[Distutils] Wheel 1.0 roadmap

Nick Coghlan ncoghlan at gmail.com
Mon Oct 30 10:20:34 EDT 2017

On 30 October 2017 at 18:43, Paul Moore <p.f.moore at gmail.com> wrote:

> On 29 October 2017 at 21:01, Wes Turner <wes.turner at gmail.com> wrote:
> > REQ: feedback re: "Remove or deprecate wheel signing features #196"
> > https://github.com/pypa/wheel/issues/196
> >
> > Is the current implementation incomplete without signature verification?
> > According to the spec?
> I've never used or felt the need for this feature. I won't miss it.

In practice, most folks are relying on checking the archive hashes as their
integrity check, rather than checking the individual file hashes in RECORD
(and then signing the RECORD file), since that lets them completely avoid
worrying about the problem of establishing trust in an initial set of
public keys.

For folks that do want signatures on their build server -> deployment
system connections (which is the problem this features aims to help with),
they're currently more likely to use external GPG signatures (the way Linux
distros and some container registries do) or a system like Notary/TUF (the
way the Docker registry does), than they are a Python-specific format.

So I think it would be reasonable for the wheel project maintainers to say
they don't want to be responsible for ensuring that their signing
implementation provides meaningful security assurances, and deprecate and
remove it. We'd then update PEP 427 with a note saying that the signing
feature has been deprecated in the reference implementation, and may be
removed from a future version of the specification.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20171031/b035a2bc/attachment-0001.html>

More information about the Distutils-SIG mailing list