Conversation
Signed-off-by: s-stumbo <sally.stumbo@chainguard.dev>
✅ Deploy Preview for ornate-narwhal-088216 ready!
matthewhelmke
left a comment
This is useful, thank you!!
LGTM
Co-authored-by: angela-zhang <30538317+angela-zhang@users.noreply.github.com> Signed-off-by: s-stumbo <100295939+s-stumbo@users.noreply.github.com>
mosabua
left a comment
Good start, but I think we need to flesh out what actually needs to be done with actual steps for each packaging tool and also keep in mind specific uses like pip with and without a lock file.
Also .. we need to clarify more how to avoid the use of cached packages .. not just in the repo manager but also locally on dev machines and in CI/CD clusters potentially.
| can expect different checksums for the same package version when migrating from | ||
| upstream PyPI to Chainguard Libraries: | ||
| - Tools such as `pip` enforce hashes when using `--require-hashes` or when hashes are pinned in requirements.txt files |
I think it enforces hash verification (between lock file and downloaded file) .. not "enforce hashes" .. I am not sure what that even means
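As an added illustration of the check this comment describes (not code from the PR, the docs site, or pip itself), the following Python mirrors pip's hash-checking mode over a pinned requirements file: the digest of the downloaded file must appear among the pinned `--hash` values, so a package rebuilt from source fails verification until the pinned hashes are regenerated. The package bytes and requirement lines are constructed samples.

```python
import hashlib
import re

# Constructed sample bytes: two builds of the "same" version that differ byte-for-byte,
# which is what a from-source rebuild behind a different index looks like to a hash check.
UPSTREAM_BUILD = b"PK\x03\x04 upstream wheel bytes for example-1.0.0 (constructed)"
SOURCE_REBUILD = b"PK\x03\x04 rebuilt wheel bytes for example-1.0.0 (constructed)"


def sha256_hex(data: bytes) -> str:
    """Digest of a downloaded distribution file, in the form a requirements file pins."""
    return hashlib.sha256(data).hexdigest()


def parse_pinned_hashes(requirements_text: str) -> dict:
    """Map 'name==version' to the set of sha256 digests pinned for it.

    Handles backslash line continuations and several --hash options per requirement
    (the layout hash-pinned requirements files use). A requirement without any
    --hash option maps to an empty set, so nothing can satisfy it in strict mode.
    """
    pinned = {}
    logical = requirements_text.replace("\\\n", " ")  # join continued lines
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split()[0]
        pinned[key] = {
            m.group(1).lower()
            for m in re.finditer(r"--hash=sha256:([0-9a-fA-F]{64})", line)
        }
    return pinned


def verify_download(key: str, data: bytes, pinned: dict) -> bool:
    """Hash-checking mode: accept the file only if its digest is one of the pinned ones."""
    return sha256_hex(data) in pinned.get(key, set())


def regenerate_line(key: str, data: bytes) -> str:
    """Emit a requirement line pinned to the digest of the file the index serves now."""
    return f"{key} \\\n    --hash=sha256:{sha256_hex(data)}"


# Constructed requirements file as generated against the previous index.
OLD_REQUIREMENTS = "# pinned against the previous index\n" + regenerate_line(
    "example==1.0.0", UPSTREAM_BUILD
) + "\n"
```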
| upstream PyPI to Chainguard Libraries: | ||
| - Tools such as `pip` enforce hashes when using `--require-hashes` or when hashes are pinned in requirements.txt files | ||
| - Tools such as `Poetry` and `uv` generate lock files that include SHA-256 hashes and will fail if checksums don't match |
Isn't that also the case for pip ?
Also don't use future "will fail" and detail what actually fails
| - Tools such as `pip` enforce hashes when using `--require-hashes` or when hashes are pinned in requirements.txt files | ||
| - Tools such as `Poetry` and `uv` generate lock files that include SHA-256 hashes and will fail if checksums don't match | ||
| - Systems such as JFrog Artifactory or Nexus may have cached upstream PyPI wheels and continue serving them until caches are cleared |
| - Systems such as JFrog Artifactory or Nexus may have cached upstream PyPI wheels and continue serving them until caches are cleared | |
| - Repository managers such as JFrog Artifactory or Sonatype Nexus may have cached upstream wheels and continue serving them until caches are cleared |
Sure but that might or might not have an effect on their use .. so what are we saying here
| ## Hash verification when migrating to Chainguard Libraries | ||
| Because Chainguard rebuilds from source, there are some circumstances where you |
I think checksums will be different in nearly all circumstances at least for Python so you might need to reword
| ### Resolving checksum mismatches | ||
| >Note: Before regenerating lock files, ensure your tool is configured to use Chainguard as the package index by following the [global configuration](chainguard/libraries/python/global-configuration/) or [direct access](/chainguard/libraries/python/build-configuration/#direct-access) documentation. |
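Review bot: the two links in this note use inconsistent paths: the first points at `chainguard/libraries/python/global-configuration/` with no leading slash, while the second uses `/chainguard/libraries/python/build-configuration/#direct-access`; a path without the leading slash resolves relative to the current page rather than the site root, so suggest `/chainguard/libraries/python/global-configuration/` to match.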
Not worth making a note of this .. just use a normal sentence
| >Note: Before regenerating lock files, ensure your tool is configured to use Chainguard as the package index by following the [global configuration](chainguard/libraries/python/global-configuration/) or [direct access](/chainguard/libraries/python/build-configuration/#direct-access) documentation. | ||
| To resolve hash mismatches, re-resolve your dependencies against Chainguard Libraries: |
Resolve twice sounds weird .. also I think we need to reword this along the lines of adjusting to the new checksum values and updating the lock files so builds don't fail.
| To resolve hash mismatches, re-resolve your dependencies against Chainguard Libraries: | ||
| - For `--require-hashes`: install from Chainguard indexes, and then regenerate the requirements file with new hashes so they match Chainguard wheels. |
The requirements file stays the same .. the lock file has to be changed
| To resolve hash mismatches, re-resolve your dependencies against Chainguard Libraries: | ||
| - For `--require-hashes`: install from Chainguard indexes, and then regenerate the requirements file with new hashes so they match Chainguard wheels. |
Also .. don't use the term "Chainguard indexes" or "Chainguard wheels" ..
use Chainguard Libraries for Python as product name or just talk about the indexes maybe
and instead of wheels talk about Python packages (since we also do sdists and so on)
| - For `uv`, Poetry, or other tools that generate lockfiles: Point them at Chainguard indexes, and then regenerate the lockfile so stored hashes correspond to Chainguard artifacts. | ||
| - For repository managers: You may also need to clear cached PyPI artifacts to ensure future installs pull Chainguard's versions. | ||
| >**Note:** While hash mismatches from are expected for some tooling and |
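Review bot: the note line reads "hash mismatches from are expected", which drops or misplaces a word; suggest "hash mismatches are expected for some tooling" so the sentence parses. Also, this region says "lockfiles"/"lockfile" while the earlier note in this section says "lock files"; pick one spelling for the page.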
| A Sigstore bundle is a self‑contained JSON file that packages everything needed | ||
| to verify the authenticity and integrity of a signed artifact. | ||
| A [Sigstore bundle file](https://docs.sigstore.dev/about/bundle/) is available |
Move that link up to first sentence I guess
[ ] Check if this is a typo or other quick fix and ignore the rest :)
Type of change
Add new section about hash verification to Python Library docs
What should this PR do?
Add content about checksum mismatches that could affect Python configurations
Why are we making this change?
Customers have reached out about this issue during migration