Even if no maintenance were required, it's still a feature that promises to provide security but doesn't. This kind of feature has negative value.I'd also suggest adding a small note to the PEP documenting that the signing feature didn't work out, and maybe linking to Donald's package signing blog post. I know updating PEPs isn't the most common thing, but it's the main documentation of the wheel format and it'll save confusion later._______________________________________________On Mar 22, 2018 10:57 AM, "Wes Turner" <wes.turner@gmail.com> wrote:What maintenance is required?Here's a link to the previous discussion of this issue:"Remove or deprecate wheel-signing features"What has changed? There is still no method for specifying a keyring; whereas with GPG, all keys in the ring are trusted.
On Thursday, March 22, 2018, Nick Coghlan <ncoghlan@gmail.com> wrote:On 22 March 2018 at 22:35, <alex.gronholm@nextday.fi> wrote:Cool, that's what I thought you meant, but I figured I should double check since our discussion was a while ago now :)cryptographic signing and verifying functionality, just the way youI am not changing the format of RECORD, I'm simply removing the
described. Hash checking will stay. As we agreed earlier, those
features could be deprecated or removed from the PEP entirely.Cheers,Nick.
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig