On 22 March 2018 at 05:03, <alex.gronholm@nextday.fi> wrote:
After spending quite some time thinking about this, I've decided to cut
out the wheel signature related features from the wheel codebase,
unless there is significant resistance among the readers of this
mailing list. For those not involved in the previous discussion, the
reasoning is that the codebase can be significantly simplified by
removing this rarely used feature whose practical value is questionable
at best, given the lack of infrastructure for public key distribution.

Clarifying the scope here: is this about removing the hashes from the RECORD file, or just about dropping the native support for injecting the RECORD.jws and/or RECORD.p7s file? I ask as both of those features are covered in the same section of PEP 427: https://www.python.org/dev/peps/pep-0427/#signed-wheel-files

If it's just the latter, then I don't see any problem with that at all - the generated wheels will still be completely compliant with PEP 427, it's just that anyone that does want to sign RECORD will need to extract it from the archive, sign it, then add the signature file back in.

Changing the format of RECORD would be a problem though, since it's a documented requirement that installers are expected to check those at installation time.

Cheers,
Nick.

--
Nick Coghlan   |   ncoghlan@gmail.com   |   Brisbane, Australia
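
The RECORD hash check that the reply says installers are expected to perform, as an added example (not code from this thread or from the wheel project). The project name demo-1.0, the file contents and the helper names are constructed for illustration; the hash encoding and the rule that RECORD.jws/RECORD.p7s are not listed in RECORD follow PEP 427.

```python
import base64, csv, hashlib, io, zipfile

ALLOWED = {"sha256", "sha384", "sha512"}  # PEP 427 forbids md5 and sha1
DIST_INFO = "demo-1.0.dist-info"          # constructed project name
SIGNATURES = (DIST_INFO + "/RECORD.jws", DIST_INFO + "/RECORD.p7s")

def record_hash(data, algo="sha256"):
    """Encode a digest the way RECORD does: algo=urlsafe-base64 without padding."""
    digest = hashlib.new(algo, data).digest()
    return algo + "=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_wheel(files, extra=None):
    """Build a constructed in-memory wheel; `extra` is added after RECORD is written."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        out = io.StringIO()
        writer = csv.writer(out, lineterminator="\n")
        for name, data in files.items():
            zf.writestr(name, data)
            writer.writerow([name, record_hash(data), len(data)])
        writer.writerow([DIST_INFO + "/RECORD", "", ""])  # RECORD cannot hash itself
        zf.writestr(DIST_INFO + "/RECORD", out.getvalue())
        for name, data in (extra or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()

def verify_wheel(wheel_bytes):
    """Return (problem, path) tuples; an empty list means the archive matches RECORD."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        record = zf.read(DIST_INFO + "/RECORD").decode("utf-8")
        rows = {row[0]: row[1] for row in csv.reader(io.StringIO(record)) if row}
        for name in zf.namelist():
            if name == DIST_INFO + "/RECORD" or name in SIGNATURES:
                continue  # signature files are added after RECORD and never listed
            expected = rows.get(name, "")
            algo = expected.partition("=")[0]
            if not expected:
                problems.append(("not-in-record", name))
            elif algo not in ALLOWED:
                problems.append(("weak-or-unknown-hash", name))
            elif record_hash(zf.read(name), algo) != expected:
                problems.append(("hash-mismatch", name))
        problems += [("missing-file", n) for n in rows if n not in zf.namelist()]
    return problems
```

Adding a RECORD.jws after the fact leaves the check passing, which is the extract, sign, re-add workflow described in the reply; the hashes only detect changes relative to RECORD and say nothing about who produced the wheel.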