
On Thu, 2018-03-22 at 21:44 +1000, Nick Coghlan wrote:
On 22 March 2018 at 05:03, alex.gronholm@nextday.fi wrote:
After spending quite some time thinking about this, I've decided to cut out the wheel signature related features from the wheel codebase, unless there is significant resistance among the readers of this mailing list. For those not involved in the previous discussion, the reasoning is that the codebase can be significantly simplified by removing this rarely used feature whose practical value is questionable at best, given the lack of infrastructure for public key distribution.
Clarifying the scope here: is this about removing the hashes from the RECORD file, or just about dropping the native support for injecting the RECORD.jws and/or RECORD.p7s file? I ask as both of those features are covered in the same section of PEP 427: https://www.python.org/dev/peps/pep-0427/#signed-wheel-files
If it's just the latter, then I don't see any problem with that at all - the generated wheels will still be completely compliant with PEP 427, it's just that anyone that does want to sign RECORD will need to extract from the archive, sign it, then add the signature file back in.
Changing the format of RECORD would be a problem though, since it's a documented requirement that installers are expected to check those at installation time.
Cheers,
Nick.

I am not changing the format of RECORD, I'm simply removing the cryptographic signing and verifying functionality, just the way you described. Hash checking will stay. As we agreed earlier, those features could be deprecated or removed from the PEP entirely.
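The RECORD hash check that stays in place, shown as an added stand-alone example (not code from the wheel project or from anyone in this thread): it builds a small constructed wheel in memory, verifies each member against its RECORD entry in the PEP 427 form (sha256, urlsafe base64 without padding, byte size), and flags a member that was rewritten without RECORD being updated. The sample files and all function names are assumptions.

```python
import base64
import csv
import hashlib
import io
import zipfile

# Constructed sample package contents (not a real distribution).
SAMPLE_FILES = {
    "pkg/__init__.py": b"VERSION = '1.0'\n",
    "demo-1.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
}

def record_digest(data: bytes) -> str:
    # PEP 427 RECORD hash: sha256, urlsafe base64, '=' padding stripped
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode("ascii")

def build_wheel(files: dict, dist_info: str = "demo-1.0.dist-info") -> bytes:
    """Zip the given members plus a RECORD that covers every one of them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        rows = []
        for name, data in files.items():
            zf.writestr(name, data)
            rows.append(f"{name},sha256={record_digest(data)},{len(data)}")
        rows.append(f"{dist_info}/RECORD,,")  # RECORD carries no hash of itself
        zf.writestr(f"{dist_info}/RECORD", "\n".join(rows) + "\n")
    return buf.getvalue()

def verify_record(wheel_bytes: bytes) -> list:
    """Return a list of problems; an empty list means every member checked out."""
    problems, listed = [], set()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        records = [n for n in zf.namelist() if n.endswith(".dist-info/RECORD")]
        if len(records) != 1:
            return [f"expected exactly one RECORD, found {len(records)}"]
        for row in csv.reader(zf.read(records[0]).decode("utf-8").splitlines()):
            if not row:
                continue
            path, hash_field, size_field = row[0], row[1], row[2]
            listed.add(path)
            if path == records[0]:
                continue
            if path not in zf.namelist():
                problems.append(f"{path}: listed in RECORD but missing from archive")
                continue
            data = zf.read(path)
            algo, _, expected = hash_field.partition("=")
            if algo != "sha256":
                problems.append(f"{path}: unsupported hash algorithm {algo!r}")
            elif record_digest(data) != expected:
                problems.append(f"{path}: sha256 mismatch")
            if size_field and int(size_field) != len(data):
                problems.append(f"{path}: size mismatch")
        # Anything in the archive that RECORD does not mention is also a finding.
        problems += [f"{n}: present in archive but not in RECORD"
                     for n in zf.namelist() if n not in listed and not n.endswith("/")]
    return problems

def replace_member(wheel_bytes: bytes, path: str, new_data: bytes) -> bytes:
    """Test helper: rewrite one member while leaving RECORD untouched."""
    src = zipfile.ZipFile(io.BytesIO(wheel_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, new_data if name == path else src.read(name))
    return buf.getvalue()
```

An installer that skips this check would happily unpack the modified member; the size field alone would not catch a same-length change, which is why the hash is what matters.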