Log file Viewer
#pypa-dev logs for Thursday the 15th of October, 2015
[13:56:01] <xafer> Deleting old dead code and simplifying, feedbacks welcome: https://github.com/pypa/pip/pull/3187
[22:35:54] <dstufft> ErikRose: at this point, I'm not sure it makes sense to treat the local wheel cache as untrusted, though maybe we could add a side along file
[22:36:30] <dstufft> put the original hashes for the sdist in a hashes.json file or something in the wheel cache alongside the wheel
[22:39:38] <ErikRose> Hrrm, I'm not thrilled with that, because then we have a whole bunch of trust anchors: pip, the hashes, and the mutable circus in the cache folder.
[22:39:53] <ErikRose> And the hash-based bootstrapper, when it exists, only makes the pip one go away.
[22:40:27] <ErikRose> The more I talk about it, the more I favor simply ignoring the wheel cache. It's simple and safe.
[22:41:19] <ErikRose> Later, we could fix wheel building to be deterministic (though code that reads its own modtimes could break, but just Don't Do That), and people could have the option of turning on the wheel cache and adding a second set of hashes to their reqs file.