Relevant notes and dosctring improvements

Author: anuunchin

dlt/common/utils.py

@@ -137,6 +137,10 @@ def digest256_tar_stream(stream: BinaryIO, chunk_size: int = 8192) -> str:
     Hashes only filenames and file contents, ignoring timestamps and other metadata.
     This ensures identical file contents produce identical hashes regardless of when
     the tar was created.
+
+    Note: This function operates entirely in-memory using tar.extractfile() which reads
+    from the archive stream. No files are written to disk, preventing leakage of sensitive
+    data that may be contained in the archive.
     """
     stream.seek(0)
     hash_obj = hashlib.sha3_256()

tests/workspace/deployment/test_package_builder.py

@@ -75,6 +75,8 @@ def test_build_package() -> None:
         assert str(package_path).startswith(f"{ctx.data_dir}{os.sep}deployment-")
         assert len(content_hash) == 44  # sha3_256 base64 string
 
+        # NOTE: Sleep ensures tarballs have different timestamps in their metadata, proving
+        # digest256_tar_stream produces identical hashes despite different creation times
         time.sleep(0.2)
 
         package_path_2, content_hash_2 = builder.build_package(selector)