NEXUS-24127 (project: Dev - Nexus Repo)

PyPI repos should provide SHA256 hashes in /simple web interface

    Details

    • Type: Improvement
    • Status: In Development
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.21.1
    • Fix Version/s: None
    • Component/s: PyPI
    • Story Points: 3
    • Sprint: NXRM MadMax Sprint 37

      Description

      Nexus hosted PyPI repositories should provide SHA256 hashes in the href attributes of the /simple web interface that link to the package files being served, as described in PEP 503. Currently, Nexus hosted PyPI repositories provide MD5 hashes for packages through the /simple web interface.

      From PEP 503, describing the PyPI /simple interface:

      The href attribute MUST be a URL that links to the location of the file for download, and the text of the anchor tag MUST match the final path component (the filename) of the URL. The URL SHOULD include a hash in the form of a URL fragment with the following syntax: #<hashname>=<hashvalue>, where <hashname> is the lowercase name of the hash function (such as sha256) and <hashvalue> is the hex encoded digest.
      ...
      Repositories SHOULD choose a hash function from one of the ones guaranteed to be available via the hashlib module in the Python standard library (currently md5, sha1, sha224, sha256, sha384, sha512). The current recommendation is to use sha256.

      On FIPS 140-2 compliant client systems (where the MD5 algorithm is disabled), 'pip' cannot download packages from a Nexus hosted PyPI repository, because the href fragment it serves carries an MD5 hash.
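      As an added illustration (not the attachments on this issue and not Nexus code), the following Python audits a PEP 503 project page: it reports which links still advertise md5 fragments, checks the anchor-text rule quoted above, and shows the sha256 rewrite a fix-up layer in front of Nexus would perform. The sample index page is constructed; the set of hashes treated as FIPS-acceptable is an assumption.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

STRONG_HASHES = {"sha224", "sha256", "sha384", "sha512"}  # accepted under the FIPS policy assumed here

class SimpleIndexParser(HTMLParser):
    """Collect (anchor text, href) pairs from a PEP 503 /simple/<project>/ page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def parse_fragment(href):
    """Return (hashname, hexdigest) from the href's #hashname=hexvalue fragment, else None."""
    name, _, value = urlsplit(href).fragment.partition("=")
    well_formed = name.isalnum() and value != "" and set(value) <= set("0123456789abcdefABCDEF")
    return (name.lower(), value.lower()) if well_formed else None

def audit_index(html):
    """Per link: advertised hash, whether FIPS pip can use it, and PEP 503's text == filename rule."""
    parser = SimpleIndexParser()
    parser.feed(html)
    records = []
    for text, href in parser.links:
        frag = parse_fragment(href)
        records.append({"filename": text,
                        "hashname": frag[0] if frag else None,
                        "fips_ok": bool(frag) and frag[0] in STRONG_HASHES,
                        "text_matches": text == urlsplit(href).path.rsplit("/", 1)[-1]})
    return records

def rewrite_to_sha256(href, file_bytes):
    """What a fix-up layer in front of Nexus would emit: the same href with a #sha256= fragment."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return urlunsplit(urlsplit(href)._replace(fragment="sha256=" + digest))

# Constructed sample page: an md5 link (what Nexus serves today) and a sha256 link.
SAMPLE_INDEX = """<html><body>
<a href="../../packages/foo-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef">foo-1.0.tar.gz</a>
<a href="../../packages/foo-1.1-py3-none-any.whl#sha256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824">foo-1.1-py3-none-any.whl</a>
</body></html>"""
```

Running audit_index(SAMPLE_INDEX) flags the first link as not usable on a FIPS client; rewrite_to_sha256 needs the file bytes, which is why a proxy must fetch or cache the package before rewriting its link.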

        Attachments

        1. prepare_hashes.py (0.6 kB)
        2. nginx.conf (3 kB)
        3. nexus_fix.js (0.6 kB)

            People

            Assignee: Igor Udovika
            Reporter: James Brophy
            Last Updated By: Igor Udovika
            Team: NXRM - Mad Max
            Owner: Igor Udovika
            Votes: 28
            Watchers: 29
