-
Notifications
You must be signed in to change notification settings - Fork 303
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Discussion: Should pypiserver switch default hash algorithm to sha256? #452
Comments
🙏 thank you @jayeff for opening this issue. We have our own instance of pypiserver and would like to upgrade poetry from 1.1.15 to 1.2.0. If there is a command to update the hashes (from md5 to sha256) in the pypiserver side, I am also interested. |
Hello @jayeff and @lucsorel for bringing this up! That's a very important point and I also see the importance of going towards @lucsorel I believe that restarting the |
thank you very much @dee-me-tree-or-love for your answer. Just to make sure about your advice of restarting the server with If I should update the |
Hey @lucsorel, happy to hear this may be helpful! That's a good point 😅 I am not too familiar with the internals of Could you share if it works as needed if you give it a try? :) |
That is a good lead to follow 👍
Yes, that may happen next week, after the holidays. And I will give some feedback here for the other interested people |
Hey @lucsorel, this sounds great! Yes, of course, any insights will be very much appreciated! :) Thanks a good luck there ✌️ |
I validated this for our switch and this works without issues. Restart pypiserver with
Yes, it will.
Yes, it is 😊
I did not try this. For our case I did run On more thing: When we upgraded some unrelated packages afterwards the old md5 hashes did find their way back into the poetry.lock file. I did not do a detailed analysis why this happened but my working theory is that it pulled the md5-hashes from locally cached packages. After clearing the poetry cache md5-hashes were gone. Alternatively you could consider bumping versions for all packages served from your pypiserver. This should install new packages with sha256 hashes in your local poetry caches. Hope this helps |
🙏 thank you @jayeff for your detailed contribution 😃 |
@dee-me-tree-or-love may I suggest that rather than trying to shoehorn everything into a single large breaking release that you instead start doing smaller breaking changes and not be scared to have I've been a maintainer on a lot of open source projects and found over time that's a much more successful route to actually getting things shipped. For example you could ship this here, and then in |
@jeffwidman thanks a lot for the suggestion! Of course, I fully agree that's definitely a good idea! In fact I've been quite unhappy with my release frequency (sadly often linked to my availability 🙈) in general over the past times. So I'm certainly aiming to increase the cadence by enabling faster changes but still keeping an eye at long-term support :) I'd be very happy to hear some more tips from your experience! :) I'm aiming to open a new announcement regarding the releases soon, so if you could chime in there, I'd really appreciate. I'll give you a ping then :) Hope that sounds alright? |
@jayeff thanks a lot for your PR! That's a great step ⛰️ I have one related idea: before releasing 2.0.0 I'd like to add a little warning log message & a brief migration guide for projects relying on |
Current default configuration of pypiserver does no longer work with poetry >= 1.2 as pypiserver uses md5 by default for hashing. There is an open issue for this here: python-poetry/poetry#6301 (and workaround with using
--hash-algo=sha256
here: python-poetry/poetry#4523 (comment)).This may still be fixed by a future release of poetry. Still I wonder if it would be useful to switch the default hashing algorithm to sha256 as this is current recommendation by PEP 503
(note: highlight is mine)
Changing the algorithm would be a breaking change
The text was updated successfully, but these errors were encountered: