author | Robert Collins <rbtcollins@hp.com> | 2015-04-23 09:58:49 +1200 |
---|---|---|
committer | Robert Collins <rbtcollins@hp.com> | 2015-04-23 09:58:49 +1200 |
commit | f76dab1a528091f658d62747334451e2c928fbd9 (patch) | |
tree | 983de58d4a8b46513fb591f8ba5826cba841c836 /docs/user_guide.rst | |
parent | 83815df61ef814ab0169d3a4ffc4f3a67a6cd940 (diff) | |
PyPI is less broken now. Update docs.
Diffstat (limited to 'docs/user_guide.rst')
-rw-r--r-- | docs/user_guide.rst | 10 |
1 files changed, 3 insertions, 7 deletions
diff --git a/docs/user_guide.rst b/docs/user_guide.rst index a5cd19202..7bf792b97 100644 --- a/docs/user_guide.rst +++ b/docs/user_guide.rst @@ -546,13 +546,9 @@ Three things are required to fully guarantee a repeatable installation using req 3. The installation is performed against an index or find-links location that is guaranteed to *not* allow archives to be changed and updated without a - version increase. Unfortunately, this is *not* true on PyPI. It is possible - for the same pypi distribution to have a different hash over time. Project - authors are allowed to delete a distribution, and then upload a new one with - the same name and version, but a different hash. See `Issue #1175 - <https://github.com/pypa/pip/issues/1175>`_ for plans to add hash - confirmation to pip, or a new "lock file" notion, but for now, know that the `peep - project <https://pypi.python.org/pypi/peep>`_ offers this feature on top of pip + version increase. While this is safe on PyPI, it may not be safe for other + indices. If you are working with an unsafe index, consider the `peep project + <https://pypi.python.org/pypi/peep>`_ which offers this feature on top of pip using requirements file comments. |
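Review bot: In the added lines of the docs/user_guide.rst hunk, "which offers this feature" no longer has an antecedent, because the removed lines were the only place that named the feature (hash confirmation). Suggest spelling it out, for example "consider the peep project, which adds hash confirmation on top of pip using requirements file comments". Two related points in the same added sentence: "While this is safe on PyPI" uses "this" for a property that item 3 states as a requirement on the index, so wording such as "PyPI meets this requirement, but other indices may not" would be clearer, and "unsafe index" should say what makes it unsafe (archives can be replaced without a version increase, so the same name and version can have a different hash over time). The hunk also drops the link to Issue #1175, which was the pointer to pip's own plans for hash confirmation. Readers on other indices are still affected, so consider keeping that reference next to the peep recommendation.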