msgid "RECORD is a list of (almost) all the files in the wheel and their secure hashes. Unlike PEP 376, every file except RECORD, which cannot contain a hash of itself, must include its hash. The hash algorithm must be sha256 or better; specifically, md5 and sha1 are not permitted, as signed wheel files rely on the strong hashes in RECORD to validate the integrity of the archive."
+
msgid "RECORD is a list of (almost) all the files in the wheel and their secure hashes. Unlike PEP 376, every file except RECORD, which cannot contain a hash of itself, must include its hash. The hash algorithm must be sha256 or better; specifically, md5 and sha1 are not permitted."
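Review bot: the new string ends at "md5 and sha1 are not permitted." and so drops the only stated reason for the sha256-or-better rule. The requirement no longer depends on signatures, but installers still rely on these hashes (the "MUST verify the hashes in RECORD against the extracted file contents" string is unchanged), so consider replacing the removed clause with a short rationale tied to that check rather than leaving the rule unexplained.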
msgid "RECORD.p7s is allowed as a courtesy to anyone who would prefer to use S/MIME signatures to secure their wheel files. It is not mentioned in RECORD."
msgid "RECORD.jws and RECORD.p7s are deprecated. Where they are still used, neither RECORD.jws nor RECORD.p7s are mentioned in RECORD. Build backends and other tools must not add them to wheels anymore, installers should be aware that these files may still be part of some wheels."
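Review bot: the closing clause "installers should be aware that these files may still be part of some wheels" gives installers no defined behaviour. State what an installer does when it finds RECORD.jws or RECORD.p7s, for example that it ignores them and exempts them from the RECORD check, as the extraction string does. Two wording points in the same string: "neither RECORD.jws nor RECORD.p7s are mentioned" should read "is mentioned", and "must not add them to wheels anymore, installers should" is a comma splice that needs a full stop or semicolon. As this is a msgid, the fix belongs in the source text the catalogue is generated from.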
msgid "During extraction, wheel installers verify all the hashes in RECORD against the file contents. Apart from RECORDand its signatures, installation will fail if any file in the archive is not both mentioned and correctly hashed in RECORD."
msgid "During extraction, wheel installers verify all the hashes in RECORD against the file contents. Apart from RECORD, RECORD.jws and RECORD.p7s, installation will fail if any file in the archive is not both mentioned and correctly hashed in RECORD."
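Review bot: the new wording exempts RECORD.jws and RECORD.p7s by name, but later strings in this catalogue still present signing as a current feature with no deprecation marker ("Wheel files include an extended RECORD that enables digital signatures", "If JSON web signatures are used, ...", "Attached signatures are more convenient than detached signatures ..."). If those strings stay, add a deprecation note to that section so it agrees with this string and with the "RECORD.jws and RECORD.p7s are deprecated" string.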
msgid "Subdirectories under :file:`.dist-info/` are reserved for future use. The following subdirectory names under :file:`.dist-info/` are reserved for specific usage:"
msgid "If the metadata version is 2.4 or greater and one or more ``License-File`` fields is specified, the :file:`.dist-info/` directory MUST contain a :file:`licenses/` subdirectory, which MUST contain the files listed in the ``License-File`` fields in the :file:`METADATA` file at their respective paths relative to the :file:`licenses/` directory."
msgid "All files contained within the :file:`.dist-info/sboms/` directory MUST be Software Bill-of-Materials (SBOM) files that describe software contained within the distribution archive."
msgid "Any file that is not normally installed inside site-packages goes into the .data directory, named as the .dist-info directory but with the .data/ extension::"
msgid "The .data directory contains subdirectories with the scripts, headers, documentation and so forth from the distribution. During installation the contents of these subdirectories are moved onto their destination paths."
msgid "Wheel files include an extended RECORD that enables digital signatures. PEP 376's RECORD is altered to include a secure hash ``digestname=urlsafe_b64encode_nopad(digest)`` (urlsafe base64 encoding with no trailing = characters) as the second column instead of an md5sum. All possible entries are hashed, including any generated files such as .pyc files, but not RECORD which cannot contain its own hash. For example::"
msgid "The signature file(s) RECORD.jws and RECORD.p7s are not mentioned in RECORD at all since they can only be added after RECORD is generated. Every other file in the archive must have a correct hash in RECORD or the installation will fail."
msgid "If JSON web signatures are used, one or more JSON Web Signature JSON Serialization (JWS-JS) signatures is stored in a file RECORD.jws adjacent to RECORD. JWS is used to sign RECORD by including the SHA-256 hash of RECORD as the signature's JSON payload:"
msgid "A wheel installer is not required to understand digital signatures but MUST verify the hashes in RECORD against the extracted file contents. When the installer checks file hashes against RECORD, a separate signature checker only needs to establish that RECORD matches the signature."
msgid "This specification does not have an opinion on how you should organize your code. The .data directory is just a place for any files that are not normally installed inside ``site-packages`` or on the PYTHONPATH. In other words, you may continue to use ``pkgutil.get_data(package, resource)`` even though *those* files will usually not be distributed in *wheel's* ``.data`` directory."
msgid "Attached signatures are more convenient than detached signatures because they travel with the archive. Since only the individual files are signed, the archive can be recompressed without invalidating the signature or individual files can be verified without having to download the whole archive."
msgid "The JOSE specifications of which JWS is a part are designed to be easy to implement, a feature that is also one of wheel's primary design goals. JWS yields a useful, concise pure-Python implementation."
msgid "Wheel preserves the \"purelib\" vs. \"platlib\" distinction, which is significant on some platforms. For example, Fedora installs pure Python packages to '/usr/lib/pythonX.Y/site-packages' and platform dependent packages to '/usr/lib64/pythonX.Y/site-packages'."
msgid "A wheel with \"Root-Is-Purelib: false\" with all its files in ``{name}-{version}.data/purelib`` is equivalent to a wheel with \"Root-Is-Purelib: true\" with those same files in the root, and it is legal to have files in both the \"purelib\" and \"platlib\" categories."
msgid "In practice a wheel should have only one of \"purelib\" or \"platlib\" depending on whether it is pure Python or not and those files should be at the root with the appropriate setting given for \"Root-is-purelib\"."
msgid "Technically, due to the combination of supporting installation via simple extraction and using an archive format that is compatible with ``zipimport``, a subset of wheel files *do* support being placed directly on ``sys.path``. However, while this behaviour is a natural consequence of the format design, actually relying on it is generally discouraged."
msgid "Firstly, wheel *is* designed primarily as a distribution format, so skipping the installation step also means deliberately avoiding any reliance on features that assume full installation (such as being able to use standard tools like ``pip`` and ``virtualenv`` to capture and manage dependencies in a way that can be properly tracked for auditing and security update purposes, or integrating fully with the standard build machinery for C extensions by publishing header files in the appropriate place)."
msgid "Secondly, while some Python software is written to support running directly from a zip archive, it is still common for code to be written assuming it has been fully installed. When that assumption is broken by trying to run the software from a zip archive, the failures can often be obscure and hard to diagnose (especially when they occur in third party libraries). The two most common sources of problems with this are the fact that importing C extensions from a zip archive is *not* supported by CPython (since doing so is not supported directly by the dynamic loading machinery on any platform) and that when running from a zip archive the ``__file__`` attribute no longer refers to an ordinary filesystem path, but to a combination path that includes both the location of the zip archive on the filesystem and the relative path to the module inside the archive. Even when software correctly uses the abstract resource APIs internally, interfacing with external components may still require the availability of an actual on-disk file."
msgid "Like metaclasses, monkeypatching and metapath importers, if you're not already sure you need to take advantage of this feature, you almost certainly don't need it. If you *do* decide to use it anyway, be aware that many projects will require a failure to be reproduced with a fully installed package before accepting it as a genuine bug."
msgid "December 2024: Clarified that the ``scripts`` folder should only contain regular files (the expected behaviour of consuming tools when encountering symlinks or subdirectories in this folder is not formally defined, and hence may vary between tools)."