18 Jul 2012, 2:44 p.m.
On Wed, Jul 18, 2012 at 1:53 PM, Daniel Holth wrote:
> One of the main design goals for the wheel built package format is that a wheel archive extracted to sys.path is a PEP-376 compliant installation. I also want most wheel files to be cryptographically signed. The idea is to include a < 256 byte JSON Web Signature of RECORD, "RECORD.jws", which will only take a couple of milliseconds to generate, in the .dist-info directory. This is only meaningful if RECORD has strong hashes, or the installer would have to always rewrite RECORD on install just to include md5 sums to follow the spec.
If you're including another file anyway, why not just put the signatures in there, then?
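
The two-layer check under discussion in this thread (a signature over RECORD, and RECORD's per-file hashes over the content), as an added example that is not part of the thread or of the wheel project's code. Assumptions: HS256 from the standard library stands in for whatever JWS algorithm would be used, the JWS payload is a sha256 digest of RECORD, rows use an `algo=digest` form, and all function names and sample files are hypothetical.

```python
import base64, csv, hashlib, hmac, io, json

STRONG = {"sha256"}  # assumption: rows with any other algorithm are refused

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def digest(data, algo="sha256"):
    return algo + "=" + b64u(hashlib.new(algo, data).digest())

def make_record(files):
    """Build RECORD text: one 'path,algo=digest,size' row per file."""
    out = io.StringIO()
    rows = csv.writer(out, lineterminator="\n")
    for path in sorted(files):
        rows.writerow([path, digest(files[path]), len(files[path])])
    return out.getvalue().encode()

def sign_record(record, key):
    """Compact JWS whose payload carries only the digest of RECORD."""
    parts = [b64u(json.dumps(obj, separators=(",", ":")).encode())
             for obj in ({"alg": "HS256"}, {"hash": digest(record)})]
    mac = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64u(mac)])

def verify(files, record, jws, key):
    """Return a list of problems; an empty list means the tree is intact."""
    header, payload, sig = jws.split(".")
    # The algorithm is fixed here, never taken from the untrusted header.
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64u(mac), sig):
        return ["bad signature"]
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims.get("hash") != digest(record):
        return ["RECORD does not match signed digest"]
    problems, listed = [], set()
    for path, value, _size in csv.reader(io.StringIO(record.decode())):
        listed.add(path)
        algo = value.partition("=")[0]
        if algo not in STRONG:
            # A valid signature over weak hashes vouches for nothing.
            problems.append(f"{path}: weak or missing hash '{algo}'")
        elif path not in files or digest(files[path], algo) != value:
            problems.append(f"{path}: content mismatch")
    unlisted = sorted(set(files) - listed)
    return problems + [f"{p}: not listed in RECORD" for p in unlisted]
```

A RECORD that lists only md5 sums can carry a perfectly valid signature and still fail here, which is the dependency on strong hashes that the quoted message points out.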