[Distutils] what exactly does `wheel keygen` w/ `sign` do?
brett at yvrsfo.ca
Fri Feb 21 21:02:04 CET 2014
Well, I'll at least use what twine supports. =)
On Fri, Feb 21, 2014 at 2:17 PM, Donald Stufft <donald at stufft.io> wrote:
> On Feb 21, 2014, at 2:11 PM, Brett Cannon <brett at yvrsfo.ca> wrote:
> So I'm trying to be a good Python project owner for
> https://github.com/brettcannon/caniusepython3 so that means wanting to
> produce a universal wheel. While reading up on exactly what is needed I
> noticed there is `wheel keygen` which feeds `wheel sign`.
> But what exactly is the keygen producing? I'm assuming it's a
> private/public key but there is nothing about where those keys are stored,
> if I should keep them when I change machines, etc. And if this is PKI then
> I would assume I would want to get my public key signed by others in some
> web-of-trust to make sure that the signing is more than just a content
> hash. I do have a public/private GPG key from years ago when I tried to do
> the right thing and got it signed at PyCon, but once again the wheel docs
> don't say anything about GPG or reusing keys, etc. The wheel docs are so
> non-committal it makes it feel like whatever `gpg keygen` produces is
> really not some performance shortcut and not really something to care about
> perpetuating the output of.
> So am I missing something or is `wheel keygen` just an optimization?
> In my opinion Wheel key signing is pointless. It has no trust model based
> with it and it’s Wheel specific. Right now there’s not a lot of benefit to
> signing but I would use the gpg signing that’s built into distutils. It’s
> generic and works across all file types.
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372