> On Jan 29, 2019, at 9:43 AM, Paul Moore <p.f.mo...@gmail.com> wrote:
> 
> But direct URLs to github repos are a different matter, and are
> frankly just wrong - by their nature a github repo is a changing
> object, and so will never map to a "specific artifact to install".


FWIW, Paul’s statement is supported by PEP 440 itself.

PEP 440 states:

-----
All direct references that do not refer to a local file URL SHOULD specify a 
secure transport mechanism (such as https) AND include an expected hash value 
in the URL for verification purposes. If a direct reference is specified 
without any hash information, with hash information that the tool doesn't 
understand, or with a selected hash algorithm that the tool considers too weak 
to trust, automated tools SHOULD at least emit a warning and MAY refuse to rely 
on the URL. 
-----

Which clearly suggests that the URLs are expected to be immutable (given that 
tooling should at least emit a warning if a hash isn't included, and is 
permitted to error completely, and you can't have a hash unless the target URL 
is immutable).


--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/LAW3FYIKCY5DXHVZWHJ6AAG3UGGBKDH2/
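
The PEP 440 clause quoted in the message above describes a check that a tool would apply to a direct reference: confirm the transport, look for an `<alg>=<hex>` hash in the URL fragment, warn (or refuse) when the hash is missing, unknown or weak, and finally compare the downloaded bytes against the pinned digest. The example below is added here to make that check concrete; it is not code from pip, from PEP 440 or from anyone in the thread. The policy choices (which schemes count as secure, which algorithms are "too weak", that a missing hash only warns unless `strict=True`), the `example.invalid` URLs and the sample artifact bytes are all assumptions made for the example. A bare repository URL such as `https://github.com/org/repo` falls out of the same code path as "no hash information", which is the case the thread is discussing.

```python
"""PEP 440 direct-reference hash/transport check (added example, not pip's code).

Policy constants below are assumptions; PEP 440 leaves them to the tool.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

SECURE_SCHEMES = {"https"}          # "secure transport mechanism (such as https)"
WEAK_ALGORITHMS = {"md5", "sha1"}   # what this example treats as "too weak to trust"

# Constructed sample input: artifact bytes and a direct reference pinning their
# SHA-256 (sha256(b"abc")).  Both are made up for the example.
SAMPLE_ARTIFACT = b"abc"
SAMPLE_SPEC = ("pkg @ https://example.invalid/pkg-1.0.tar.gz"
               "#sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")


@dataclass
class DirectReference:
    name: str
    url: str
    hash_name: Optional[str] = None
    hash_value: Optional[str] = None
    warnings: List[str] = field(default_factory=list)
    acceptable: bool = True


def parse_direct_reference(spec: str, strict: bool = False) -> DirectReference:
    """Parse ``name @ url#alg=hex`` and apply the PEP 440 transport/hash advice.

    strict=False: warn on problems, refuse only a weak algorithm.
    strict=True:  exercise the "MAY refuse to rely on the URL" option and refuse
                  on any warning.
    """
    name, sep, url = spec.partition("@")
    if not sep:
        raise ValueError(f"not a direct reference: {spec!r}")
    ref = DirectReference(name=name.strip(), url=url.strip())
    parts = urlsplit(ref.url)

    if parts.scheme == "file":
        # PEP 440 exempts local file URLs from the transport-and-hash advice.
        return ref

    if parts.scheme not in SECURE_SCHEMES:
        ref.warnings.append(f"insecure transport {parts.scheme!r}")

    alg, eq, digest = parts.fragment.partition("=")
    alg, digest = alg.lower(), digest.lower()
    if not eq:
        # A mutable target (e.g. a bare repository URL) lands here: nothing to pin.
        ref.warnings.append("no hash information in URL fragment")
    elif alg in WEAK_ALGORITHMS:
        ref.warnings.append(f"hash algorithm {alg!r} too weak to trust")
        ref.acceptable = False
    elif alg not in hashlib.algorithms_available:
        ref.warnings.append(f"hash algorithm {alg!r} not understood")
    else:
        expected_len = hashlib.new(alg).digest_size * 2
        is_hex = all(c in "0123456789abcdef" for c in digest)
        if len(digest) != expected_len or not is_hex:
            ref.warnings.append(f"malformed {alg} hash value")
        else:
            ref.hash_name, ref.hash_value = alg, digest

    if strict and ref.warnings:
        ref.acceptable = False
    return ref


def verify_artifact(ref: DirectReference, data: bytes) -> bool:
    """True only if the reference is acceptable, carries a hash, and data matches it."""
    if not ref.acceptable or ref.hash_name is None or ref.hash_value is None:
        return False
    actual = hashlib.new(ref.hash_name, data).hexdigest()
    return hmac.compare_digest(actual, ref.hash_value)


if __name__ == "__main__":
    for spec in (SAMPLE_SPEC, "pkg @ https://github.com/org/repo"):
        ref = parse_direct_reference(spec)
        print(spec)
        print("  warnings:", ref.warnings or "none")
        print("  verifies sample bytes:", verify_artifact(ref, SAMPLE_ARTIFACT))
```

Only a reference whose fragment pins a digest the tool understands can ever make `verify_artifact` return `True`; a repository URL with no fragment is reported at parse time and never verifies, which is the practical consequence of the clause the message quotes.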