On 30 October 2017 at 18:43, Paul Moore <p.f.mo...@gmail.com> wrote:
> On 29 October 2017 at 21:01, Wes Turner <wes.tur...@gmail.com> wrote:
> > REQ: feedback re: "Remove or deprecate wheel signing features #196"
> > https://github.com/pypa/wheel/issues/196
> >
> > Is the current implementation incomplete without signature verification?
> > According to the spec?
>
> I've never used or felt the need for this feature. I won't miss it.
>
In practice, most folks are relying on checking the archive hashes as their integrity check, rather than checking the individual file hashes in RECORD (and then signing the RECORD file), since that lets them completely avoid worrying about the problem of establishing trust in an initial set of public keys.

For folks that do want signatures on their build server -> deployment system connections (which is the problem this feature aims to help with), they're currently more likely to use external GPG signatures (the way Linux distros and some container registries do) or a system like Notary/TUF (the way the Docker registry does), than they are a Python-specific format.

So I think it would be reasonable for the wheel project maintainers to say they don't want to be responsible for ensuring that their signing implementation provides meaningful security assurances, and deprecate and remove it.

We'd then update PEP 427 with a note saying that the signing feature has been deprecated in the reference implementation, and may be removed from a future version of the specification.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
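The two integrity checks contrasted in the message above (a hash over the whole archive versus the per-file hashes in the wheel's RECORD) as an added, self-contained illustration; this is not code from the thread or from the wheel project. It builds a constructed minimal wheel for a hypothetical project "demo" with a PEP 427 RECORD, verifies every entry against it, and shows the check catching a swapped file; signing RECORD itself (the feature under discussion) is outside the block.

```python
import base64
import csv
import hashlib
import io
import zipfile
# Constructed sample: hypothetical project "demo" with a PEP 427 RECORD.
DIST_INFO = "demo-1.0.dist-info"
SAMPLE_FILES = {
    "demo/__init__.py": b"VERSION = '1.0'\n",
    f"{DIST_INFO}/METADATA": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
}

def record_hash(data: bytes) -> str:
    # PEP 427: urlsafe base64 of the digest, trailing '=' padding removed.
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_wheel(files: dict) -> bytes:
    """Zip {path: bytes} plus a RECORD describing every entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        rows = [f"{p},{record_hash(d)},{len(d)}" for p, d in files.items()]
        rows.append(f"{DIST_INFO}/RECORD,,")  # RECORD lists itself unhashed
        for path, data in files.items():
            zf.writestr(path, data)
        zf.writestr(f"{DIST_INFO}/RECORD", "\n".join(rows) + "\n")
    return buf.getvalue()

def verify_record(wheel: bytes) -> list:
    """Per-file check: return entries that disagree with RECORD ([] = intact)."""
    bad, listed = [], set()
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        record = zf.read(f"{DIST_INFO}/RECORD").decode()
        for path, digest, size in csv.reader(io.StringIO(record)):
            listed.add(path)
            if not digest:  # RECORD's own entry carries no hash or size
                continue
            data = zf.read(path)
            if record_hash(data) != digest or str(len(data)) != size:
                bad.append(path)
        bad.extend(sorted(set(zf.namelist()) - listed))  # unlisted entries
    return bad

def replace_entry(wheel: bytes, path: str, data: bytes) -> bytes:
    """Rebuild the zip with one entry swapped (simulates post-build tampering)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(wheel)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, data if name == path else src.read(name))
    return out.getvalue()
```

A whole-archive check is just `hashlib.sha256(wheel_bytes).hexdigest()` compared against a pinned value, which is why it needs no key distribution; the RECORD walk above only gains anything over that once RECORD is signed by a key the installer already trusts.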
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig