
On 22 Aug, 2012, at 4:52, Daniel Holth dholth@gmail.com wrote:
> I've made what I think is exciting progress on the digital signatures design for wheel (updated built/binary packages for Python; intended to replace egg). The insight is that we can overload the "extras" syntax as a convenient way to mention the public key we expect:
>
> package[extra, ed25519=ouBJlTJJ4SJXoy8Bi1KRlewWLU6JW7HUXTgvU1YRuiA]
Why this hack instead of providing explicit syntax for this?

Also the format doesn't seem to have any way to verify the validity of the signing key; the documentation even says that "key distribution is out of scope for this spec". That's odd for a feature that's intended to add security.

Why did you decide to use JSON Web Signatures instead of PGP signatures, or even X.509 signatures? With the latter two the key distribution problem is already solved, and PGP signatures are used a lot in the open-source world.
Ronald
http://wheel.readthedocs.org/en/latest/index.html#signed-wheel-files
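The key-pinning idea in the quoted proposal, as an added example that is not part of this thread or of wheel's own code: it parses the overloaded extras syntax, decodes the pinned ed25519 public key and checks it against the key carried in a JWS protected header, which is exactly the step that the "key distribution is out of scope" remark leaves unanchored. The header layout (alg/jwk/vk) and the function names are assumptions; the Ed25519 signature itself is not verified here, which requires an Ed25519 library.

```python
import base64
import hmac
import json
import re

# Requirement syntax from the quoted mail: name[extra, ed25519=<base64url key>]
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:\[(.*)\])?\s*$")


def b64url_decode(s):
    """Decode unpadded base64url, as used in JWS and in the proposed extras syntax."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_requirement(req):
    """Split a requirement into (name, ordinary extras, pinned raw 32-byte keys)."""
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError("bad requirement: %r" % req)
    name, body = m.group(1), m.group(2) or ""
    extras, keys = [], []
    for item in (x.strip() for x in body.split(",") if x.strip()):
        if item.startswith("ed25519="):
            key = b64url_decode(item[len("ed25519="):])
            if len(key) != 32:  # an Ed25519 public key is exactly 32 bytes
                raise ValueError("ed25519 pin must decode to 32 bytes")
            keys.append(key)
        else:
            extras.append(item)
    return name, extras, keys


def protected_header(vk_b64):
    """Construct a base64url JWS protected header for a verifying key (assumed layout)."""
    hdr = json.dumps({"alg": "Ed25519", "jwk": {"kty": "ed25519", "vk": vk_b64}})
    return base64.urlsafe_b64encode(hdr.encode()).rstrip(b"=").decode()


def pinned_key_matches(pinned_keys, jws_protected_header):
    """True only if the header's key is one the requirement pinned.

    Nothing here establishes who owns that key: the pin is the entire trust
    anchor, which is the gap the reply above points at."""
    hdr = json.loads(b64url_decode(jws_protected_header))
    vk_b64 = (hdr.get("jwk") or {}).get("vk")
    if hdr.get("alg") != "Ed25519" or not vk_b64:
        return False
    vk = b64url_decode(vk_b64)
    return any(hmac.compare_digest(vk, k) for k in pinned_keys)
```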