Details
- Improvement
- Resolution: Fixed
- Major
- 3.21.1
- 3
- NXRM MadMax Sprint 37, NXRM MadMax Sprint 38
- non-concept
Description
Nexus hosted PyPI repositories should provide SHA256 hashes in the href attributes of the /simple web interface that link to the package files being served, as described in PEP 503. Currently, Nexus hosted PyPI repositories provide MD5 hashes for packages through the /simple web interface.
From PEP 503, describing the PyPI /simple interface:
The href attribute MUST be a URL that links to the location of the file for download, and the text of the anchor tag MUST match the final path component (the filename) of the URL. The URL SHOULD include a hash in the form of a URL fragment with the following syntax: #<hashname>=<hashvalue>, where <hashname> is the lowercase name of the hash function (such as sha256) and <hashvalue> is the hex encoded digest.
...
Repositories SHOULD choose a hash function from one of the ones guaranteed to be available via the hashlib module in the Python standard library (currently md5, sha1, sha224, sha256, sha384, sha512). The current recommendation is to use sha256.
On client systems that are FIPS 140-2 compliant (where the MD5 algorithm is disabled), pip cannot download packages from a Nexus hosted PyPI repository: pip verifies the fragment hash from the /simple index after downloading a file, and because the index carries an MD5 fragment, hashlib cannot compute the digest on such a host and the install fails.
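The following is an added example (not code from Nexus or pip) of the PEP 503 hash-fragment mechanism described above: it builds the anchor an index should emit for a package file, parses the anchors back out of a /simple page, and verifies file bytes against the fragment the way a client does. The FIPS behaviour is modelled by an allow-list that excludes md5 (assumption: on a real FIPS host the failure surfaces as a ValueError from hashlib.new("md5") rather than from a policy check). The index HTML and the package bytes are constructed inline and are not a real wheel.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Hash names PEP 503 says SHOULD be available via hashlib.
PEP503_HASHES = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
# Assumption: a FIPS 140-2 host is modelled as "everything but md5".
FIPS_ALLOWED = PEP503_HASHES - {"md5"}

# #<hashname>=<hashvalue>: lowercase algorithm name, hex digest.
FRAGMENT_RE = re.compile(r"^(?P<name>[a-z0-9_]+)=(?P<value>[0-9a-fA-F]+)$")


def make_anchor(filename: str, data: bytes, hashname: str = "sha256") -> str:
    """Build the <a> tag a PEP 503 index should emit for one package file.

    Anchor text equals the final path component, and the URL carries the
    digest as a fragment. Nexus emitted hashname="md5"; the fix is "sha256".
    """
    digest = hashlib.new(hashname, data).hexdigest()
    return f'<a href="../../packages/{filename}#{hashname}={digest}">{filename}</a>'


class _AnchorParser(HTMLParser):
    """Collect (href, text) for every <a> element in a /simple page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parse_simple_index(html: str):
    """Return [(filename, hashname, hashvalue)] per anchor, validating PEP 503."""
    parser = _AnchorParser()
    parser.feed(html)
    entries = []
    for href, text in parser.links:
        parts = urlsplit(href)
        filename = unquote(parts.path.rsplit("/", 1)[-1])
        if text != filename:
            raise ValueError(f"anchor text {text!r} != filename {filename!r}")
        hashname = hashvalue = None
        if parts.fragment:
            m = FRAGMENT_RE.match(parts.fragment)
            if not m:
                raise ValueError(f"malformed hash fragment: {parts.fragment!r}")
            hashname, hashvalue = m.group("name"), m.group("value").lower()
        entries.append((filename, hashname, hashvalue))
    return entries


def verify(data: bytes, hashname: str, hashvalue: str, allowed=FIPS_ALLOWED) -> bool:
    """Check downloaded bytes against the index fragment, refusing disallowed algorithms."""
    if hashname not in allowed:
        raise ValueError(f"hash {hashname!r} not permitted on this host")
    return hashlib.new(hashname, data).hexdigest() == hashvalue


if __name__ == "__main__":
    # Constructed sample: not a real wheel, just bytes with a known digest.
    wheel = b"constructed-wheel-bytes"
    name = "example-1.0-py3-none-any.whl"
    for algo in ("md5", "sha256"):
        page = "<html><body>" + make_anchor(name, wheel, algo) + "</body></html>"
        fn, hn, hv = parse_simple_index(page)[0]
        try:
            print(algo, "verified:", verify(wheel, hn, hv))
        except ValueError as exc:
            print(algo, "rejected:", exc)
```

Running it shows the md5 index being rejected under the FIPS-style policy and the sha256 index verifying cleanly; swapping the allow-list for PEP503_HASHES shows the md5 index verifying on a non-FIPS host, which is why the defect went unnoticed there.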
Attachments
Issue Links
- causes NEXUS-34826 Upgrading to 3.41.0 does not generate sha256 for the existing assets for pypi hosted repositories (Closed)
- causes NEXUS-34950 PyPI package versions published using twine before upgrading to 3.41.0 or later are missing from /simple index preventing discovery by clients (Closed)