Display hashes associated with a package
Proposal
When a user looks at a package through the web interface there is no way for them to know what hashes are associated with it. This makes it difficult for a user to confirm that the package they are downloading is the correct one by anything other than its name and version number.
Design Comp: [screenshot not included]
If a user is downloading Package X.YY, having a hash in the web interface would provide some assurance and allow them to lock their build to a specific hash as well as version number. Having a hash can help organizations ensure that packages have not been tampered with.
Below is a screenshot of how PyPI handles hashes in its web interface.
The hashes are not of broad importance and not used by everyone, but it would be nice to have a small link somewhere on the package screen to display them. Published hashes are an important security tool for combating a variety of attacks, including supply-chain and dependency-confusion attacks.
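To show what a user gains once the hash is visible on the package page, here is an added example (not part of this proposal or of any package registry's code) of the consumer-side check: a downloaded artifact is hashed and compared against the digest pinned in the build, using the pip-style `--hash=sha256:<hex>` requirement syntax as the pin format. The artifact bytes, the package name and the version are constructed for the demo; only SHA-2 digests are accepted, which is this example's choice rather than anything the proposal specifies.

```python
import hashlib
import hmac
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Pin format modelled on pip's hash-checking mode, e.g.
#   somepkg==1.2.3 --hash=sha256:<hex> --hash=sha256:<hex>
# Several digests may be listed (one per distribution file); a download is
# accepted if it matches any one of them.
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9_]+):(?P<digest>[0-9a-fA-F]+)")

# Weak algorithms such as md5 and sha1 are deliberately not accepted here.
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}


def parse_pinned_hashes(requirement_line):
    """Return {algorithm: [hexdigests]} parsed from a pip-style requirement line."""
    pinned = {}
    for m in HASH_RE.finditer(requirement_line):
        pinned.setdefault(m.group("algo"), []).append(m.group("digest").lower())
    return pinned


def file_digest(path, algo, chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so large archives do not sit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, pinned):
    """True only if the file matches one of the pinned digests of an allowed algorithm.

    A requirement with no pinned hash is refused outright: silently accepting an
    unpinned download is exactly the gap the published hash is meant to close.
    """
    if not pinned:
        return False
    for algo, digests in pinned.items():
        if algo not in ALLOWED_ALGOS:
            continue
        actual = file_digest(path, algo)
        # Constant-time comparison; the digests are ASCII hex strings.
        if any(hmac.compare_digest(actual, d) for d in digests):
            return True
    return False


def verify_bytes(data, requirement_line):
    """Write constructed bytes to a temporary file and verify them against the pin."""
    with TemporaryDirectory() as tmp:
        path = Path(tmp) / "artifact.bin"
        path.write_bytes(data)
        return verify_artifact(path, parse_pinned_hashes(requirement_line))


def demo():
    """Pin a constructed package payload, then verify the original and a tampered copy.

    Returns (original_ok, tampered_ok); expected (True, False).
    """
    # Constructed stand-in for a downloaded archive; the "registry" hash is the
    # value the package page would display under the proposal.
    published = b"PK\x03\x04 constructed package X.YY payload\n"
    displayed_sha256 = hashlib.sha256(published).hexdigest()
    pin_line = f"package-x==YY --hash=sha256:{displayed_sha256}"

    original_ok = verify_bytes(published, pin_line)
    # One flipped byte models an artifact altered after the hash was published.
    tampered = published[:-2] + b"!" + published[-1:]
    tampered_ok = verify_bytes(tampered, pin_line)
    return original_ok, tampered_ok


if __name__ == "__main__":
    ok, bad = demo()
    print(f"original artifact verified: {ok}; tampered artifact verified: {bad}")
```

Locking a build to the displayed hash in this way means a substituted or modified artifact with the same name and version is rejected at install time, which is the assurance the proposal describes.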