|
| 1 | +PEP: 9999 |
| 2 | +Title: Recording provenance of installed packages |
| 3 | +Author: Fridolin Pokorny <fridolin.pokorny at gmail.com>, Trishank Karthik Kuppusamy <karthik@trishank.com> |
| 4 | +Sponsor: Paul Moore <p.f.moore at gmail.com> |
| 5 | +PEP-Delegate: |
| 6 | +Discussions-To: https://discuss.python.org/t/pip-installation-reports/12316 |
| 7 | +Status: Draft |
| 8 | +Type: Process |
| 9 | +Content-Type: text/x-rst |
| 10 | +Created: 30-Jan-2002 |
| 11 | +Post-History: |
| 12 | + |
| 13 | + |
| 14 | +Abstract |
| 15 | +======== |
| 16 | + |
| 17 | +This PEP describes a way to record provenance of Python packages installed. |
| 18 | +The record is created by an installer and is available to users in a form of a |
| 19 | +JSON file ``direct_url.json`` in ``.dist-info`` directory. The PEP is an |
| 20 | +extension to :pep:`610` for cases when installed packages are comming from a |
| 21 | +package index. |
| 22 | + |
| 23 | + |
| 24 | +Motivation |
| 25 | +========== |
| 26 | + |
| 27 | +Installing a Python package involves downloading the package from a source and |
| 28 | +extracting its content to an appropriate place. After the installation process |
| 29 | +is done, information about the artifact used as well as its source is generally |
| 30 | +lost. Nevertheless, there are use cases for keeping records of artifacts used |
| 31 | +for installing packages and their provenance. |
| 32 | + |
| 33 | +Python wheels can be built with different compiler flags or supporting |
| 34 | +different wheel tags. In both cases, users might get into a situation in which |
| 35 | +multiple wheels might be considered by installers (possibly from different |
| 36 | +package indexes) and immediately finding out which artifact was actually used |
| 37 | +during the installation might be helpful. This way, tools reporting software |
| 38 | +installed, such as tools reporting SBOM (Software Bill of Material), might give |
| 39 | +more accurate reports. |
| 40 | + |
| 41 | +The motivation described in this PEP is a direct extension to :pep:`610`. |
| 42 | +Besides stating information about packages installed from an URL, installers |
| 43 | +SHOULD record information also for packages installed from Python package |
| 44 | +indexes or from filesystem. |
| 45 | + |
| 46 | + |
| 47 | +Examples |
| 48 | +======== |
| 49 | + |
| 50 | +An example of a ``direct_url.json`` file in the ``.dist-info`` directory |
| 51 | +alongside files stated in :pep:`376` and further adjusted in :pep:`627`. The |
| 52 | +specified file stores a JSON describing artifact used to install a package as |
| 53 | +well as its source. The record is similar to ``direct_url.json`` described in |
| 54 | +:pep:`610`: |
| 55 | + |
| 56 | +.. code:: |
| 57 | +
|
| 58 | + { |
| 59 | + "archive_info": { |
| 60 | + "hash": "sha256=714ac14496c3e68c99c29b00845f7a2b85f3bb6f1078fd9f72fd20f0570002b2" |
| 61 | + }, |
| 62 | + "url": "https://files.pythonhosted.org/packages/ed/35/a31aed2993e398f6b09a790a181a7927eb14610ee8bbf02dc14d31677f1c/packaging-23.0-py3-none-any.whl" |
| 63 | + } |
| 64 | +
|
| 65 | +If a source distribution was used to build a wheel file which was subsequently |
| 66 | +installed, the ``url`` must state URL to the source distribution used. |
| 67 | + |
| 68 | +For cases when a package is installed from a local directory, |
| 69 | +``direct_url.json`` SHOULD preserve path to the file used: |
| 70 | + |
| 71 | +.. code:: |
| 72 | +
|
| 73 | + { |
| 74 | + "archive_info": { |
| 75 | + "hash": "sha256=b9c46cc36662a7949f34b52d8ec7bb59c0d74ba08ba6cb9ce9adc1d8676d9526" |
| 76 | + }, |
| 77 | + "url": "file:///home/user/wheels/Flask-2.2.2-py3-none-any.whl" |
| 78 | + } |
| 79 | +
|
| 80 | +For installations when a package is installed by providing an URL, :pep:`610` is |
| 81 | +still applicable. |
| 82 | + |
| 83 | +In both cases, the JSON document is stating the following entries: |
| 84 | + |
| 85 | +* ``archive_info.hash`` MUST be present with a value of ``<hash-algorithm>=<expected-hash>``, |
| 86 | + currently supported hash algorithm is only ``sha256``. |
| 87 | + |
| 88 | +* ``url`` - MUST be present and points to source from where the package was obtained. |
| 89 | + The value MUST be stripped of any sensitive authentication information, for security |
| 90 | + reasons. |
| 91 | + |
| 92 | +Copyright |
| 93 | +========= |
| 94 | + |
| 95 | +This document is placed in the public domain or under the |
| 96 | +CC0-1.0-Universal license, whichever is more permissive. |
0 commit comments