@@ -7,8 +7,7 @@ Recording the Direct URL Origin of installed distributions
77
88This document specifies a :file: `direct_url.json ` file in the
99:file: `*.dist-info ` directory of an installed distribution, to record the
10- Direct URL Origin of the distribution. The layout of this file was originally
11- specified in :pep: `610 ` and is formally documented here.
10+ Direct URL Origin of the distribution.
1211
1312.. contents :: Contents
1413 :local:
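Review bot: removing the PEP 610 sentence from the introduction (lines "- Direct URL Origin of the distribution. The layout of this file was originally" / "- specified in :pep: `610 ` and is formally documented here.") is only safe if the History section added later in this change lands with it, since that is now the sole place the provenance of the file layout is recorded; consider keeping a one-line pointer such as "See the History section for the origin of this specification." in the intro so a reader of the first paragraph still finds it.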
@@ -65,14 +64,33 @@ as a dictionary with the following keys:
6564 version of the source code that was installed.
6665
6766When ``url `` refers to a source archive or a wheel, the ``archive_info `` key
68- MUST be present as a dictionary with the following key:
69-
70- - A ``hash `` key (type ``string ``) SHOULD be present, with value
71- ``<hash-algorithm>=<expected-hash> ``.
72- It is RECOMMENDED that only hashes which are unconditionally provided by
73- the latest version of the standard library's ``hashlib `` module be used for
74- source archive hashes. At time of writing, that list consists of 'md5',
75- 'sha1', 'sha224', 'sha256', 'sha384', and 'sha512'.
67+ MUST be present as a dictionary with the following keys:
68+
69+ - A ``hashes `` key SHOULD be present as a dictionary mapping a hash name to a hex
70+ encoded digest of the file.
71+
72+ Multiple hashes can be included, and it is up to the consumer to decide what to do
73+ with multiple hashes (it may validate all of them or a subset of them, or nothing at
74+ all).
75+
76+ These hash names SHOULD always be normalized to be lowercase.
77+
78+ Any hash algorithm available via ``hashlib `` (specifically any that can be passed to
79+ ``hashlib.new() `` and do not require additional parameters) can be used as a key for
80+ the hashes dictionary. At least one secure algorithm from
81+ ``hashlib.algorithms_guaranteed `` SHOULD always be included. At time of writing,
82+ ``sha256 `` specifically is recommended.
83+
84+ - A deprecated ``hash `` key (type ``string ``) MAY be present for backwards compatibility
85+ purposes, with value ``<hash-algorithm>=<expected-hash> ``.
86+
87+ Producers of the data structure SHOULD emit the ``hashes `` key whether one or multiple
88+ hashes are available. Producers SHOULD continue to emit the ``hash `` key in contexts
89+ where they did so before, so as to keep backwards compatibility for existing clients.
90+
91+ When both the ``hash `` and ``hashes `` keys are present, the hash represented in the
92+ ``hash `` key MUST also be present in the ``hashes `` dictionary, so consumers can
93+ consider the ``hashes `` key only if it is present, and fall back to ``hash `` otherwise.
7694
7795When ``url `` refers to a local directory, the ``dir_info `` key MUST be
7896present as a dictionary with the following key:
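Review bot: "At least one secure algorithm from ``hashlib.algorithms_guaranteed `` SHOULD always be included" is ambiguous, because ``algorithms_guaranteed`` also contains ``md5`` and ``sha1``, which this text presumably does not consider secure; name the acceptable set explicitly (or say "a SHA-2 or SHA-3 family algorithm, ``sha256`` recommended") so producers and consumers agree on what satisfies the requirement. Two smaller points in the same hunk: "any that can be passed to ``hashlib.new() `` and do not require additional parameters" should read "does not require additional parameters" (and note that the SHAKE algorithms in ``algorithms_guaranteed`` need a digest length, so they are excluded by this wording); and the sentence "it may validate all of them or a subset of them, or nothing at all" would benefit from a companion statement that, when a consumer does validate, a mismatch on any checked digest (including a ``hash`` value that disagrees with the corresponding ``hashes`` entry) MUST be treated as a failure rather than silently ignored.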
@@ -234,7 +252,9 @@ Source archive:
234252 {
235253 "url": "https://github.com/pypa/pip/archive/1.3.1.zip",
236254 "archive_info": {
237- "hash": "sha256=2dc6b5a470a1bde68946f263f1af1515a2574a150a30d6ce02c6ff742fcc0db8"
255+ "hashes": {
256+ "sha256": "2dc6b5a470a1bde68946f263f1af1515a2574a150a30d6ce02c6ff742fcc0db8"
257+ }
238258 }
239259 }
240260
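Review bot: the updated example drops the ``hash`` key entirely, yet the text above says producers SHOULD continue to emit ``hash`` where they did before and that its value MUST also appear in ``hashes``; showing both keys side by side here, e.g. `"hash": "sha256=2dc6b5a4...",` alongside the new `"hashes": { "sha256": "2dc6b5a4..." }`, would illustrate the consistency rule and the backwards-compatible form that existing installers actually produce.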
@@ -292,3 +312,11 @@ Commands that *do not* generate a ``direct_url.json``
292312
293313* ``pip install app ``
294314* ``pip install app --no-index --find-links https://example.com/ ``
315+
316+ History
317+ =======
318+
319+ - March 2020: the ``direct_url.json `` metadata file was originally specified in
320+ :pep: `610 ` and is formally documented here.
321+ - January 2023: Added the ``archive_info.hashes `` key
322+ (`discussion <https://discuss.python.org/t/22299 >`__).
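Review bot: the January 2023 entry records only that ``archive_info.hashes`` was added; since the same change marks the ``hash`` key as deprecated, the History line should say so as well (e.g. "Added the ``archive_info.hashes`` key and deprecated ``archive_info.hash``"), so consumers reading the changelog know the compatibility expectation without re-reading the section body.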