[Distutils] [Catalog-sig] [Python-Dev] accept the wheel PEPs 425, 426, 427

"Martin v. Löwis" martin at v.loewis.de
Tue Nov 13 10:51:04 CET 2012


On 13.11.12 03:04, Nick Coghlan wrote:
> On Mon, Oct 29, 2012 at 4:47 AM, Daniel Holth <dholth at gmail.com
> <mailto:dholth at gmail.com>> wrote:
>
>     I think Metadata 1.3 is done. Who would like to czar?
>
> (Apologies for the belated reply, it's been a busy few weeks)
>
> I'm happy to be BDFL delegate for these. I'd like to see PEP 425 updated
> with some additional rationale based on Ronald's comments later in this
> thread, though.

For the record, I'm still -1 on PEP 427, because of the signature issues.

The FAQ in the PEP is incorrect in claiming PGP or X.509 cannot
readily be used to verify the integrity of an archive - the whole
point of these technologies is to do exactly that.

The FAQ is entirely silent on why it is not using a more standard
signature algorithm such as ECDSA. It explains why it uses Ed25519,
but ignores that the very same rationale would apply to ECDSA as well;
plus that would be one of the standard JWS algorithms.

In addition, the FAQ claims that the format is designed to introduce
cryptography that is actually used, yet leaves the issue of key
distribution alone (except for pointing out that you can put them
into requires.txt - a file that doesn't seem to be specified anywhere).

Regards,
Martin
