[Distutils] Wheel 1.0 roadmap

Wes Turner wes.turner at gmail.com
Sun Oct 29 17:01:30 EDT 2017

REQ: feedback re: "Remove or deprecate wheel signing features #196"

Is the current implementation incomplete without signature verification?
According to the spec?

The spec includes this feature. So, even though this verify() function is
incomplete, it would be wrong to just remove it without also removing it
from the spec.

- https://www.python.org/dev/peps/pep-0427/#signed-wheel-files
- https://www.python.org/dev/peps/pep-0491/#signed-wheel-files

I don't have the information needed to explain what completely implemented
signatures are useful for. Does the spec explain this?

> A wheel installer is not required to understand digital signatures but
> MUST verify the hashes in RECORD against the extracted file contents. When
> the installer checks file hashes against RECORD, a separate signature
> checker only needs to establish that RECORD matches the signature.

On Sunday, October 29, 2017, Alex Grönholm <alex.gronholm at nextday.fi> wrote:

> I am planning for a 1.0.0 release of the "wheel" library. I would like to
> start using semver from this point onwards, which in the case of wheel
> means that its command line interface should be well defined and remain
> backwards compatible. As part of this effort, I've rewritten the
> documentation (currently in the "docs-update" branch on Github) to conform
> to the PyPA guidelines. Wheel also had some generated API documentation on
> ReadTheDocs, but as discussed privately with Daniel Holth and Nick Coghlan,
> wheel should not have a public API going forward so I've deleted that
> documentation.
> I've also taken a hard look at wheel's features and would like to remove
> those which I consider to be either useless or harmful. I've added these
> tasks as issues on Github.
> All the issues that I'd like to get resolved by 1.0.0 have been tagged
> with the proper milestone marker here:
> https://github.com/pypa/wheel/milestone/1
> Feedback is very welcome!
> ps. Daniel, if you're reading this, would you mind giving the new docs a
> once-over? Also, if you can suggest where to put the "story" page, I'll
> link it back to the main index file.
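The hash check that the PEP 427 passage quoted in this message requires of installers, as an added example that is not part of the thread or of the wheel project's code. It assumes the RECORD layout from PEP 427 (`path,algo=urlsafe-base64-digest,size`, with RECORD and its `.jws`/`.p7s` signature files left unhashed); the `demo` wheel is constructed in memory, and checking a signature over RECORD is out of scope.

```python
import base64
import csv
import hashlib
import io
import zipfile

ALLOWED = {"sha256", "sha384", "sha512"}  # PEP 427 forbids md5 and sha1 in RECORD

def record_field(data: bytes, algo: str = "sha256") -> str:
    """Format a RECORD hash field: <algo>=<urlsafe base64 digest, no '=' padding>."""
    digest = hashlib.new(algo, data).digest()
    return algo + "=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def verify_record(wheel_bytes: bytes) -> list:
    """Return a list of problems; an empty list means every file matches RECORD."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        record = next((n for n in names if n.endswith(".dist-info/RECORD")), None)
        if record is None:
            return ["no .dist-info/RECORD in archive"]
        # RECORD and its detached signatures cannot carry their own hashes.
        unhashed = {record, record + ".jws", record + ".p7s"}
        rows = csv.reader(io.StringIO(zf.read(record).decode("utf-8")))
        listed = {row[0]: row[1] for row in rows if len(row) >= 2}
        for name in names:
            if name in unhashed:
                continue
            algo = listed.get(name, "").partition("=")[0]
            if name not in listed:
                problems.append(f"{name}: not listed in RECORD")
            elif algo not in ALLOWED:
                problems.append(f"{name}: missing or forbidden hash")
            elif listed[name] != record_field(zf.read(name), algo):
                problems.append(f"{name}: hash mismatch")
        problems += [f"{p}: listed but absent" for p in listed if p not in names]
    return problems

def build_sample_wheel(tamper: bool = False) -> bytes:
    """Constructed in-memory wheel; 'demo' and its contents are made up."""
    files = {"demo/__init__.py": b"VALUE = 1\n",
             "demo-1.0.dist-info/WHEEL": b"Wheel-Version: 1.0\n"}
    rec = "demo-1.0.dist-info/RECORD"
    lines = [f"{n},{record_field(d)},{len(d)}" for n, d in files.items()] + [rec + ",,"]
    if tamper:  # change a file after RECORD was computed
        files["demo/__init__.py"] = b"VALUE = 2\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(rec, "\n".join(lines) + "\n")
    return buf.getvalue()
```

Because every other file is bound to RECORD by these hashes, a signature checker only has to authenticate RECORD itself, which is the division of labour the quoted spec text describes.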