chore: Upgrade html5lib to version 1.1. by bmd3k · Pull Request #5490 · tensorflow/tensorboard

Thanks for taking care of this!

I chose to use the PyPI URL for the download of the dependency as I had difficulties finding the sha256 hashes for the version of the library at mirror.tensorflow.org and github.com (they differ from the PyPI one).

It's fine to just generate the sha256 hash locally - i.e. download the tarball and compute the hash yourself. In this case it might be easier to still do that, since the github one is already mirrored (see other comment).

FWIW, to justify that a little - the point of the hash isn't really to verify the integrity of the file that you're downloading today from the server, because in general we assume you're downloading it via HTTPS, on a reasonably secure machine and network, etc., and it doesn't really add much protection to separately get a hash from the same server rather than just computing it yourself. The point is to ensure the server doesn't change the contents of the file in the future. That way, we reduce the amount of trust we need to have from "I trust this server in perpetuity" to "I trust this server right now, today".
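
The pinning model described in the comment above, as an added Python example that is not part of the PR or of TensorBoard's build: the hash is computed locally once from the bytes downloaded today, and every later fetch is rejected unless it matches that pin. The URLs, byte strings and the `fetch` callable are constructed stand-ins for real HTTPS downloads, and falling back to the next URL on a mismatch is this example's own choice.

```python
import hashlib
import hmac
import io

def sha256_stream(fileobj, chunk_size=65536):
    """Hash a file-like object in chunks so a large tarball is never held whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def fetch_pinned(urls, pinned_sha256, fetch):
    """Return (url, data) for the first URL whose bytes match the pinned hash.

    `fetch` is a hypothetical callable url -> bytes standing in for the download.
    Raises ValueError with every observed hash if no source serves the pinned bytes.
    """
    mismatches = []
    for url in urls:
        data = fetch(url)
        actual = sha256_stream(io.BytesIO(data))
        if hmac.compare_digest(actual, pinned_sha256.lower()):
            return url, data
        mismatches.append((url, actual))
    raise ValueError(f"no source matched pin {pinned_sha256}: {mismatches}")

# Constructed sample data: both servers serve the same bytes on the day of review.
MIRROR = "https://mirror.example/html5lib-1.1.tar.gz"
ORIGIN = "https://origin.example/html5lib-1.1.tar.gz"
TODAY = {MIRROR: b"constructed tarball bytes", ORIGIN: b"constructed tarball bytes"}

# "I trust this server right now, today": compute the pin locally, once.
PIN = sha256_stream(io.BytesIO(TODAY[ORIGIN]))

def demo():
    urls = [MIRROR, ORIGIN]
    first, _ = fetch_pinned(urls, PIN, TODAY.__getitem__)
    # Later, the mirror's file changes: the pin skips it and the origin still passes.
    later = dict(TODAY)
    later[MIRROR] = b"constructed tarball bytes, silently replaced"
    fallback, _ = fetch_pinned(urls, PIN, later.__getitem__)
    # If every source has changed, the fetch fails closed instead of using new bytes.
    later[ORIGIN] = b"constructed tarball bytes, also replaced"
    try:
        fetch_pinned(urls, PIN, later.__getitem__)
        rejected = False
    except ValueError:
        rejected = True
    return first, fallback, rejected
```
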