
Where do you initially get the magical sha384 hash that proves the integrity of the package the first time it's imported?


Same way we do in JS-land: https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

tl;dr use `openssl` on command-line to compute the hash.

Ideally, any package repositories ought to publish the hash for your convenience.

This of course does nothing to prove that the package is safe to use, just that it won't change out from under your nose.
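The `openssl` step from the comment above, as an added example that is not part of the original thread: it computes an SRI-style `sha384-` value for a file and re-checks the file against that pinned value later. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin and re-check an SRI-style sha384 value with openssl.

# Print "sha384-<base64 of the raw digest>" for a file.
sri_hash() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    digest=$(openssl dgst -sha384 -binary "$1" | openssl base64 -A) || return 2
    [ -n "$digest" ] || return 2
    printf 'sha384-%s\n' "$digest"
}

# 0 = file matches the pinned value, 1 = mismatch, 2 = could not check.
sri_verify() {
    case $2 in
        sha384-*) ;;
        *) echo "unsupported integrity value: $2" >&2; return 2 ;;
    esac
    actual=$(sri_hash "$1") || return 2
    [ "$actual" = "$2" ] && return 0
    printf 'integrity mismatch for %s\n  pinned: %s\n  actual: %s\n' \
        "$1" "$2" "$actual" >&2
    return 1
}

# Constructed demo: pin a sample file, then change one byte of it.
sri_demo() {
    tmp=$(mktemp) || return 2
    printf 'export const answer = 42;\n' > "$tmp"     # constructed sample package
    pin=$(sri_hash "$tmp") || { rm -f "$tmp"; return 2; }
    sri_verify "$tmp" "$pin" && echo "unchanged file: ok ($pin)"
    printf 'export const answer = 43;\n' > "$tmp"     # simulated upstream change
    if sri_verify "$tmp" "$pin" 2>/dev/null; then
        status=1                                      # change went unnoticed
    else
        echo "changed file: rejected"
        status=0
    fi
    rm -f "$tmp"
    return "$status"
}

sri_demo
```

The pinned value only records what the file was when it was hashed, so the first hash should be taken from a copy you have reviewed or from a value the repository publishes.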



