[Distutils] Removing wheel signing features from the wheel library

alex.gronholm at nextday.fi alex.gronholm at nextday.fi
Thu Mar 22 08:35:08 EDT 2018


to, 2018-03-22 kello 21:44 +1000, Nick Coghlan kirjoitti:
> On 22 March 2018 at 05:03, <alex.gronholm at nextday.fi> wrote:
> > After spending quite some time thinking about this, I've decided to
> > cut out the wheel signature-related features from the wheel
> > codebase, unless there is significant resistance among the readers
> > of this mailing list. For those not involved in the previous
> > discussion, the reasoning is that the codebase can be significantly
> > simplified by removing this rarely used feature whose practical
> > value is questionable at best, given the lack of infrastructure for
> > public key distribution.
> 
> Clarifying the scope here: is this about removing the hashes from the
> RECORD file, or just about dropping the native support for injecting
> the RECORD.jws and/or RECORD.p7s file? I ask as both of those
> features are covered in the same section of PEP 427:
> https://www.python.org/dev/peps/pep-0427/#signed-wheel-files
> 
> If it's just the latter, then I don't see any problem with that at
> all - the generated wheels will still be completely compliant with
> PEP 427, it's just that anyone that does want to sign RECORD will
> need to extract from the archive, sign it, then add the signature
> file back in.
> 
> Changing the format of RECORD would be a problem though, since it's a
> documented requirement that installers are expected to check those at
> installation time.
I am not changing the format of RECORD, I'm simply removing the
cryptographic signing and verifying functionality, just the way you
described. Hash checking will stay. As we agreed earlier, those
features could be deprecated or removed from the PEP entirely.
> 
> Cheers,
> Nick.
> 
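
The hash check that stays behind after the signing code is removed is the one PEP 427 requires of installers: every member of the archive is listed in RECORD with a sha256 (or stronger) digest, encoded as urlsafe base64 without padding, and RECORD itself, RECORD.jws and RECORD.p7s are the only members exempt from that listing. The following is an added example, written for this page and not code from the wheel project or from pip, of what such an installer-side check looks like. The package name `demo-1.0.dist-info`, the member contents and the tampering scenarios are constructed test data; the wheel is built in memory so the example runs offline.

```python
"""Verify the per-file hashes in a wheel's RECORD (PEP 427 installer check).

Added example, not code from the wheel project. DIST_INFO, FILES and the
tampering scenarios in demo() are constructed sample data.
"""
import base64
import csv
import hashlib
import io
import zipfile

DIST_INFO = "demo-1.0.dist-info"                 # assumed name for the sample wheel
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}   # PEP 427: sha256 or stronger only

FILES = {  # constructed package contents; hashed into RECORD
    "demo/__init__.py": b"__version__ = '1.0'\n",
    f"{DIST_INFO}/METADATA": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
}


def urlsafe_b64_nopad(digest: bytes) -> str:
    """PEP 427 digest encoding: urlsafe base64 with the trailing '=' stripped."""
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def record_entry(path: str, data: bytes) -> tuple:
    """One RECORD row: path, 'sha256=<digest>', size in bytes."""
    digest = hashlib.sha256(data).digest()
    return path, "sha256=" + urlsafe_b64_nopad(digest), str(len(data))


def build_wheel(files: dict, overrides: dict = None, unlisted: dict = None) -> bytes:
    """Build an in-memory wheel zip (test data, not a real distribution).

    files:     members whose bytes are hashed into RECORD
    overrides: members whose archived bytes differ from what RECORD hashes
    unlisted:  members written to the archive but absent from RECORD
    """
    rows = [record_entry(path, data) for path, data in files.items()]
    rows.append((f"{DIST_INFO}/RECORD", "", ""))   # RECORD lists itself without a hash
    record = io.StringIO()
    csv.writer(record, lineterminator="\n").writerows(rows)

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in {**files, **(overrides or {}), **(unlisted or {})}.items():
            zf.writestr(path, data)
        zf.writestr(f"{DIST_INFO}/RECORD", record.getvalue())
    return buf.getvalue()


def verify_record(wheel: bytes, dist_info: str = DIST_INFO) -> list:
    """Return a list of findings; an empty list means every member checks out."""
    record_path = f"{dist_info}/RECORD"
    exempt = {f"{dist_info}/RECORD.jws", f"{dist_info}/RECORD.p7s"}  # signature files, never in RECORD
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        members = {n for n in zf.namelist() if not n.endswith("/")}
        listed = {}
        for row in csv.reader(io.StringIO(zf.read(record_path).decode("utf-8"))):
            if row:
                listed[row[0]] = (row[1], row[2])

        for path, (hashspec, size) in listed.items():
            if path == record_path and hashspec == "":
                continue                           # RECORD's own row carries no digest
            if path not in members:
                findings.append(f"listed but missing from archive: {path}")
                continue
            algo, _, expected = hashspec.partition("=")
            if algo not in ALLOWED_ALGOS:
                findings.append(f"weak or unknown hash algorithm {algo!r}: {path}")
                continue
            data = zf.read(path)
            if urlsafe_b64_nopad(hashlib.new(algo, data).digest()) != expected:
                findings.append(f"hash mismatch: {path}")
            elif size and int(size) != len(data):
                findings.append(f"size mismatch: {path}")

        # Anything in the archive that RECORD does not mention would be installed unchecked.
        for path in sorted(members - set(listed) - exempt):
            findings.append(f"in archive but not in RECORD: {path}")
    return findings


def demo() -> dict:
    """Run the check over four constructed wheels and return the findings per case."""
    good = build_wheel(FILES)
    tampered = build_wheel(FILES, overrides={"demo/__init__.py": b"import os; os.system('id')\n"})
    smuggled = build_wheel(FILES, unlisted={"demo/extra.py": b"print('unlisted')\n"})
    signed = build_wheel(FILES, unlisted={f"{DIST_INFO}/RECORD.jws": b"{}"})
    return {
        "good": verify_record(good),
        "tampered": verify_record(tampered),
        "smuggled": verify_record(smuggled),
        "signed": verify_record(signed),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'OK'}")
```

The `signed` case shows why dropping the signing helpers does not change the format: a RECORD.jws added by an external tool is simply skipped by the hash check, exactly as PEP 427 specifies. The check also makes the limit of what remains explicit: a RECORD that verifies proves the archive is internally consistent, not who produced it, which is the gap the (now removed) signature files were meant to close and which, as the thread notes, has no key distribution infrastructure behind it.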