhancement or new feature component: records Related to installer.records labels Nov 6, 2024
rossburton (Author) commented:

Put Yocto/OpenEmbedded on the list of distributions which manually nuke this file: https://lore.kernel.org/openembedded-core/[email protected]/T/#t.

Secrus commented Nov 21, 2024

@pradyunsg your opinion? I think it wouldn't be a good option to add.
