From 6f828c351f726a82450e861f33a4a065a9f4093d Mon Sep 17 00:00:00 2001
From: Erik Rose
Date: Fri, 9 Oct 2015 12:27:10 -0400
Subject: [PATCH] Correct and clarify docs and comments.
---
 docs/reference/pip_install.rst | 4 ++--
 pip/download.py | 11 ++++++-----
 pip/req/req_install.py | 11 ++++++-----
 3 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/docs/reference/pip_install.rst b/docs/reference/pip_install.rst
index 8b0e4ff2f..e7158528a 100644
--- a/docs/reference/pip_install.rst
+++ b/docs/reference/pip_install.rst
@@ -475,8 +475,8 @@ against any requirement not only checks that hash but also activates
 actor could slip bad code into the installation via one of the unhashed
 requirements. Note that hashes embedded in URL-style requirements via the
 ``#md5=...`` syntax suffice to satisfy this rule (regardless of hash
- strength, for legacy reasons), though you use a stronger hash like sha256
- whenever possible.
+ strength, for legacy reasons), though you should use a stronger
+ hash like sha256 whenever possible.
 * Hashes are required for all dependencies. An error is raised if there is
 a dependency that is not spelled out and hashed in the requirements file.
 * Requirements that take the form of project names (rather than URLs or local
diff --git a/pip/download.py b/pip/download.py
index 05bfffd39..9573a33b0 100644
--- a/pip/download.py
+++ b/pip/download.py
@@ -674,10 +674,11 @@ def unpack_file_url(link, location, download_dir=None, hashes=None):
 logger.info('Link is a directory, ignoring download_dir')
 return
- # If --require-hashes is off, `hashes` is either empty, the link hash, or
- # MissingHashes, and it's required to match. If --require-hashes is on, we
- # are satisfied by any hash in `hashes` matching: a URL-based or an
- # option-based one; no internet-sourced hash will be in `hashes`.
+ # If --require-hashes is off, `hashes` is either empty, the
+ # link's embeddded hash, or MissingHashes; it is required to
+ # match. If --require-hashes is on, we are satisfied by any
+ # hash in `hashes` matching: a URL-based or an option-based
+ # one; no internet-sourced hash will be in `hashes`.
 if hashes:
 hashes.check_against_path(link_path)
@@ -744,7 +745,7 @@ def unpack_url(link, location, download_dir=None,
 - if only_download, mark location for deletion
 :param hashes: A Hashes object, one of whose embedded hashes must match,
- or I'll raise HashMismatch. If the Hashes is empty, no matches are
+ or HashMismatch will be raised. If the Hashes is empty, no matches are
 required, and unhashable types of requirements (like VCS ones, which
 would ordinarily raise HashUnsupported) are allowed.
 """
diff --git a/pip/req/req_install.py b/pip/req/req_install.py
index 02e0ab9e3..f43ddc643 100644
--- a/pip/req/req_install.py
+++ b/pip/req/req_install.py
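Review bot: The second added comment line in unpack_file_url has a typo, `embeddded`; it should read `# link's embedded hash, or MissingHashes; it is required to`. The same comment could also make the "empty" case explicit for a reader of the `if hashes:` guard right below it: when `hashes` is falsy the call to `check_against_path` is skipped altogether, so an empty Hashes means no verification of the file, not a vacuous match; a closing line such as `# An empty Hashes is falsy, so the check below is skipped entirely.` would say that. Whether MissingHashes is truthy (and thus reaches the check) cannot be seen from this hunk and would need confirming against the Hashes class. The body of unpack_file_url begins before this hunk.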
@@ -1038,11 +1038,12 @@ exec(compile(
 """Return a hash-comparer that considers my option- and URL-based
 hashes to be known-good.
- Hashes in URLs are almost peers with ones from flags. They satisfy
- --require-hashes (whether it was implicitly or explicitly activated)
- but do not activate it. md5 and sha224 are not allowed in flags, which
- should nudge people toward good algos. We always OR all hashes
- together, even ones from URLs.
+ Hashes in URLs--ones embedded in the requirements file, not ones
+ downloaded from an index server--are almost peers with ones from
+ flags. They satisfy --require-hashes (whether it was implicitly or
+ explicitly activated) but do not activate it. md5 and sha224 are not
+ allowed in flags, which should nudge people toward good algos. We
+ always OR all hashes together, even ones from URLs.
 :param trust_internet: Whether to trust URL-based (#md5=...) hashes
 downloaded from the internet, as by populate_link()
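Review bot: The rewritten docstring calls URL-embedded hashes "almost peers" with flag hashes but leaves the one security-relevant asymmetry implicit: flags reject md5 and sha224, yet a `#md5=...` URL fragment is accepted regardless of algorithm strength, which the pip_install.rst hunk in this same patch describes as a legacy exception. Suggest adding, after the sentence on md5 and sha224: `URL-based hashes are accepted with any algorithm, md5 included, for legacy reasons; only flag-based hashes are restricted.` The method's signature and the code that builds the returned comparer lie above and below this hunk, so how trust_internet affects the result cannot be checked here.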