Add hash-checking support to install and sync

[charliermarsh]

Summary

This PR adds support for hash-checking mode in pip install and pip sync. It's a large change, both in terms of the size of the diff and the modifications in behavior, but it's also one that's hard to merge in pieces (at least, with any test coverage) since it needs to work end-to-end to be useful and testable.

Here are some of the most important highlights:

• We store hashes in the cache. Where we previously stored pointers to unzipped wheels in the archives directory, we now store pointers with a set of known hashes. So every pointer to an unzipped wheel also includes its known hashes.
• By default, we don't compute any hashes. If the user runs with --require-hashes, and the cache doesn't contain those hashes, we invalidate the cache, redownload the wheel, and compute the hashes as we go. For users that don't run with --require-hashes, there will be no change in performance. For users that do, the only change will be if they don't run with --generate-hashes -- then they may see some repeated work between resolution and installation, if they use pip compile then pip sync.
• Many of the distribution types now include a hashes field, like CachedDist and LocalWheel.
• Our behavior is similar to pip, in that we enforce hashes when pulling any remote distributions, and when pulling from our own cache. Like pip, though, we don't enforce hashes if a distribution is already installed.
• Hash validity is enforced in a few different places:
  1. During resolution, we enforce hash validity based on the hashes reported by the registry. If we need to access a source distribution, though, we then enforce hash validity at that point too, prior to running any untrusted code. (This is enforced in the distribution database.)
  2. In the install plan, we only add cached distributions that have matching hashes. If a cached distribution is missing any hashes, or the hashes don't match, we don't return them from the install plan.
  3. In the downloader, we only return distributions with matching hashes.
  4. The final combination of "things we install" are: (1) the wheels from the cache, and (2) the downloaded wheels. So this ensures that we never install any mismatching distributions.
• Like pip, if --require-hashes is provided, we require that all distributions are pinned with either == or a direct URL. We also require that all distributions have hashes.

There are a few notable TODOs:

• We don't support hash-checking mode for unnamed requirements. These should be somewhat rare, though? Since pip compile never outputs unnamed requirements. I can fix this, it's just some additional work.
• We don't automatically enable --require-hashes with a hash exists in the requirements file. We require --require-hashes.

Closes #474.

Test Plan

I'd like to add some tests for registries that report incorrect hashes, but otherwise: cargo test

[charliermarsh]

@zanieb - I could use your help with this part. I'm not sure if I did the comparisons correctly here.

[zanieb]

I think this is actually wrong, although I'm not sure if it matters. You're supposed to be enforcing an ordering but here you're saying that MissingHash and MismatchedHash are never more compatible than the other value. This means that if we see both MissingHash and MismatchedHash we would arbitrarily display the first one we saw instead of preferring to present one of them to the user.

[charliermarsh]

I decided to change up the strategy in #2949, such that we treat distributions without hashes as compatible (but lower-priority). I can merge that into this PR if you agree with the change.

[charliermarsh]

@BurntSushi - Do you mind reviewing this component? The basic idea is a wrapper around any reader that can compute a set of hashes as we go. It's then used to wrap the async streams as we unzip.

[BurntSushi]

Aye. I think I have just one concern but otherwise this looks pretty reasonable to me.

[charliermarsh]

Tyvm!

[charliermarsh]

Open to advice on how best to test that if a registry tells us the wrong hashes, we still validate them at install time. I need a registry or --find-links entry that reports the wrong hashes for a given distribution.

[charliermarsh]

A few TODOs:

• Add some tests for invalid indexes.
• Run a basic benchmark (especially, to ensure that there's no regression for non---require-hashes).

I'd also like to refactor the dataflow from requirements file to RequireHashes, but this isn't required to merge.

[charliermarsh]

This is a TODO. We reject distributions without hashes when --require-hashes is provided, whereas in reality we should compute them.

[charliermarsh]

I solved this in #2949.

[konstin]

Not exactly this PR (more #2909), but do we have an explanation for .http/.rev files in the docstrings?

[konstin]

Nice work!

[konstin]

Do we want to support md5? It's cryptographically broken

[konstin]

nit: we have a constructor and getters

Suggested change

	/// The path to the archive entry in the wheel's archive bucket.
	pub path: PathBuf,
	/// The computed hashes of the archive.
	pub hashes: Vec<HashDigest>,
	/// The path to the archive entry in the wheel's archive bucket.
	path: PathBuf,
	/// The computed hashes of the archive.
	hashes: Vec<HashDigest>,

[konstin]

Why don't we spawn blocking here too?

[charliermarsh]

Because it's async whereas the other version is sync. Does that make sense?

[konstin]

yeah

[BurntSushi]

This is potentially putting 8KB on the stack. Maybe not an issue, but it's big enough to stand out to me.

I think I'd probably just use vec![0; 8192] here instead. You could put it in a thread_local! to amortize the alloc if you're concerned about perf.

[BurntSushi]

Aye. I think I have just one concern but otherwise this looks pretty reasonable to me.