[Distutils] Wheel 1.0 roadmap

Jeremy Stanley fungi at yuggoth.org
Mon Oct 30 15:47:10 EDT 2017

On 2017-10-31 00:20:34 +1000 (+1000), Nick Coghlan wrote:
> For folks that do want signatures on their build server -> deployment
> system connections (which is the problem this features aims to help with),
> they're currently more likely to use external GPG signatures (the way Linux
> distros and some container registries do) or a system like Notary/TUF (the
> way the Docker registry does), than they are a Python-specific format.

Agreed. For the hundreds of projects we publish on PyPI we have our
release automation generate detached OpenPGP signatures of sdsits
and wheels, and serve those signatures from our own release info
site since PyPI also seems to not want to support arbitrary
signature uploads over the long term. This satisfies the requests we
get from distribution package maintainers to provide proof of
provenance for our release artifacts; our release managers and
community infrastructure sysadmins sign the per-cycle release
automation keys, and regularly participate in key signing with
distro package maintainers in-person at conferences to establish a
sufficient web of trust. I understand this is probably untenable for
smaller projects, but at our scale it works fairly well (also easier
to generalize beyond merely Python-based software).

I'll be honest, when designing our artifact signing automation I
didn't even know the wheel spec suggested it should be a feature,
but without having consistent integration in other tooling for
signed sdists too it wouldn't have been much help to us anyway.
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: Digital signature
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20171030/7585c60e/attachment.sig>

More information about the Distutils-SIG mailing list