[Distutils] [Python-Dev] accept the wheel PEPs 425, 426, 427

Ronald Oussoren ronaldoussoren at mac.com
Wed Oct 24 13:28:48 CEST 2012

On 18 Oct, 2012, at 19:29, Daniel Holth <dholth at gmail.com> wrote:

> I'd like to submit the Wheel PEPs 425 (filename metadata), 426
> (Metadata 1.3), and 427 (wheel itself) for acceptance. The format has
> been stable since May and we are preparing a patch to support it in
> pip, but we need to earn consensus before including it in the most
> widely used installer.

PEP 427:

* The installation section mentions that .py files should be compiled to .pyc/.pyo files, and that "Uninstallers should be smart enough to remove .pyc even if it is not mentioned in RECORD.". 

   Wouldn't it be better to add the compiled files to the RECORD file? That would break the digital signature, but I'm not sure if verifying the signature post-installation is useful (or if it's even
   intended to work). 

* Why is urlsafe_b64encode_nopad used to encode the hash in the record file, instead of the normal hex encoding that's directly supported by the hash module and system tools?

* The way to specify the required public key in package requirements in ugly (it looks like an abuse of setuptools' extras mechanism). Is there really no nicer way to specify this?

* As was noted before there is no threat model for the signature feature, which makes it hard to evaluate if the feature.  In particular, what is the advantage of this over PGP signatures of wheels? (PyPI already supports detached signatures, and such signatures are used more widely in the OSS world)

* RECORD.p7s is not described at all. I'm assuming this is intented to be a X.509 signature of RECORD in pkcs7 format. Why PKCS7 and not PEM? The latter seems to be easier to work with.


More information about the Distutils-SIG mailing list