new INSTALLER and REQUESTED files are chmod 600

[AtomBaf]

Since recently, I noticed that the uv pip install command will add 2 files in the metadata directory of an installed package: INSTALLER and REQUESTED.

These files were not there in previous uv versions, I don't know however when it was introduced but I can tell that this was not the case in version 0.2.2.
Now with the current version 0.2.28 these files are there. My problem is that their mod is 600 instead of a more usual 644 for other files in the same directory (like METADATAor WHEEL).
This causes a problem on my stack since for other reasons I install the package with one user, and another user read the libs metadata for some checks.

edit: related commit: https://github.com/astral-sh/uv/pull/337/files#diff-c1686969b46b2c133e184a8c25069ada51363d91354e35fac208bb67239fcf2cL813

[charliermarsh]

Interesting, thanks.

[charliermarsh]

What operating system are you on?

[charliermarsh]

Interesting, ok, this changed because we initially create the file in a temporary directory, then move it over (to avoid partial writes), and by default that uses 600: https://docs.rs/tempfile/latest/tempfile/struct.Builder.html#method.permissions

[charliermarsh]

I'm surprised we don't see this in more places?

[AtomBaf]

Sorry, my OS is Rocky Linux 9.3.

And I think what I'm doing should not happen often since reading all the files including these 2 files is not what python will typically do. This is probably why I'm the first to report this.

[charliermarsh]

No worries. You're right that the permissions should be changed.