REQ: feedback re: &quot;Remove or deprecate wheel signing features #196&quot;<div><a href="https://github.com/pypa/wheel/issues/196">https://github.com/pypa/wheel/issues/196</a></div><div><br></div><div>Is the current implementation incomplete without signature verification? According to the spec?</div><div><br></div><div>```</div><div><div>The spec includes this feature. So, even though this verify() function is incomplete, it would be wrong to just remove it without also removing it from the spec.</div><div> </div><div>- <a href="https://www.python.org/dev/peps/pep-0427/#signed-wheel-files">https://www.python.org/dev/peps/pep-0427/#signed-wheel-files</a></div><div>- <a href="https://www.python.org/dev/peps/pep-0491/#signed-wheel-files">https://www.python.org/dev/peps/pep-0491/#signed-wheel-files</a></div><div><br></div><div>I don&#39;t have the information needed to explain what completely implemented signatures are useful for. Does the spec explain this?</div><div><br></div><div>&gt; A wheel installer is not required to understand digital signatures but MUST verify the hashes in RECORD against the extracted file contents. When the installer checks file hashes against RECORD, a separate signature checker only needs to establish that RECORD matches the signature.</div></div><div>```</div><div><br>On Sunday, October 29, 2017, Alex Grönholm &lt;<a href="mailto:alex.gronholm@nextday.fi">alex.gronholm@nextday.fi</a>&gt; wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I am planning for a 1.0.0 release of the &quot;wheel&quot; library. I would like to start using semver from this point onwards, which in the case of wheel means that its command line interface should be well defined and remain backwards compatible. As part of this effort, I&#39;ve rewritten the documentation (currently in the &quot;docs-update&quot; branch on Github) to conform to the PyPA guidelines. Wheel also had some generated API documentation on ReadTheDocs, but as discussed privately with Daniel Holth and Nick Coghlan, wheel should not have a public API going forward so I&#39;ve deleted that documentation.<br>
<br>
I&#39;ve also taken a hard look at wheel&#39;s features and would like to remove those which I consider to be either useless or harmful. I&#39;ve added these tasks as issues on Github.<br>
<br>
All the issues that I&#39;d like to get resolved by 1.0.0 have been tagged with the proper milestone marker here: <a href="https://github.com/pypa/wheel/milestone/1" target="_blank">https://github.com/pypa/wheel/<wbr>milestone/1</a><br>
<br>
Feedback is very welcome!<br>
<br>
ps. Daniel, if you&#39;re reading this, would you mind giving the new docs a once-over? Also, if you can suggest where to put the &quot;story&quot; page, I&#39;ll link it back to the main index file.<br>
<br>
______________________________<wbr>_________________<br>
Distutils-SIG maillist  -  <a>Distutils-SIG@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/distutils-sig" target="_blank">https://mail.python.org/mailma<wbr>n/listinfo/distutils-sig</a><br>
</blockquote></div>