Is there a way to force pip to check whether the md5 hash of a package matches the one in my requirements file?
So I could have a requirements.txt file like:
drf-compound-fields==0.2.0 md5=999168ac0303c4ea781da9cf47f841c1
Then, if a hash is set for the package, pip would check the hash of the *.tar.gz (or any other format) file. If it does not match, pip would refuse to install it.
Otherwise, someone could compromise the developer's system and upload a malicious version of the package to PyPI.
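pip does support this: since pip 8.0 a requirements line may carry one or more `--hash=<algo>:<digest>` options, and `pip install --require-hashes -r requirements.txt` refuses any distribution whose digest does not match (or that has no pinned hash at all). The block below is an added example, not pip's own code, showing the check the question asks for: it parses both the `md5=<digest>` form proposed above and pip's real `--hash=` form, then verifies an archive against the pinned digest before "installing". The archive bytes, the digests, and the package names other than drf-compound-fields are constructed for the example and are not real PyPI artifacts.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded sdist; the digests pinned below are
# computed over these bytes, NOT over the real drf-compound-fields release.
SAMPLE_ARCHIVE = b"constructed bytes standing in for drf-compound-fields-0.2.0.tar.gz\n"


def sample_requirements():
    """Build a requirements text mixing the questioner's proposed syntax
    (md5=<digest>), pip's real syntax (--hash=<algo>:<digest>), and an
    unpinned line, so the verifier's refusal path is exercised too."""
    md5 = hashlib.md5(SAMPLE_ARCHIVE).hexdigest()
    sha = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()
    return (
        f"drf-compound-fields==0.2.0 md5={md5}\n"
        f"constructed-package==1.0 --hash=sha256:{sha}\n"   # constructed name
        "unpinned-package==3.1\n"                            # constructed name
    )


LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)(?P<rest>.*)$")
PIP_HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")
PROPOSED_RE = re.compile(r"\b(?P<algo>md5|sha1|sha256|sha512)=(?P<digest>[0-9a-fA-F]+)")


def parse_requirements(text):
    """Return {name: {"version": str, "hashes": [(algo, hexdigest), ...]}}.

    A line may pin several digests (pip allows this so that wheels and sdists
    can both be listed); any one matching is enough."""
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse requirement line: {raw!r}")
        rest = m.group("rest")
        hashes = [(h.group("algo"), h.group("digest").lower())
                  for h in PIP_HASH_RE.finditer(rest)]
        hashes += [(h.group("algo"), h.group("digest").lower())
                   for h in PROPOSED_RE.finditer(rest)]
        reqs[m.group("name").lower()] = {"version": m.group("version"), "hashes": hashes}
    return reqs


def verify_artifact(name, data, reqs, require_hashes=True):
    """Decide whether a downloaded artifact may be installed.

    Returns (ok, reason). With require_hashes=True (pip's --require-hashes
    behaviour) an unpinned package is refused as well, which is what closes
    the 'malicious upload to PyPI' scenario from the question."""
    entry = reqs.get(name.lower())
    if entry is None:
        return False, "package not listed in requirements"
    if not entry["hashes"]:
        return (not require_hashes), "no hash pinned for package"
    for algo, expected in entry["hashes"]:
        actual = hashlib.new(algo, data).hexdigest()
        # constant-time comparison; cheap, and avoids leaking match length
        if hmac.compare_digest(actual, expected):
            return True, f"{algo} digest matches"
    return False, "digest mismatch: refusing to install"


if __name__ == "__main__":
    reqs = parse_requirements(sample_requirements())
    for pkg, blob in [("drf-compound-fields", SAMPLE_ARCHIVE),
                      ("drf-compound-fields", SAMPLE_ARCHIVE + b"tampered"),
                      ("unpinned-package", SAMPLE_ARCHIVE)]:
        ok, why = verify_artifact(pkg, blob, reqs)
        print(f"{pkg}: {'INSTALL' if ok else 'REFUSE'} ({why})")
```

In practice, prefer `--hash=sha256:...` over md5: pip accepts md5 for compatibility, but collisions for md5 are practical, so a sha256 pin is the one that actually makes a substituted archive detectable. `pip hash <file>` prints the digest in the right format for the requirements line.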