Even if no maintenance were required, it's still a feature that promises to provide security but doesn't. This kind of feature has negative value.
I'd also suggest adding a small note to the PEP documenting that the signing feature didn't work out, and maybe linking to Donald's package signing blog post. I know updating PEPs isn't the most common thing, but it's the main documentation of the wheel format and it'll save confusion later.

On Mar 22, 2018 10:57 AM, "Wes Turner" <wes.tur...@gmail.com> wrote:

> What maintenance is required?
>
> Here's a link to the previous discussion of this issue:
>
> "Remove or deprecate wheel-signing features"
> https://github.com/pypa/wheel/issues/196
>
> What has changed? There is still no method for specifying a keyring;
> whereas with GPG, all keys in the ring are trusted.
>
> On Thursday, March 22, 2018, Nick Coghlan <ncogh...@gmail.com> wrote:
>
>> On 22 March 2018 at 22:35, <alex.gronh...@nextday.fi> wrote:
>>
>>> I am not changing the format of RECORD, I'm simply removing the
>>> cryptographic signing and verifying functionality, just the way you
>>> described. Hash checking will stay. As we agreed earlier, those
>>> features could be deprecated or removed from the PEP entirely.
>>>
>>
>> Cool, that's what I thought you meant, but I figured I should double
>> check since our discussion was a while ago now :)
>>
>> Cheers,
>> Nick.
>>
>> --
>> Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
>>
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig