[Distutils] Removing wheel signing features from the wheel library

Nick Coghlan ncoghlan at gmail.com
Thu Mar 22 07:44:05 EDT 2018


On 22 March 2018 at 05:03, <alex.gronholm at nextday.fi> wrote:

> After spending quite some time thinking about this, I've decided to cut
> out the wheel signature related features from the wheel codebase,
> unless there is significant resistance among the readers of this
> mailing list. For those not involved in the previous discussion, the
> reasoning is that the codebase can be significantly simplified by
> removing this rarely used feature whose practical value is questionable
> at best, given the lack of infrastructure for public key distribution.
>

Clarifying the scope here: is this about removing the hashes from the
RECORD file, or just about dropping the native support for injecting the
RECORD.jws and/or RECORD.p7s file? I ask as both of those features are
covered in the same section of PEP 427:
https://www.python.org/dev/peps/pep-0427/#signed-wheel-files

If it's just the latter, then I don't see any problem with that at all -
the generated wheels will still be completely compliant with PEP 427, it's
just that anyone that does want to sign RECORD will need to extract from
the archive, sign it, then add the signature file back in.

Changing the format of RECORD would be a problem though, since it's a
documented requirement that installers are expected to check those at
installation time.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
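The distinction Nick draws is between the per-file hashes in RECORD (which PEP 427 requires installers to check) and the optional detached signature files RECORD.jws / RECORD.p7s, which are added beside RECORD and are not themselves listed in it. The following is an added example, written for this page and not code from the wheel project or from anyone in the thread. It constructs a small wheel in memory (the distribution name `demo-1.0` and its contents are made up), verifies each member against RECORD using the PEP 427 encoding (`sha256=` plus unpadded urlsafe base64), rejects md5/sha1 as PEP 427 does, flags a tampered member, and shows that adding a RECORD.jws member after the fact leaves RECORD verification unaffected. The RECORD.jws bytes are a placeholder, not a real JWS; no signature is verified here.

```python
import base64
import csv
import hashlib
import io
import zipfile

# Hypothetical distribution used for the in-memory wheel constructed below.
DIST_INFO = "demo-1.0.dist-info"
RECORD = f"{DIST_INFO}/RECORD"
# PEP 427: RECORD lists itself without a hash, and RECORD.jws / RECORD.p7s
# are never mentioned in RECORD at all.
UNHASHED = {RECORD, f"{DIST_INFO}/RECORD.jws", f"{DIST_INFO}/RECORD.p7s"}
WEAK = {"md5", "sha1"}  # PEP 427: sha256 or better; md5 and sha1 not permitted


def record_hash(data: bytes, algo: str = "sha256") -> str:
    """Hash a member the way RECORD stores it: <algo>=<urlsafe base64, no '=' padding>."""
    digest = hashlib.new(algo, data).digest()
    return algo + "=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_wheel(files: dict) -> bytes:
    """Construct a minimal wheel: the given files plus a RECORD describing them."""
    rows = [(name, record_hash(data), str(len(data))) for name, data in files.items()]
    rows.append((RECORD, "", ""))  # RECORD cannot contain a hash of itself
    text = io.StringIO()
    csv.writer(text, lineterminator="\n").writerows(rows)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(RECORD, text.getvalue().encode("utf-8"))
    return buf.getvalue()


def replace_member(wheel: bytes, name: str, data: bytes) -> bytes:
    """Rewrite the archive with one member replaced or appended; RECORD is left untouched."""
    src = zipfile.ZipFile(io.BytesIO(wheel))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        written = False
        for info in src.infolist():
            if info.filename == name:
                dst.writestr(name, data)
                written = True
            else:
                dst.writestr(info.filename, src.read(info.filename))
        if not written:
            dst.writestr(name, data)
    return buf.getvalue()


def verify_wheel(wheel: bytes) -> list:
    """Check every member against RECORD; return a list of problems (empty list = OK)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
        if RECORD not in members:
            return ["RECORD missing"]
        entries = {}
        for row in csv.reader(io.StringIO(zf.read(RECORD).decode("utf-8"))):
            if row:
                entries[row[0]] = (row[1], row[2])
        for name in members:
            if name in UNHASHED:
                continue  # RECORD itself and detached signature files carry no hash
            if name not in entries:
                problems.append(f"{name}: not listed in RECORD")
                continue
            expected, size = entries[name]
            if "=" not in expected:
                problems.append(f"{name}: no hash in RECORD")
                continue
            algo = expected.split("=", 1)[0]
            if algo in WEAK:
                problems.append(f"{name}: weak hash algorithm {algo}")
                continue
            data = zf.read(name)
            if size and int(size) != len(data):
                problems.append(f"{name}: size mismatch")
            try:
                actual = record_hash(data, algo)
            except ValueError:  # algorithm name from RECORD is not known to hashlib
                problems.append(f"{name}: unknown hash algorithm {algo}")
                continue
            if actual != expected:
                problems.append(f"{name}: hash mismatch")
        for name in entries:
            if name not in members:
                problems.append(f"{name}: listed in RECORD but absent")
    return problems


# Constructed sample contents (not a real distribution).
SAMPLE_FILES = {
    "demo/__init__.py": b"VERSION = '1.0'\n",
    f"{DIST_INFO}/METADATA": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
    f"{DIST_INFO}/WHEEL": b"Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n",
}
GOOD_WHEEL = build_wheel(SAMPLE_FILES)
# A member altered after RECORD was written: the installer's check must catch this.
TAMPERED = replace_member(GOOD_WHEEL, "demo/__init__.py", b"import os; os.system('id')\n")
# A detached signature added after the fact (placeholder bytes, not a real JWS):
# RECORD verification is unaffected because RECORD.jws is not listed in RECORD.
SIGNED = replace_member(GOOD_WHEEL, f"{DIST_INFO}/RECORD.jws", b"<detached-signature-placeholder>")

if __name__ == "__main__":
    print("good:", verify_wheel(GOOD_WHEEL))
    print("tampered:", verify_wheel(TAMPERED))
    print("signed:", verify_wheel(SIGNED))
```

Note that `verify_wheel` only establishes that the archive is self-consistent: anyone who can rewrite a member can rewrite RECORD too, which is exactly why RECORD itself needs an external signature (and a way to distribute the signer's key) before the hashes mean anything against a tampering adversary rather than just accidental corruption.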