
Display hashes associated with a package

Proposal

When a user looks at a package through the web interface there is no way for them to see which hashes are associated with it. Beyond the name and version number, the user therefore has no way to confirm that the package they are downloading is the one they expect.

Design Comp
[Screenshot: design comp of the package page showing the associated hashes]

If a user is downloading Package X.YY, showing its hashes in the web interface would provide some assurance and let them pin their build to a specific hash as well as a version number. Being able to compare hashes helps organizations confirm that packages have not been tampered with between publication and download.

Below is a screenshot of how PyPI handles hashes in its web interface.

[Screenshot: PyPI package page listing the per-file hashes]

Hashes are not something every user will look at, so a small link somewhere on the package page that reveals them would be enough. They are an important security control for combating a variety of supply-chain attacks, including dependency confusion: a build pinned to a hash refuses an artifact that carries the expected name and version but different contents, whichever registry it was fetched from.
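As an added example (not code from GitLab, PyPI, or this proposal), the following Python script shows what a user does with a displayed hash once they have it: commit a pinned requirement line, then refuse a download whose bytes do not match. The `--hash=algo:hex` line format is modelled on pip's syntax, but the parser here is a simplified stand-in rather than pip's own implementation; the artifact bytes are constructed and `example-package` is a hypothetical name. The digests computed are the ones PyPI displays per file (SHA256, MD5, BLAKE2b-256), and the parser rejects a pin that relies on MD5 alone.

```python
"""Added example: verify a downloaded package file against pinned hashes.

Illustrative code, not part of GitLab or PyPI. The requirement-line syntax is
modelled on pip's ``--hash=algo:hex`` pins; the parser is a simplified stand-in.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Digests PyPI shows per file are sha256, md5 and blake2b with a 32-byte digest.
# md5 is displayed for compatibility only: it is collision-prone, so a build
# must be pinned by at least one strong digest.
SUPPORTED = ("sha256", "sha384", "sha512", "md5", "blake2b_256")
STRONG = ("sha256", "sha384", "sha512", "blake2b_256")


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Return the digests of a file's bytes, keyed by algorithm name."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha384": hashlib.sha384(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "blake2b_256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def parse_pinned_requirement(line: str) -> Tuple[str, Dict[str, str]]:
    """Parse 'name==version --hash=algo:hex [--hash=algo:hex ...]'.

    Returns (spec, {algo: hex}). Rejects a line with no pin, a malformed
    pin, and a line whose only pins are weak digests.
    """
    tokens = line.split()
    if not tokens:
        raise ValueError("empty requirement line")
    spec, pins = tokens[0], {}
    for tok in tokens[1:]:
        if not tok.startswith("--hash="):
            raise ValueError(f"unexpected token {tok!r}")
        algo, sep, digest = tok[len("--hash="):].partition(":")
        digest = digest.lower()
        if not sep or algo not in SUPPORTED or not digest:
            raise ValueError(f"unsupported hash pin {tok!r}")
        if any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"non-hex digest in {tok!r}")
        pins[algo] = digest
    if not pins:
        raise ValueError(f"no --hash pin on {spec!r}")
    if not any(algo in STRONG for algo in pins):
        raise ValueError(f"{spec!r} is pinned only by weak hashes: {sorted(pins)}")
    return spec, pins


def verify_download(data: bytes, pins: Dict[str, str]) -> bool:
    """True only if the bytes match every pinned digest (constant-time compare)."""
    actual = compute_hashes(data)
    return all(hmac.compare_digest(actual[algo], digest) for algo, digest in pins.items())


def build_pin_line(spec: str, data: bytes, algos=("sha256",)) -> str:
    """Produce the pinned requirement line a maintainer would commit for `data`."""
    hashes = compute_hashes(data)
    return " ".join([spec] + [f"--hash={a}:{hashes[a]}" for a in algos])


def check_artifact(line: str, data: bytes) -> bool:
    """End to end: parse the committed pin, then verify the downloaded bytes."""
    _spec, pins = parse_pinned_requirement(line)
    return verify_download(data, pins)


# Constructed sample artifact standing in for the bytes of a package file.
SAMPLE_ARTIFACT = b"PK\x03\x04 example-package 1.2.3 (constructed, not a real archive)"
# A tampered copy published under the same name and version: one byte differs.
TAMPERED_ARTIFACT = SAMPLE_ARTIFACT[:-1] + b"!"
# The line a maintainer would commit after reading the hash off the package page.
PIN_LINE = build_pin_line("example-package==1.2.3", SAMPLE_ARTIFACT)

if __name__ == "__main__":
    print(PIN_LINE)
    print("genuine :", check_artifact(PIN_LINE, SAMPLE_ARTIFACT))    # True
    print("tampered:", check_artifact(PIN_LINE, TAMPERED_ARTIFACT))  # False
```

The useful property is the last line: the tampered file has the same name and version as the genuine one, so version pinning alone would accept it, while the hash pin rejects it. Displaying the hash on the package page is what makes `PIN_LINE` possible to write without first downloading and trusting the file.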

Edited by Tim Rizzi