enforce crc32 checks when using async-zip #12623
Can we wrap the error message to include the filename and note it's a problem with the package?
You could add a test case that `uv pip install <url>` for that bad wheel?
Or, if you can construct a small bad wheel, you could probably check it in?

```
Resolved 7 packages in [TIME]
× Failed to download `osqp @ https://files.pythonhosted.org/packages/00/04/5959347582ab970e9b922f27585d34f7c794ed01125dac26fb4e7dd80205/osqp-1.0.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl`
├─▶ Failed to extract archive
╰─▶ Bad CRC (got ca5f1131, expected d5c95dfa): osqp/ext_builtin.cpython-311-x86_64-linux-gnu.so
```
I'd probably say "Bad CRC for file {filename}: got ..." — it's not clear what this filename means as written? I guess "Bad CRC (got ...) for file: " or similar works too? Maybe all I want is "for file" in the message :D
Maybe we should also attach the archive name to "Failed to extract archive"?
## 0.6.14

### Python versions

The following Python versions have been added:

- CPython 3.13.3
- CPython 3.12.10
- CPython 3.11.12
- CPython 3.10.17
- CPython 3.9.22

See the [`python-build-standalone` release notes](https://github.com/astral-sh/python-build-standalone/releases/tag/20250409) for more details.

### Enhancements

- Add `uv-build` and `uv_build` aliases to `uv init --build-backend` ([#12776](astral-sh/uv#12776))
- Emit dedicated error message for Conda `environment.yml` files ([#12669](astral-sh/uv#12669))

### Preview features

- Build backend: Check module dir exists for sdist build ([#12779](astral-sh/uv#12779))
- Build backend: Fix sdist with long directories ([#12764](astral-sh/uv#12764))

### Performance

- Avoid querying GitHub on repeated install invocations ([#12767](astral-sh/uv#12767))

### Bug fixes

- Error when `tool.uv.sources` is set in system-level configuration file ([#12757](astral-sh/uv#12757))
- Split workspace members onto their own lines in `uv init` ([#12756](astral-sh/uv#12756))

### Documentation

- Add lockfile note about PEP 751 ([#12732](astral-sh/uv#12732))
- Extend the reference documentation for `uv pip sync` ([#12683](astral-sh/uv#12683))
- Fix mismatched pip interface header / nav titles ([#12640](astral-sh/uv#12640))

## 0.6.13

### Enhancements

- Add `--show-version` to `uv python find` ([#12376](astral-sh/uv#12376))
- Remove `--no-config` warning from `uv pip compile` and `uv pip sync` ([#12642](astral-sh/uv#12642))
- Skip repeated directories in `PATH` when searching for Python interpreters ([#12367](astral-sh/uv#12367))
- Unset `SCRIPT_PATH` in relocatable activation script ([#12672](astral-sh/uv#12672))
- Add `UV_PYTHON_DOWNLOADS_JSON_URL` to set custom managed python sources ([#10939](astral-sh/uv#10939))
- Reject `pyproject.toml` files in `uv pip compile -o` ([#12673](astral-sh/uv#12673))
- Respect the `--offline` flag for Git operations ([#12619](astral-sh/uv#12619))

### Bug fixes

- Warn instead of error if CRC appears to be missing ([#12722](astral-sh/uv#12722))
- Avoid infinite loop in `uv export` with conflicts ([#12726](astral-sh/uv#12726))

### Rust API

- Update MSRV to 1.84 ([#12670](astral-sh/uv#12670))

## 0.6.12

### Enhancements

- Report the queried executable path in `uv python list` ([#12628](astral-sh/uv#12628))
- Improve archive unpack error messages ([#12627](astral-sh/uv#12627))

### Bug fixes

- Respect `authenticate` when using `explicit = true` ([#12631](astral-sh/uv#12631))
- Normalize extra and group names in `uv add` and `uv remove` ([#12586](astral-sh/uv#12586))
- Enforce CRC-32 checks when unpacking archives ([#12623](astral-sh/uv#12623))
- Fix parsing of `python-platform` in settings files ([#12592](astral-sh/uv#12592))

### Documentation

- Add note about `uv build` to `package = false` ([#12608](astral-sh/uv#12608))
- Add index fallback note to `authenticate = always` documentation ([#12498](astral-sh/uv#12498))
- Fix invalid 'kind' reference in flat index docs ([#12583](astral-sh/uv#12583))

## 0.6.11

### Enhancements

- Add dependents ("via ..." comments) in `uv export` command ([#12350](astral-sh/uv#12350))
- Bump least-recent non-EOL macOS version to 13.0 ([#12518](astral-sh/uv#12518))
- Support `--find-links`-style "flat" indexes in `[[tool.uv.index]]` ([#12407](astral-sh/uv#12407))
- Distinguish between `-q` and `-qq` ([#12300](astral-sh/uv#12300))

### Configuration

- Support `UV_PROJECT` environment to set project directory. ([#12327](astral-sh/uv#12327))

### Performance

- Use a boxed slice for various requirement types ([#12514](astral-sh/uv#12514))

### Bug fixes

- Add a newline after metadata when initializing scripts with other metadata blocks ([#12501](astral-sh/uv#12501))
- Avoid writing empty `requires-python` to script blocks ([#12517](astral-sh/uv#12517))
- Respect build constraints in `uv sync` ([#12502](astral-sh/uv#12502))
- Respect transitive dependencies in `uv tree --only-group` ([#12560](astral-sh/uv#12560))

## 0.6.10

### Enhancements

- Add `uv sync --check` flag ([#12342](astral-sh/uv#12342))
- Add support for Python version requests in `uv python list` ([#12375](astral-sh/uv#12375))
- Support `.env` files in `uv tool run` ([#12386](astral-sh/uv#12386))
- Support `python find --script` ([#11891](astral-sh/uv#11891))

### Preview features

- Check all compatible torch indexes when `--torch-backend` is enabled ([#12385](astral-sh/uv#12385))

### Performance

- Use a boxed slice for extras and groups ([#12391](astral-sh/uv#12391))
- Use small string for index name type ([#12355](astral-sh/uv#12355))

### Bug fixes

- Allow virtual packages with `--no-build` ([#12314](astral-sh/uv#12314))
- Ignore `--find-links` entries for pinned indexes ([#12396](astral-sh/uv#12396))
- Omit wheels from lockfile based on `--exclude-newer` ([#12299](astral-sh/uv#12299))
- Retain end-of-line comment position when adding dependency ([#12360](astral-sh/uv#12360))
- Omit fragment when querying for wheels in Simple HTML API ([#12384](astral-sh/uv#12384))
- Error on missing argument in `requirements.txt` ([#12354](astral-sh/uv#12354))
- Support modules with different casing in build backend ([#12240](astral-sh/uv#12240))
- Add authentication policy support for `pip` commands ([#12470](astral-sh/uv#12470))

## 0.6.9

### Enhancements

- Use `keyring --mode creds` when `authenticate = "always"` ([#12316](astral-sh/uv#12316))
- Fail with specific error message when no password is present and `authenticate = "always"` ([#12313](astral-sh/uv#12313))

### Bug fixes

- Add boolish value parser for `UV_MANAGED_PYTHON` flags ([#12345](astral-sh/uv#12345))
- Make deserialization non-fatal when assessing source tree revisions ([#12319](astral-sh/uv#12319))
- Use resolver-returned wheel over alternate cached wheel ([#12301](astral-sh/uv#12301))

### Documentation

- Add experimental `--torch-backend` to the PyTorch guide ([#12317](astral-sh/uv#12317))
- Fix `#keyring-provider` references in alternative index docs ([#12315](astral-sh/uv#12315))
- Fix `--directory` path in examples ([#12165](astral-sh/uv#12165))

### Preview changes

- Automatically infer the PyTorch index via `--torch-backend=auto` ([#12070](astral-sh/uv#12070))

## 0.6.8

### Enhancements

- Add support for enabling all groups by default with `default-groups = "all"` ([#12289](astral-sh/uv#12289))
- Add simpler `--managed-python` and `--no-managed-python` flags for toggling Python preferences ([#12246](astral-sh/uv#12246))

### Performance

- Avoid allocations for default cache keys ([#12063](astral-sh/uv#12063))

### Bug fixes

- Allow local version mismatches when validating lockfile ([#12285](astral-sh/uv#12285))
- Allow owned string when deserializing `requires-python` ([#12278](astral-sh/uv#12278))
- Make cache errors non-fatal in `Planner::build` ([#12281](astral-sh/uv#12281))

## 0.6.7

### Python

- Add CPython 3.14.0a6
- Fix regression where extension modules would use wrong `CXX` compiler on Linux
- Enable FTS3 enhanced query syntax for SQLite

See the [`python-build-standalone` release notes](https://github.com/astral-sh/python-build-standalone/releases/tag/20250317) for more details.

### Enhancements

- Add support for `-c` constraints in `uv add` ([#12209](astral-sh/uv#12209))
- Add support for `--global` default version in `uv python pin` ([#12115](astral-sh/uv#12115))
- Always reinstall local source trees passed to `uv pip install` ([#12176](astral-sh/uv#12176))
- Render token claims on publish permission error ([#12135](astral-sh/uv#12135))
- Add pip-compatible `--group` flag to `uv pip install` and `uv pip compile` ([#11686](astral-sh/uv#11686))

### Preview features

- Avoid creating duplicate directory entries in built wheels ([#12206](astral-sh/uv#12206))
- Allow overriding module names for editable builds ([#12137](astral-sh/uv#12137))

### Performance

- Avoid replicating core-metadata field on `File` struct ([#12159](astral-sh/uv#12159))

### Bug fixes

- Add `src` to default cache keys ([#12062](astral-sh/uv#12062))
- Discard insufficient fork markers ([#10682](astral-sh/uv#10682))
- Ensure `python pin --global` creates parent directories if missing ([#12180](astral-sh/uv#12180))
- Fix GraalPy abi tag parsing and discovery ([#12154](astral-sh/uv#12154))
- Remove extraneous script packages in `uv sync --script` ([#12158](astral-sh/uv#12158))
- Remove redundant `activate.bat` output ([#12160](astral-sh/uv#12160))
- Avoid subsequent index hint when no versions are available on the first index ([#9332](astral-sh/uv#9332))
- Error on lockfiles with incoherent wheel versions ([#12235](astral-sh/uv#12235))

### Rust API

- Update `BaseClientBuild` to accept custom proxies ([#12232](astral-sh/uv#12232))

### Documentation

- Make testpypi index explicit in example snippet ([#12148](astral-sh/uv#12148))
- Reverse and format the archived changelogs ([#12099](astral-sh/uv#12099))
- Use consistent commas around i.e. and e.g. ([#12157](astral-sh/uv#12157))
- Fix typos in MRE docs ([#12198](astral-sh/uv#12198))
- Fix double space typo ([#12171](astral-sh/uv#12171))
Fixes #12618
Instead of succeeding, the user now gets:
I am not entirely sure if we have infra for testing this kind of thing, but it would be nice to check in a test or two. I'm also not entirely clear if there are any cases where these checks are overzealous.
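
The kind of check discussed in this thread, run against a small constructed "bad wheel" entry. This is an added example, not code from uv or async-zip: it parses a single ZIP local file header using only the standard library, and the names `stored_entry`, `verify_stored_entry` and `CrcStatus` are hypothetical. Treating a zero CRC field as "missing" (warn rather than fail) is an assumption about what the 0.6.13 changelog entry means.

```rust
// Added example (std only): stored (method 0) entries without a data descriptor.
#[derive(Debug, PartialEq)]
pub enum CrcStatus { Verified, Missing }

/// Bitwise CRC-32 (reflected polynomial 0xEDB88320), the per-entry checksum ZIP stores.
pub fn crc32(data: &[u8]) -> u32 {
    let mut crc = !0u32;
    for &byte in data {
        crc ^= u32::from(byte);
        for _ in 0..8 {
            crc = if crc & 1 == 1 { (crc >> 1) ^ 0xEDB8_8320 } else { crc >> 1 };
        }
    }
    !crc
}

fn le16(b: &[u8], at: usize) -> usize { usize::from(u16::from_le_bytes([b[at], b[at + 1]])) }
fn le32(b: &[u8], at: usize) -> u32 { u32::from_le_bytes([b[at], b[at + 1], b[at + 2], b[at + 3]]) }

/// Constructed sample: one local file header followed by stored data.
pub fn stored_entry(name: &str, data: &[u8], crc: u32) -> Vec<u8> {
    let len = (data.len() as u32).to_le_bytes();
    // Signature, version 2.0, then flags, method, time and date all zero (14 bytes).
    let mut v = vec![0x50, 0x4b, 0x03, 0x04, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0];
    v.extend_from_slice(&crc.to_le_bytes()); // offset 14: CRC-32
    v.extend_from_slice(&len); // offset 18: compressed size
    v.extend_from_slice(&len); // offset 22: uncompressed size
    v.extend_from_slice(&(name.len() as u16).to_le_bytes()); // offset 26: name length
    v.extend_from_slice(&[0, 0]); // offset 28: extra-field length
    v.extend_from_slice(name.as_bytes());
    v.extend_from_slice(data);
    v
}

/// Recompute the CRC over the entry's data and compare it with the header field.
pub fn verify_stored_entry(buf: &[u8]) -> Result<(String, CrcStatus), String> {
    if buf.len() < 30 || !buf.starts_with(b"PK\x03\x04") {
        return Err("not a local file header".into());
    }
    if le16(buf, 6) & 0x08 != 0 || le16(buf, 8) != 0 {
        return Err("only stored entries without a data descriptor are handled".into());
    }
    let expected = le32(buf, 14);
    let name_end = 30 + le16(buf, 26);
    let start = name_end + le16(buf, 28);
    let end = start.checked_add(le32(buf, 18) as usize).filter(|&e| e <= buf.len())
        .ok_or_else(|| String::from("truncated entry"))?;
    let name = String::from_utf8_lossy(&buf[30..name_end]).into_owned();
    let got = crc32(&buf[start..end]);
    match (got == expected, expected) {
        (true, _) => Ok((name, CrcStatus::Verified)),
        // Assumption: a zero field means the writer never recorded a CRC; the caller warns.
        (false, 0) => Ok((name, CrcStatus::Missing)),
        // Same message shape as the output quoted in the thread.
        (false, _) => Err(format!("Bad CRC (got {got:08x}, expected {expected:08x}): {name}")),
    }
}

fn main() {
    let data = b"print('hello')\n"; // constructed payload
    let mut wheel = stored_entry("pkg/__init__.py", data, crc32(data));
    *wheel.last_mut().unwrap() ^= 0x01; // flip one bit of the payload
    println!("{:?}", verify_stored_entry(&wheel));
}
```

An empty file legitimately has a CRC of zero, which is why the zero-field case is only reported as `Missing` when the recomputed value differs.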