Python
/
uv
mirror of https://github.com/astral-sh/uv
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Turn `--verify-hashes` on by default (#9170) 

Fixes #9164

Using clap's `default_value_t` makes the `flag` function unhappy, so
just set the default when we unwrap. Tested with no flags,
`--verify-hashes`, `--no-verify-hashes` and setting in uv.toml

---------

Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>
This commit is contained in:
Shantanu 2024-11-17 17:57:54 -08:00 committed by GitHub
parent 5ba186628b
commit 71d9c45393
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 1013 additions and 192 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
crates/uv-cli/src/lib.rs
View File

@ -1263,9 +1263,12 @@ pub struct PipSyncArgs {
/// Require a matching hash for each requirement.
///
/// Hash-checking mode is all or nothing. If enabled, _all_ requirements must be provided
/// with a corresponding hash or set of hashes. Additionally, if enabled, _all_ requirements
/// must either be pinned to exact versions (e.g., `==1.0.0`), or be specified via direct URL.
/// By default, uv will verify any available hashes in the requirements file, but will not
/// require that all requirements have an associated hash.
///
/// When `--require-hashes` is enabled, _all_ requirements must include a hash or set of hashes,
/// and _all_ requirements must either be pinned to exact versions (e.g., `==1.0.0`), or be
/// specified via direct URL.
///
/// Hash-checking mode introduces a number of additional constraints:
///
@ -1284,20 +1287,20 @@ pub struct PipSyncArgs {
#[arg(long, overrides_with("require_hashes"), hide = true)]
pub no_require_hashes: bool,
/// Validate any hashes provided in the requirements file.
///
/// Unlike `--require-hashes`, `--verify-hashes` does not require that all requirements have
/// hashes; instead, it will limit itself to verifying the hashes of those requirements that do
/// include them.
#[arg(
long,
env = EnvVars::UV_VERIFY_HASHES,
value_parser = clap::builder::BoolishValueParser::new(),
overrides_with("no_verify_hashes"),
)]
#[arg(long, overrides_with("no_verify_hashes"), hide = true)]
pub verify_hashes: bool,
#[arg(long, overrides_with("verify_hashes"), hide = true)]
/// Disable validation of hashes in the requirements file.
///
/// By default, uv will verify any available hashes in the requirements file, but will not
/// require that all requirements have an associated hash. To enforce hash validation, use
/// `--require-hashes`.
#[arg(
long,
env = EnvVars::UV_NO_VERIFY_HASHES,
value_parser = clap::builder::BoolishValueParser::new(),
overrides_with("verify_hashes"),
)]
pub no_verify_hashes: bool,
/// The Python interpreter into which packages should be installed.
@ -1546,9 +1549,12 @@ pub struct PipInstallArgs {
/// Require a matching hash for each requirement.
///
/// Hash-checking mode is all or nothing. If enabled, _all_ requirements must be provided
/// with a corresponding hash or set of hashes. Additionally, if enabled, _all_ requirements
/// must either be pinned to exact versions (e.g., `==1.0.0`), or be specified via direct URL.
/// By default, uv will verify any available hashes in the requirements file, but will not
/// require that all requirements have an associated hash.
///
/// When `--require-hashes` is enabled, _all_ requirements must include a hash or set of hashes,
/// and _all_ requirements must either be pinned to exact versions (e.g., `==1.0.0`), or be
/// specified via direct URL.
///
/// Hash-checking mode introduces a number of additional constraints:
///
@ -1567,20 +1573,20 @@ pub struct PipInstallArgs {
#[arg(long, overrides_with("require_hashes"), hide = true)]
pub no_require_hashes: bool,
/// Validate any hashes provided in the requirements file.
///
/// Unlike `--require-hashes`, `--verify-hashes` does not require that all requirements have
/// hashes; instead, it will limit itself to verifying the hashes of those requirements that do
/// include them.
#[arg(
long,
env = EnvVars::UV_VERIFY_HASHES,
value_parser = clap::builder::BoolishValueParser::new(),
overrides_with("no_verify_hashes"),
)]
#[arg(long, overrides_with("no_verify_hashes"), hide = true)]
pub verify_hashes: bool,
#[arg(long, overrides_with("verify_hashes"), hide = true)]
/// Disable validation of hashes in the requirements file.
///
/// By default, uv will verify any available hashes in the requirements file, but will not
/// require that all requirements have an associated hash. To enforce hash validation, use
/// `--require-hashes`.
#[arg(
long,
env = EnvVars::UV_NO_VERIFY_HASHES,
value_parser = clap::builder::BoolishValueParser::new(),
overrides_with("verify_hashes"),
)]
pub no_verify_hashes: bool,
/// The Python interpreter into which packages should be installed.
@ -2177,12 +2183,14 @@ pub struct BuildArgs {
#[arg(long, short, env = EnvVars::UV_BUILD_CONSTRAINT, value_delimiter = ' ', value_parser = parse_maybe_file_path)]
pub build_constraint: Vec<Maybe<PathBuf>>,
/// Require a matching hash for each build requirement.
/// Require a matching hash for each requirement.
///
/// Hash-checking mode is all or nothing. If enabled, _all_ build requirements must be provided
/// with a corresponding hash or set of hashes via the `--build-constraint` argument.
/// Additionally, if enabled, _all_ requirements must either be pinned to exact versions
/// (e.g., `==1.0.0`), or be specified via direct URL.
/// By default, uv will verify any available hashes in the requirements file, but will not
/// require that all requirements have an associated hash.
///
/// When `--require-hashes` is enabled, _all_ requirements must include a hash or set of hashes,
/// and _all_ requirements must either be pinned to exact versions (e.g., `==1.0.0`), or be
/// specified via direct URL.
///
/// Hash-checking mode introduces a number of additional constraints:
///
@ -2201,20 +2209,20 @@ pub struct BuildArgs {
#[arg(long, overrides_with("require_hashes"), hide = true)]
pub no_require_hashes: bool,
/// Validate any hashes provided in the build constraints file.
///
/// Unlike `--require-hashes`, `--verify-hashes` does not require that all requirements have
/// hashes; instead, it will limit itself to verifying the hashes of those requirements that do
/// include them.
#[arg(
long,
env = EnvVars::UV_VERIFY_HASHES,
value_parser = clap::builder::BoolishValueParser::new(),
overrides_with("no_verify_hashes"),
)]
#[arg(long, overrides_with("no_verify_hashes"), hide = true)]
pub verify_hashes: bool,
#[arg(long, overrides_with("verify_hashes"), hide = true)]
/// Disable validation of hashes in the requirements file.
///
/// By default, uv will verify any available hashes in the requirements file, but will not
/// require that all requirements have an associated hash. To enforce hash validation, use
/// `--require-hashes`.
#[arg(
long,
env = EnvVars::UV_NO_VERIFY_HASHES,
value_parser = clap::builder::BoolishValueParser::new(),
overrides_with("verify_hashes"),
)]
pub no_verify_hashes: bool,
/// The Python interpreter to use for the build environment.

21
crates/uv-configuration/src/hash.rs
View File

@ -9,13 +9,26 @@ pub enum HashCheckingMode {
impl HashCheckingMode {
/// Return the [`HashCheckingMode`] from the command-line arguments, if any.
pub fn from_args(require_hashes: bool, verify_hashes: bool) -> Option<Self> {
if require_hashes {
///
/// By default, the hash checking mode is [`HashCheckingMode::Verify`]. If `--require-hashes` is
/// passed, the hash checking mode is [`HashCheckingMode::Require`]. If `--no-verify-hashes` is
/// passed, then no hash checking is performed.
pub fn from_args(require_hashes: Option<bool>, verify_hashes: Option<bool>) -> Option<Self> {
if require_hashes == Some(true) {
// Given `--require-hashes`, always require hashes, regardless of any other flags.
Some(Self::Require)
} else if verify_hashes {
} else if verify_hashes == Some(true) {
// Given `--verify-hashes`, always verify hashes, regardless of any other flags.
Some(Self::Verify)
} else {
} else if verify_hashes == Some(false) {
// Given `--no-verify-hashes` (without `--require-hashes`), do not verify hashes.
None
} else if require_hashes == Some(false) {
// Given `--no-require-hashes` (without `--verify-hashes`), do not require hashes.
None
} else {
// By default, verify hashes.
Some(Self::Verify)
}
}

2
crates/uv-settings/src/settings.rs
View File

@ -1348,7 +1348,7 @@ pub struct PipOptions {
/// hashes; instead, it will limit itself to verifying the hashes of those requirements that do
/// include them.
#[option(
default = "false",
default = "true",
value_type = "bool",
example = r#"
verify-hashes = true

5
crates/uv-static/src/env_vars.rs
View File

@ -167,8 +167,9 @@ impl EnvVars {
/// Equivalent to the `--token` argument for self update. A GitHub token for authentication.
pub const UV_GITHUB_TOKEN: &'static str = "UV_GITHUB_TOKEN";
/// Equivalent to the `--verify-hashes` argument. Verifies included hashes.
pub const UV_VERIFY_HASHES: &'static str = "UV_VERIFY_HASHES";
/// Equivalent to the `--no-verify-hashes` argument. Disables hash verification for
/// `requirements.txt` files.
pub const UV_NO_VERIFY_HASHES: &'static str = "UV_VERIFY_HASHES";
/// Equivalent to the `--allow-insecure-host` argument.
pub const UV_INSECURE_HOST: &'static str = "UV_INSECURE_HOST";

12
crates/uv/src/settings.rs
View File

@ -2003,8 +2003,8 @@ impl BuildSettings {
.filter_map(Maybe::into_option)
.collect(),
hash_checking: HashCheckingMode::from_args(
flag(require_hashes, no_require_hashes).unwrap_or_default(),
flag(verify_hashes, no_verify_hashes).unwrap_or_default(),
flag(require_hashes, no_require_hashes),
flag(verify_hashes, no_verify_hashes),
),
python: python.and_then(Maybe::into_option),
refresh: Refresh::from(refresh),
@ -2641,12 +2641,8 @@ impl PipSettings {
.unwrap_or_default(),
link_mode: args.link_mode.combine(link_mode).unwrap_or_default(),
hash_checking: HashCheckingMode::from_args(
args.require_hashes
.combine(require_hashes)
.unwrap_or_default(),
args.verify_hashes
.combine(verify_hashes)
.unwrap_or_default(),
args.require_hashes.combine(require_hashes),
args.verify_hashes.combine(verify_hashes),
),
python: args.python.combine(python),
system: args.system.combine(system).unwrap_or_default(),

97
crates/uv/tests/it/build.rs
View File

@ -1447,103 +1447,40 @@ fn sha() -> Result<()> {
project.child("src").child("__init__.py").touch()?;
project.child("README").touch()?;
// Ignore an incorrect hash, if `--require-hashes` is not provided.
// Reject an incorrect hash.
let constraints = project.child("constraints.txt");
constraints.write_str("setuptools==68.2.2 --hash=sha256:a248cb506794bececcddeddb1678bc722f9cfcacf02f98f7c0af6b9ed893caf2")?;
uv_snapshot!(&filters, context.build().arg("--build-constraint").arg("constraints.txt").current_dir(&project), @r###"
success: true
exit_code: 0
success: false
exit_code: 2
----- stdout -----
----- stderr -----
Building source distribution...
running egg_info
creating src/project.egg-info
writing src/project.egg-info/PKG-INFO
writing dependency_links to src/project.egg-info/dependency_links.txt
writing requirements to src/project.egg-info/requires.txt
writing top-level names to src/project.egg-info/top_level.txt
writing manifest file 'src/project.egg-info/SOURCES.txt'
reading manifest file 'src/project.egg-info/SOURCES.txt'
writing manifest file 'src/project.egg-info/SOURCES.txt'
running sdist
running egg_info
writing src/project.egg-info/PKG-INFO
writing dependency_links to src/project.egg-info/dependency_links.txt
writing requirements to src/project.egg-info/requires.txt
writing top-level names to src/project.egg-info/top_level.txt
reading manifest file 'src/project.egg-info/SOURCES.txt'
writing manifest file 'src/project.egg-info/SOURCES.txt'
running check
creating project-0.1.0
creating project-0.1.0/src
creating project-0.1.0/src/project.egg-info
copying files to project-0.1.0...
copying README -> project-0.1.0
copying pyproject.toml -> project-0.1.0
copying src/__init__.py -> project-0.1.0/src
copying src/project.egg-info/PKG-INFO -> project-0.1.0/src/project.egg-info
copying src/project.egg-info/SOURCES.txt -> project-0.1.0/src/project.egg-info
copying src/project.egg-info/dependency_links.txt -> project-0.1.0/src/project.egg-info
copying src/project.egg-info/requires.txt -> project-0.1.0/src/project.egg-info
copying src/project.egg-info/top_level.txt -> project-0.1.0/src/project.egg-info
Writing project-0.1.0/setup.cfg
Creating tar archive
removing 'project-0.1.0' (and everything under it)
Building wheel from source distribution...
running egg_info
writing src/project.egg-info/PKG-INFO
writing dependency_links to src/project.egg-info/dependency_links.txt
writing requirements to src/project.egg-info/requires.txt
writing top-level names to src/project.egg-info/top_level.txt
reading manifest file 'src/project.egg-info/SOURCES.txt'
writing manifest file 'src/project.egg-info/SOURCES.txt'
running bdist_wheel
running build
running build_py
creating build
creating build/lib
copying src/__init__.py -> build/lib
running egg_info
writing src/project.egg-info/PKG-INFO
writing dependency_links to src/project.egg-info/dependency_links.txt
writing requirements to src/project.egg-info/requires.txt
writing top-level names to src/project.egg-info/top_level.txt
reading manifest file 'src/project.egg-info/SOURCES.txt'
writing manifest file 'src/project.egg-info/SOURCES.txt'
installing to build/bdist.linux-x86_64/wheel
running install
running install_lib
creating build/bdist.linux-x86_64
creating build/bdist.linux-x86_64/wheel
copying build/lib/__init__.py -> build/bdist.linux-x86_64/wheel
running install_egg_info
Copying src/project.egg-info to build/bdist.linux-x86_64/wheel/project-0.1.0-py3.8.egg-info
running install_scripts
creating build/bdist.linux-x86_64/wheel/project-0.1.0.dist-info/WHEEL
creating '[TEMP_DIR]/project/dist/[TMP]/wheel' to it
adding '__init__.py'
adding 'project-0.1.0.dist-info/METADATA'
adding 'project-0.1.0.dist-info/WHEEL'
adding 'project-0.1.0.dist-info/top_level.txt'
adding 'project-0.1.0.dist-info/RECORD'
removing build/bdist.linux-x86_64/wheel
Successfully built dist/project-0.1.0.tar.gz and dist/project-0.1.0-py3-none-any.whl
error: Failed to install requirements from `build-system.requires`
Caused by: Failed to download `setuptools==68.2.2`
Caused by: Hash mismatch for `setuptools==68.2.2`
Expected:
sha256:a248cb506794bececcddeddb1678bc722f9cfcacf02f98f7c0af6b9ed893caf2
Computed:
sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a
"###);
project
.child("dist")
.child("project-0.1.0.tar.gz")
.assert(predicate::path::is_file());
.assert(predicate::path::missing());
project
.child("dist")
.child("project-0.1.0-py3-none-any.whl")
.assert(predicate::path::is_file());
.assert(predicate::path::missing());
fs_err::remove_dir_all(project.child("dist"))?;
// Reject an incorrect hash.
// Reject an incorrect hash with --requires-hashes.
uv_snapshot!(&filters, context.build().arg("--build-constraint").arg("constraints.txt").arg("--require-hashes").current_dir(&project), @r###"
success: false
exit_code: 2
@ -1598,6 +1535,8 @@ fn sha() -> Result<()> {
.child("project-0.1.0-py3-none-any.whl")
.assert(predicate::path::missing());
fs_err::remove_dir_all(project.child("dist"))?;
// Accept a correct hash.
let constraints = project.child("constraints.txt");
constraints.write_str("setuptools==68.2.2 --hash=sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a")?;
@ -1610,10 +1549,12 @@ fn sha() -> Result<()> {
----- stderr -----
Building source distribution...
running egg_info
creating src/project.egg-info
writing src/project.egg-info/PKG-INFO
writing dependency_links to src/project.egg-info/dependency_links.txt
writing requirements to src/project.egg-info/requires.txt
writing top-level names to src/project.egg-info/top_level.txt
writing manifest file 'src/project.egg-info/SOURCES.txt'
reading manifest file 'src/project.egg-info/SOURCES.txt'
writing manifest file 'src/project.egg-info/SOURCES.txt'
running sdist

38
crates/uv/tests/it/pip_install.rs
View File

@ -6241,6 +6241,44 @@ fn verify_hashes_mismatch() -> Result<()> {
"###
);
uv_snapshot!(context.pip_install()
.arg("-r")
.arg("requirements.txt"), @r###"
success: false
exit_code: 1
----- stdout -----
----- stderr -----
Resolved 3 packages in [TIME]
× Failed to download `anyio==4.0.0`
Hash mismatch for `anyio==4.0.0`
Expected:
sha256:afdb2b588b9fc25ede96d8db56ed50848b0b649dca3dd1df0b11f683bb9e0b5f
sha256:a7ed51751b2c2add651e5747c891b47e26d2a21be5d32d9311dfe9692f3e5d7a
Computed:
sha256:cfdb2b588b9fc25ede96d8db56ed50848b0b649dca3dd1df0b11f683bb9e0b5f
"###
);
uv_snapshot!(context.pip_install()
.arg("-r")
.arg("requirements.txt")
.arg("--no-verify-hashes"), @r###"
success: true
exit_code: 0
----- stdout -----
----- stderr -----
Resolved 3 packages in [TIME]
Installed 3 packages in [TIME]
+ anyio==4.0.0
+ idna==3.6
+ sniffio==1.3.1
"###
);
Ok(())
}

873
crates/uv/tests/it/show_settings.rs
View File

File diff suppressed because it is too large Load Diff

9
docs/configuration/environment.md
View File

@ -188,6 +188,11 @@ Disables all progress output. For example, spinners and progress bars.
Equivalent to the `--no-sync` command-line argument. If set, uv will skip updating
the environment.
### `UV_NO_VERIFY_HASHES`
Equivalent to the `--no-verify-hashes` argument. Disables hash verification for
`requirements.txt` files.
### `UV_NO_WRAP`
Use to disable line wrapping for diagnostics.
@ -317,10 +322,6 @@ Specifies the directory where uv stores managed tools.
Used ephemeral environments like CI to install uv to a specific path while preventing
the installer from modifying shell profiles or environment variables.
### `UV_VERIFY_HASHES`
Equivalent to the `--verify-hashes` argument. Verifies included hashes.
## Externally defined variables

44
docs/reference/cli.md
View File

@ -5753,6 +5753,11 @@ uv pip sync [OPTIONS] <SRC_FILE>...
</dd><dt><code>--no-sources</code></dt><dd><p>Ignore the <code>tool.uv.sources</code> table when resolving dependencies. Used to lock against the standards-compliant, publishable package metadata, as opposed to using any local or Git sources</p>
</dd><dt><code>--no-verify-hashes</code></dt><dd><p>Disable validation of hashes in the requirements file.</p>
<p>By default, uv will verify any available hashes in the requirements file, but will not require that all requirements have an associated hash. To enforce hash validation, use <code>--require-hashes</code>.</p>
<p>May also be set with the <code>UV_VERIFY_HASHES</code> environment variable.</p>
</dd><dt><code>--offline</code></dt><dd><p>Disable network access.</p>
<p>When disabled, uv will only use locally cached data and locally available files.</p>
@ -5859,7 +5864,9 @@ uv pip sync [OPTIONS] <SRC_FILE>...
</dd><dt><code>--require-hashes</code></dt><dd><p>Require a matching hash for each requirement.</p>
<p>Hash-checking mode is all or nothing. If enabled, <em>all</em> requirements must be provided with a corresponding hash or set of hashes. Additionally, if enabled, <em>all</em> requirements must either be pinned to exact versions (e.g., <code>==1.0.0</code>), or be specified via direct URL.</p>
<p>By default, uv will verify any available hashes in the requirements file, but will not require that all requirements have an associated hash.</p>
<p>When <code>--require-hashes</code> is enabled, <em>all</em> requirements must include a hash or set of hashes, and <em>all</em> requirements must either be pinned to exact versions (e.g., <code>==1.0.0</code>), or be specified via direct URL.</p>
<p>Hash-checking mode introduces a number of additional constraints:</p>
@ -5883,11 +5890,6 @@ uv pip sync [OPTIONS] <SRC_FILE>...
<p>You can configure fine-grained logging using the <code>RUST_LOG</code> environment variable. (&lt;https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#directives&gt;)</p>
</dd><dt><code>--verify-hashes</code></dt><dd><p>Validate any hashes provided in the requirements file.</p>
<p>Unlike <code>--require-hashes</code>, <code>--verify-hashes</code> does not require that all requirements have hashes; instead, it will limit itself to verifying the hashes of those requirements that do include them.</p>
<p>May also be set with the <code>UV_VERIFY_HASHES</code> environment variable.</p>
</dd><dt><code>--version</code>, <code>-V</code></dt><dd><p>Display the uv version</p>
</dd></dl>
@ -6128,6 +6130,11 @@ uv pip install [OPTIONS] <PACKAGE|--requirement <REQUIREMENT>|--editable <EDITAB
</dd><dt><code>--no-sources</code></dt><dd><p>Ignore the <code>tool.uv.sources</code> table when resolving dependencies. Used to lock against the standards-compliant, publishable package metadata, as opposed to using any local or Git sources</p>
</dd><dt><code>--no-verify-hashes</code></dt><dd><p>Disable validation of hashes in the requirements file.</p>
<p>By default, uv will verify any available hashes in the requirements file, but will not require that all requirements have an associated hash. To enforce hash validation, use <code>--require-hashes</code>.</p>
<p>May also be set with the <code>UV_VERIFY_HASHES</code> environment variable.</p>
</dd><dt><code>--offline</code></dt><dd><p>Disable network access.</p>
<p>When disabled, uv will only use locally cached data and locally available files.</p>
@ -6259,7 +6266,9 @@ uv pip install [OPTIONS] <PACKAGE|--requirement <REQUIREMENT>|--editable <EDITAB
</dd><dt><code>--require-hashes</code></dt><dd><p>Require a matching hash for each requirement.</p>
<p>Hash-checking mode is all or nothing. If enabled, <em>all</em> requirements must be provided with a corresponding hash or set of hashes. Additionally, if enabled, <em>all</em> requirements must either be pinned to exact versions (e.g., <code>==1.0.0</code>), or be specified via direct URL.</p>
<p>By default, uv will verify any available hashes in the requirements file, but will not require that all requirements have an associated hash.</p>
<p>When <code>--require-hashes</code> is enabled, <em>all</em> requirements must include a hash or set of hashes, and <em>all</em> requirements must either be pinned to exact versions (e.g., <code>==1.0.0</code>), or be specified via direct URL.</p>
<p>Hash-checking mode introduces a number of additional constraints:</p>
@ -6307,11 +6316,6 @@ uv pip install [OPTIONS] <PACKAGE|--requirement <REQUIREMENT>|--editable <EDITAB
<p>You can configure fine-grained logging using the <code>RUST_LOG</code> environment variable. (&lt;https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#directives&gt;)</p>
</dd><dt><code>--verify-hashes</code></dt><dd><p>Validate any hashes provided in the requirements file.</p>
<p>Unlike <code>--require-hashes</code>, <code>--verify-hashes</code> does not require that all requirements have hashes; instead, it will limit itself to verifying the hashes of those requirements that do include them.</p>
<p>May also be set with the <code>UV_VERIFY_HASHES</code> environment variable.</p>
</dd><dt><code>--version</code>, <code>-V</code></dt><dd><p>Display the uv version</p>
</dd></dl>
@ -7721,6 +7725,11 @@ uv build [OPTIONS] [SRC]
</dd><dt><code>--no-sources</code></dt><dd><p>Ignore the <code>tool.uv.sources</code> table when resolving dependencies. Used to lock against the standards-compliant, publishable package metadata, as opposed to using any local or Git sources</p>
</dd><dt><code>--no-verify-hashes</code></dt><dd><p>Disable validation of hashes in the requirements file.</p>
<p>By default, uv will verify any available hashes in the requirements file, but will not require that all requirements have an associated hash. To enforce hash validation, use <code>--require-hashes</code>.</p>
<p>May also be set with the <code>UV_VERIFY_HASHES</code> environment variable.</p>
</dd><dt><code>--offline</code></dt><dd><p>Disable network access.</p>
<p>When disabled, uv will only use locally cached data and locally available files.</p>
@ -7792,9 +7801,11 @@ uv build [OPTIONS] [SRC]
</dd><dt><code>--refresh-package</code> <i>refresh-package</i></dt><dd><p>Refresh cached data for a specific package</p>
</dd><dt><code>--require-hashes</code></dt><dd><p>Require a matching hash for each build requirement.</p>
</dd><dt><code>--require-hashes</code></dt><dd><p>Require a matching hash for each requirement.</p>
<p>Hash-checking mode is all or nothing. If enabled, <em>all</em> build requirements must be provided with a corresponding hash or set of hashes via the <code>--build-constraint</code> argument. Additionally, if enabled, <em>all</em> requirements must either be pinned to exact versions (e.g., <code>==1.0.0</code>), or be specified via direct URL.</p>
<p>By default, uv will verify any available hashes in the requirements file, but will not require that all requirements have an associated hash.</p>
<p>When <code>--require-hashes</code> is enabled, <em>all</em> requirements must include a hash or set of hashes, and <em>all</em> requirements must either be pinned to exact versions (e.g., <code>==1.0.0</code>), or be specified via direct URL.</p>
<p>Hash-checking mode introduces a number of additional constraints:</p>
@ -7827,11 +7838,6 @@ uv build [OPTIONS] [SRC]
<p>You can configure fine-grained logging using the <code>RUST_LOG</code> environment variable. (&lt;https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#directives&gt;)</p>
</dd><dt><code>--verify-hashes</code></dt><dd><p>Validate any hashes provided in the build constraints file.</p>
<p>Unlike <code>--require-hashes</code>, <code>--verify-hashes</code> does not require that all requirements have hashes; instead, it will limit itself to verifying the hashes of those requirements that do include them.</p>
<p>May also be set with the <code>UV_VERIFY_HASHES</code> environment variable.</p>
</dd><dt><code>--version</code>, <code>-V</code></dt><dd><p>Display the uv version</p>
</dd><dt><code>--wheel</code></dt><dd><p>Build a binary distribution (&quot;wheel&quot;) from the given directory</p>

2
docs/reference/settings.md
View File

@ -3104,7 +3104,7 @@ Unlike `--require-hashes`, `--verify-hashes` does not require that all requireme
hashes; instead, it will limit itself to verifying the hashes of those requirements that do
include them.
**Default value**: `false`
**Default value**: `true`
**Type**: `bool`