REQ: feedback re: "Remove or deprecate wheel signing features #196" https://github.com/pypa/wheel/issues/196
Is the current implementation incomplete without signature verification? According to the spec?

```
The spec includes this feature.

So, even though this verify() function is incomplete, it would be wrong to just remove it without also removing it from the spec.

- https://www.python.org/dev/peps/pep-0427/#signed-wheel-files
- https://www.python.org/dev/peps/pep-0491/#signed-wheel-files

I don't have the information needed to explain what completely implemented signatures are useful for. Does the spec explain this?

> A wheel installer is not required to understand digital signatures but MUST verify the hashes in RECORD against the extracted file contents. When the installer checks file hashes against RECORD, a separate signature checker only needs to establish that RECORD matches the signature.
```

On Sunday, October 29, 2017, Alex Grönholm <alex.gronh...@nextday.fi> wrote:

> I am planning for a 1.0.0 release of the "wheel" library. I would like to
> start using semver from this point onwards, which in the case of wheel
> means that its command line interface should be well defined and remain
> backwards compatible. As part of this effort, I've rewritten the
> documentation (currently in the "docs-update" branch on Github) to conform
> to the PyPA guidelines. Wheel also had some generated API documentation on
> ReadTheDocs, but as discussed privately with Daniel Holth and Nick Coghlan,
> wheel should not have a public API going forward so I've deleted that
> documentation.
>
> I've also taken a hard look at wheel's features and would like to remove
> those which I consider to be either useless or harmful. I've added these
> tasks as issues on Github.
>
> All the issues that I'd like to get resolved by 1.0.0 have been tagged
> with the proper milestone marker here:
> https://github.com/pypa/wheel/milestone/1
>
> Feedback is very welcome!
>
> ps. Daniel, if you're reading this, would you mind giving the new docs a
> once-over? Also, if you can suggest where to put the "story" page, I'll
> link it back to the main index file.
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
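Added example, not part of the original message and not code from the wheel project: a sketch of the RECORD hash check that the PEP 427 text quoted above requires of installers, and on which a separate signature checker would rely (the signature check itself is not shown). The function names, the sha256/sha384/sha512 allowlist and the in-memory sample wheel are assumptions made for this illustration.

```python
import base64, csv, hashlib, io, zipfile

ALLOWED = {"sha256", "sha384", "sha512"}  # assumed allowlist; PEP 427 forbids md5 and sha1

def record_digest(algo, data):
    """Encode a digest the way RECORD does: urlsafe base64 with '=' padding removed."""
    raw = hashlib.new(algo, data).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def verify_record(wheel_bytes):
    """Return a list of problems; an empty list means every file matches RECORD."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        record = next(n for n in names if n.endswith(".dist-info/RECORD"))
        # RECORD and its detached signature files are the only entries without a hash.
        unhashed = {record, record + ".jws", record + ".p7s"}
        text = zf.read(record).decode("utf-8")
        rows = {r[0]: r[1] for r in csv.reader(io.StringIO(text)) if len(r) >= 2}
        for name in names:
            if name in unhashed:
                continue
            algo, _, expected = rows.get(name, "").partition("=")
            if not expected:
                problems.append(f"{name}: not listed in RECORD")
            elif algo not in ALLOWED:
                problems.append(f"{name}: unacceptable hash algorithm {algo!r}")
            elif record_digest(algo, zf.read(name)) != expected:
                problems.append(f"{name}: hash mismatch")
        problems += [f"{n}: listed in RECORD but missing" for n in rows if n not in names]
    return problems

def build_wheel(files, tamper=None):
    """Constructed sample: in-memory wheel with a correct RECORD; 'tamper' swaps file bodies."""
    record = "demo-1.0.dist-info/RECORD"
    lines = [f"{n},sha256={record_digest('sha256', d)},{len(d)}" for n, d in files.items()]
    lines.append(record + ",,")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in files.items():
            zf.writestr(n, tamper.get(n, d) if tamper else d)
        zf.writestr(record, "\n".join(lines) + "\n")
    return buf.getvalue()

# Constructed sample contents, not taken from any real package.
SAMPLE = {"demo/__init__.py": b"VERSION = '1.0'\n", "demo-1.0.dist-info/WHEEL": b"Wheel-Version: 1.0\n"}

if __name__ == "__main__":
    print(verify_record(build_wheel(SAMPLE)))
    print(verify_record(build_wheel(SAMPLE, tamper={"demo/__init__.py": b"import os\n"})))
```

Because every other file is bound to RECORD by its hash, a signature over RECORD alone covers the whole archive, but only if this check is actually run and rejects files that RECORD does not list.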