[Distutils] what exactly does `wheel keygen` w/ `sign` do?

Donald Stufft donald at stufft.io
Fri Feb 21 21:34:56 CET 2014


Yea it does that too :) I was just being too lazy to type the docs out again :)

On Feb 21, 2014, at 3:32 PM, Brett Cannon <brett at yvrsfo.ca> wrote:

> Well, the docs gave the gpg command to use and made the good point that doing so meant not typing your GPG passphrase into a strange app. Anyway, https://pypi.python.org/pypi/caniusepython3 is now live and has both an sdist and universal wheel which are both signed with my creaky GPG key.
> 
> 
> On Fri, Feb 21, 2014 at 3:16 PM, Donald Stufft <donald at stufft.io> wrote:
> Twine just uses gpg like distutils upload does. It’ll even do the signing for you if you want.
> 
> twine upload -s dist/*
> 
> On Feb 21, 2014, at 3:02 PM, Brett Cannon <brett at yvrsfo.ca> wrote:
> 
>> Well, I'll at least use what twine supports. =)
>> 
>> 
>> On Fri, Feb 21, 2014 at 2:17 PM, Donald Stufft <donald at stufft.io> wrote:
>> 
>> On Feb 21, 2014, at 2:11 PM, Brett Cannon <brett at yvrsfo.ca> wrote:
>> 
>>> So I'm trying to be a good Python project owner for https://github.com/brettcannon/caniusepython3 so that means wanting to produce a universal wheel. While reading up on exactly what is needed I noticed there is `wheel keygen` which feeds `wheel sign`.
>>> 
>>> But what exactly is the keygen producing? I'm assuming it's a private/public key but there is nothing about where those keys are stored, if I should keep them when I change machines, etc. And if this is PKI then I would assume I would want to get my public key signed by others in some web-of-trust to make sure that the signing is more than just a content hash. I do have a public/private GPG key from years ago when I tried to do the right thing and got it signed at PyCon, but once again the wheel docs don't say anything about GPG or reusing keys, etc. The wheel docs are so non-committal it makes it feel like whatever `gpg keygen` produces is really not some performance shortcut and not really something to care about perpetuating the output of.
>>> 
>>> So am I missing something or is `wheel keygen` just an optimization?
>>> _______________________________________________
>>> Distutils-SIG maillist  -  Distutils-SIG at python.org
>>> https://mail.python.org/mailman/listinfo/distutils-sig
>> 
>> In my opinion Wheel key signing is pointless. It has no trust model based with it and it’s Wheel specific. Right now there’s not a lot of benefit to signing but I would use the gpg signing that’s built into distutils. It’s generic and works across all file types.
>> 
>> -----------------
>> Donald Stufft
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>> 
>> 
> 
> 
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> 
> 


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
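The thread contrasts the wheel format's own signing with GPG signing and asks whether `wheel keygen` amounts to more than a content hash. The following Python example is added here and is not code from the thread, from the wheel project or from twine. It builds a small wheel with constructed contents, checks every member against the PEP 427 RECORD manifest, and then shows why that manifest alone is an integrity check rather than authentication: a member changed without updating RECORD is caught, while a wheel rebuilt with a fresh RECORD passes. The package name `example_pkg`, the file contents and the helper names are assumptions.

```python
from __future__ import annotations

import base64
import csv
import hashlib
import io
import zipfile

# Constructed sample wheel contents (not a real project).
DIST_INFO = "example_pkg-0.1.dist-info"
SAMPLE_FILES = {
    "example_pkg/__init__.py": b"__version__ = '0.1'\n",
    f"{DIST_INFO}/METADATA": b"Metadata-Version: 2.1\nName: example_pkg\nVersion: 0.1\n",
    f"{DIST_INFO}/WHEEL": b"Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py2.py3-none-any\n",
}


def _b64(digest: bytes) -> str:
    # PEP 427 encodes hashes as urlsafe base64 with the '=' padding stripped.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_wheel(files: dict[str, bytes], dist_info: str) -> bytes:
    """Zip the given members and append a PEP 427 RECORD listing each one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        rows = []
        for name, data in files.items():
            zf.writestr(name, data)
            rows.append(f"{name},sha256={_b64(hashlib.sha256(data).digest())},{len(data)}")
        record = f"{dist_info}/RECORD"
        rows.append(f"{record},,")  # RECORD cannot carry its own hash
        zf.writestr(record, "\n".join(rows) + "\n")
    return buf.getvalue()


def replace_member(wheel: bytes, name: str, data: bytes) -> bytes:
    """Copy the wheel, swapping one member's bytes and leaving RECORD untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(wheel)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info.filename, data if info.filename == name else src.read(info.filename))
    return out.getvalue()


def verify_record(wheel: bytes) -> list[str]:
    """Return a list of problems; an empty list means every member matches RECORD."""
    problems: list[str] = []
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        names = zf.namelist()
        records = [n for n in names if n.endswith(".dist-info/RECORD")]
        if len(records) != 1:
            return [f"expected exactly one RECORD, found {len(records)}"]
        record = records[0]
        # RECORD itself and the signature files `wheel sign` writes beside it
        # (RECORD.jws / RECORD.p7s) are not listed in RECORD per PEP 427.
        unlisted = {record, record + ".jws", record + ".p7s"}

        expected: dict[str, tuple[str, str]] = {}
        for row in csv.reader(zf.read(record).decode("utf-8").splitlines()):
            if row:
                expected[row[0]] = (row[1], row[2])

        for name in names:
            if name in unlisted:
                continue
            if name not in expected:
                problems.append(f"member not listed in RECORD: {name}")
                continue
            hash_spec, size = expected[name]
            data = zf.read(name)
            algo, _, digest = hash_spec.partition("=")
            if algo != "sha256":
                problems.append(f"unsupported hash algorithm {algo!r} for {name}")
            elif _b64(hashlib.sha256(data).digest()) != digest:
                problems.append(f"hash mismatch: {name}")
            if size and int(size) != len(data):
                problems.append(f"size mismatch: {name}")

        for path in expected:
            if path not in unlisted and path not in names:
                problems.append(f"listed in RECORD but missing from wheel: {path}")
    return problems


def demo() -> dict[str, list[str]]:
    """Show what RECORD does and does not protect against."""
    good = build_wheel(SAMPLE_FILES, DIST_INFO)
    changed = b"__version__ = '0.1'\nprint('modified')\n"  # constructed replacement content
    # 1. Change a member without touching RECORD: the hash and size checks catch it.
    tampered = replace_member(good, "example_pkg/__init__.py", changed)
    # 2. Rebuild RECORD after the change: the check passes, because RECORD is a
    #    content manifest anyone can regenerate, not a signature bound to a key.
    rebuilt = build_wheel({**SAMPLE_FILES, "example_pkg/__init__.py": changed}, DIST_INFO)
    return {"good": verify_record(good), "tampered": verify_record(tampered), "rebuilt": verify_record(rebuilt)}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'OK'}")
```

Running the file prints three results: the untouched wheel and the rebuilt wheel both verify, and only the wheel whose RECORD was left stale is rejected. That is the gap Donald's reply points at: a manifest that travels inside the archive can always be regenerated by whoever rewrites the archive, so a detached signature from a key others already trust (the `gpg` signature that `twine upload -s` attaches) is what ties the file to its publisher.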
