Re: [Distutils] Removing wheel signing features from the wheel library

[Thomas Kluyver]

On Fri, Mar 23, 2018, at 6:56 AM, alex.gronh...@nextday.fi wrote:
> If someone wanted to make a malicious file, what's preventing them
> from modifying the RECORD to match the modified file when there is no
> cryptographic signing involved?
Right: you need a way to verify RECORD on top of that. Like the signatures, or 
way to distribute hashes of RECORD files separately. The hashes in RECORD are a 
foundation for building security systems, not a security system in themselves.
Thomas

___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[alex . gronholm]

to, 2018-03-22 kello 21:56 +, Thomas Kluyver kirjoitti:
> On Thu, Mar 22, 2018, at 9:25 PM, alex.gronh...@nextday.fi wrote:
> 
> > I've been wondering about something – zip files already contain CRC
> > based checksums for each the stored file. What benefit is there in
> > storing a RECORD file which basically duplicates this
> > functionality?
> > 
> 
> In terms of providing a foundation for security checks, I think CRC
> checksums are insufficient - they are meant to detect random data
> corruption, not a deliberate effort to make a malicious file.

If someone wanted to make a malicious file, what's preventing them from
modifying the RECORD to match the modified file when there is no
cryptographic signing involved?
> 
> You could simply use a cryptographic hash of the entire wheel zip
> file. I guess the advantage of storing file hashes in RECORD is that
> they can be checked against the installed code, not just the wheel
> package.
> 
> 
> 
> ___
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[Wes Turner]

On Thursday, March 22, 2018, Justin Cappos  wrote:

> You don't need a traditional CA for use with TUF or need to worry about a
> single PKI.  TUF is built to be resilient to the compromise of single
> servers / keys.
>
> Typically you would ship the metadata about what keys to trust (TUF's
> "root metadata") with the software installation tool.  This single set of
> pre-shared metadata means you can securely obtain the rest of the
> software.  (I'm happy to go into more detail, but wanted to avoid this
> becoming a barrage of TUF details unless everyone is interested.)
>
> If you don't want to ship the metadata with the tool, you can also have it
> work in a trust-on-first-use model.  This is what Docker does in their
> deployment of TUF.
>

[Distutils] TUF, Warehouse, Pip, PyPA, ld-signatures, ed25519
https://mail.python.org/pipermail/distutils-sig/2018-March/032081.html

I split the thread. Thanks for the explanation.


>
> On Thu, Mar 22, 2018 at 4:40 PM, Wes Turner  wrote:
>
>>
>>
>> On Thursday, March 22, 2018, Daniel Holth  wrote:
>>
>>> The feature was a building block that was intended to be used in much
>>> the same way that SHA package hashes are used, providing similar security
>>> to the ssh-style TOFU model, but less security than other imaginable public
>>> key systems. The idea was that it could provide more security in practice
>>> because the signatures could exist and be present with the archive, unlike
>>> gpg which provides loads of security in theory only. Unfortunately wheel
>>> signatures were never built up. I don't think anyone was tricked into
>>> believing the primitive provided security on its own.
>>>
>>
>> The hashes serve as file integrity check but provide no assurance that
>> they are what the author intended to distribute because there is no
>> cryptographic signature.
>>
>> File hashes help detect bit flips -- due to solar flares -- in storage or
>> transit, but do not mitigate against malicious package modification to
>> packages in storage or transit.
>>
>> AFAIU, TUF (The Update Framework) has a mechanism for limiting which
>> signing keys are valid for which package? Are pre-shared keys then still
>> necessary, or do we then rely on a PKI where one compromised CA cert can
>> then forge any other cert?
>>
>> https://theupdateframework.github.io/
>>
>>
>>>
>>> On Thu, Mar 22, 2018 at 2:21 PM Nathaniel Smith ared
>>> wrote:
>>>
 Even if no maintenance were required, it's still a feature that
 promises to provide security but doesn't. This kind of feature has negative
 value.

 I'd also suggest adding a small note to the PEP documenting that the
 signing feature didn't work out, and maybe linking to Donald's package
 signing blog post. I know updating PEPs isn't the most common thing, but
 it's the main documentation of the wheel format and it'll save confusion
 later.

 On Mar 22, 2018 10:57 AM, "Wes Turner"  wrote:

> What maintenance is required?
>
> Here's a link to the previous discussion of this issue:
>
> "Remove or deprecate wheel-signing features"
> https://github.com/pypa/wheel/issues/196
>
> What has changed? There is still no method for specifying a keyring;
> whereas with GPG, all keys in the ring are trusted.
>
> On Thursday, March 22, 2018, Nick Coghlan  wrote:
>
>> On 22 March 2018 at 22:35,  wrote:
>>
>>> I am not changing the format of RECORD, I'm simply removing the
>>> cryptographic signing and verifying functionality, just the way you
>>> described. Hash checking will stay. As we agreed earlier, those
>>> features could be deprecated or removed from the PEP entirely.
>>>
>>
>> Cool, that's what I thought you meant, but I figured I should double
>> check since our discussion was a while ago now :)
>>
>> Cheers,
>> Nick.
>>
>> --
>> Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
>>
>
> ___
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
>
> ___
 Distutils-SIG maillist  -  Distutils-SIG@python.org
 https://mail.python.org/mailman/listinfo/distutils-sig

>>>
>> ___
>> Distutils-SIG maillist  -  Distutils-SIG@python.org
>> https://mail.python.org/mailman/listinfo/distutils-sig
>>
>>
>
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[Thomas Kluyver]

On Thu, Mar 22, 2018, at 9:25 PM, alex.gronh...@nextday.fi wrote:
> I've been wondering about something – zip files already contain CRC
> based checksums for each the stored file. What benefit is there in
> storing a RECORD file which basically duplicates this functionality?
In terms of providing a foundation for security checks, I think CRC
checksums are insufficient - they are meant to detect random data
corruption, not a deliberate effort to make a malicious file.
You could simply use a cryptographic hash of the entire wheel zip file.
I guess the advantage of storing file hashes in RECORD is that they can
be checked against the installed code, not just the wheel package.
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[Wes Turner]

On Thursday, March 22, 2018,  wrote:

> to, 2018-03-22 kello 16:40 -0400, Wes Turner kirjoitti:
>
>
>
> On Thursday, March 22, 2018, Daniel Holth  wrote:
>
> The feature was a building block that was intended to be used in much the
> same way that SHA package hashes are used, providing similar security to
> the ssh-style TOFU model, but less security than other imaginable public
> key systems. The idea was that it could provide more security in practice
> because the signatures could exist and be present with the archive, unlike
> gpg which provides loads of security in theory only. Unfortunately wheel
> signatures were never built up. I don't think anyone was tricked into
> believing the primitive provided security on its own.
>
>
> The hashes serve as file integrity check but provide no assurance that
> they are what the author intended to distribute because there is no
> cryptographic signature.
>
> File hashes help detect bit flips -- due to solar flares -- in storage or
> transit, but do not mitigate against malicious package modification to
> packages in storage or transit.
>
>
> I've been wondering about something – zip files already contain CRC based
> checksums for each the stored file. What benefit is there in storing a
> RECORD file which basically duplicates this functionality?
>

AFAIU, there's no good way to do post-install hash verification like
`debsums` and `rpm -V` with zip CRCs (though it's probably possible if
there's a structured log of installed packages).


>
>
> AFAIU, TUF (The Update Framework) has a mechanism for limiting which
> signing keys are valid for which package? Are pre-shared keys then still
> necessary, or do we then rely on a PKI where one compromised CA cert can
> then forge any other cert?
>
> https://theupdateframework.github.io/
>
>
>
> On Thu, Mar 22, 2018 at 2:21 PM Nathaniel Smith ared wrote:
>
> Even if no maintenance were required, it's still a feature that promises
> to provide security but doesn't. This kind of feature has negative value.
>
> I'd also suggest adding a small note to the PEP documenting that the
> signing feature didn't work out, and maybe linking to Donald's package
> signing blog post. I know updating PEPs isn't the most common thing, but
> it's the main documentation of the wheel format and it'll save confusion
> later.
>
> On Mar 22, 2018 10:57 AM, "Wes Turner"  wrote:
>
> What maintenance is required?
>
> Here's a link to the previous discussion of this issue:
>
> "Remove or deprecate wheel-signing features"
> https://github.com/pypa/wheel/issues/196
>
> What has changed? There is still no method for specifying a keyring;
> whereas with GPG, all keys in the ring are trusted.
>
> On Thursday, March 22, 2018, Nick Coghlan  wrote:
>
> On 22 March 2018 at 22:35,  wrote:
>
> I am not changing the format of RECORD, I'm simply removing the
> cryptographic signing and verifying functionality, just the way you
> described. Hash checking will stay. As we agreed earlier, those
> features could be deprecated or removed from the PEP entirely.
>
>
> Cool, that's what I thought you meant, but I figured I should double check
> since our discussion was a while ago now :)
>
> Cheers,
> Nick.
>
> ___
> Distutils-SIG maillist  -  
> Distutils-SIG@python.orghttps://mail.python.org/mailman/listinfo/distutils-sig
>
>
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[alex . gronholm]

to, 2018-03-22 kello 16:40 -0400, Wes Turner kirjoitti:
> On Thursday, March 22, 2018, Daniel Holth  wrote:
> > The feature was a building block that was intended to be used in
> > much the same way that SHA package hashes are used, providing
> > similar security to the ssh-style TOFU model, but less security
> > than other imaginable public key systems. The idea was that it
> > could provide more security in practice because the signatures
> > could exist and be present with the archive, unlike gpg which
> > provides loads of security in theory only. Unfortunately wheel
> > signatures were never built up. I don't think anyone was tricked
> > into believing the primitive provided security on its own.
> 
> The hashes serve as file integrity check but provide no assurance
> that they are what the author intended to distribute because there is
> no cryptographic signature.
> 
> File hashes help detect bit flips -- due to solar flares -- in
> storage or transit, but do not mitigate against malicious package
> modification to packages in storage or transit.

I've been wondering about something – zip files already contain CRC
based checksums for each the stored file. What benefit is there in
storing a RECORD file which basically duplicates this functionality?
> AFAIU, TUF (The Update Framework) has a mechanism for limiting which
> signing keys are valid for which package? Are pre-shared keys then
> still  necessary, or do we then rely on a PKI where one compromised
> CA cert can then forge any other cert?
> https://theupdateframework.github.io/ 
> > On Thu, Mar 22, 2018 at 2:21 PM Nathaniel Smith ared
> > wrote:
> > > Even if no maintenance were required, it's still a feature that
> > > promises to provide security but doesn't. This kind of feature
> > > has negative value.
> > > I'd also suggest adding a small note to the PEP documenting that
> > > the signing feature didn't work out, and maybe linking to
> > > Donald's package signing blog post. I know updating PEPs isn't
> > > the most common thing, but it's the main documentation of the
> > > wheel format and it'll save confusion later.
> > > 
> > > On Mar 22, 2018 10:57 AM, "Wes Turner" 
> > > wrote:
> > > > What maintenance is required?
> > > > Here's a link to the previous discussion of this issue:
> > > > 
> > > > "Remove or deprecate wheel-signing features"
> > > > https://github.com/pypa/wheel/issues/196
> > > > 
> > > > What has changed? There is still no method for specifying a
> > > > keyring; whereas with GPG, all keys in the ring are trusted.
> > > > 
> > > > On Thursday, March 22, 2018, Nick Coghlan 
> > > > wrote:
> > > > > On 22 March 2018 at 22:35,  
> > > > > wrote: 
> > > > > > I am not changing the format of RECORD, I'm simply removing
> > > > > > the
> > > > > > 
> > > > > > cryptographic signing and verifying functionality, just the
> > > > > > way you
> > > > > > 
> > > > > > described. Hash checking will stay. As we agreed earlier,
> > > > > > those
> > > > > > 
> > > > > > features could be deprecated or removed from the PEP
> > > > > > entirely.
> > > > > 
> > > > > Cool, that's what I thought you meant, but I figured I should
> > > > > double check since our discussion was a while ago now :)
> > > > > 
> > > > > Cheers,
> > > > > Nick.
> > > > > 
> > > > > ___
> > > > > Distutils-SIG maillist  -  Distutils-SIG@python.org
> > > > > https://mail.python.org/mailman/listinfo/distutils-sig___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[Justin Cappos]

You don't need a traditional CA for use with TUF or need to worry about a
single PKI.  TUF is built to be resilient to the compromise of single
servers / keys.

Typically you would ship the metadata about what keys to trust (TUF's "root
metadata") with the software installation tool.  This single set of
pre-shared metadata means you can securely obtain the rest of the
software.  (I'm happy to go into more detail, but wanted to avoid this
becoming a barrage of TUF details unless everyone is interested.)

If you don't want to ship the metadata with the tool, you can also have it
work in a trust-on-first-use model.  This is what Docker does in their
deployment of TUF.

On Thu, Mar 22, 2018 at 4:40 PM, Wes Turner  wrote:

>
>
> On Thursday, March 22, 2018, Daniel Holth  wrote:
>
>> The feature was a building block that was intended to be used in much the
>> same way that SHA package hashes are used, providing similar security to
>> the ssh-style TOFU model, but less security than other imaginable public
>> key systems. The idea was that it could provide more security in practice
>> because the signatures could exist and be present with the archive, unlike
>> gpg which provides loads of security in theory only. Unfortunately wheel
>> signatures were never built up. I don't think anyone was tricked into
>> believing the primitive provided security on its own.
>>
>
> The hashes serve as file integrity check but provide no assurance that
> they are what the author intended to distribute because there is no
> cryptographic signature.
>
> File hashes help detect bit flips -- due to solar flares -- in storage or
> transit, but do not mitigate against malicious package modification to
> packages in storage or transit.
>
> AFAIU, TUF (The Update Framework) has a mechanism for limiting which
> signing keys are valid for which package? Are pre-shared keys then still
> necessary, or do we then rely on a PKI where one compromised CA cert can
> then forge any other cert?
>
> https://theupdateframework.github.io/
>
>
>>
>> On Thu, Mar 22, 2018 at 2:21 PM Nathaniel Smith ared
>> wrote:
>>
>>> Even if no maintenance were required, it's still a feature that promises
>>> to provide security but doesn't. This kind of feature has negative value.
>>>
>>> I'd also suggest adding a small note to the PEP documenting that the
>>> signing feature didn't work out, and maybe linking to Donald's package
>>> signing blog post. I know updating PEPs isn't the most common thing, but
>>> it's the main documentation of the wheel format and it'll save confusion
>>> later.
>>>
>>> On Mar 22, 2018 10:57 AM, "Wes Turner"  wrote:
>>>
 What maintenance is required?

 Here's a link to the previous discussion of this issue:

 "Remove or deprecate wheel-signing features"
 https://github.com/pypa/wheel/issues/196

 What has changed? There is still no method for specifying a keyring;
 whereas with GPG, all keys in the ring are trusted.

 On Thursday, March 22, 2018, Nick Coghlan  wrote:

> On 22 March 2018 at 22:35,  wrote:
>
>> I am not changing the format of RECORD, I'm simply removing the
>> cryptographic signing and verifying functionality, just the way you
>> described. Hash checking will stay. As we agreed earlier, those
>> features could be deprecated or removed from the PEP entirely.
>>
>
> Cool, that's what I thought you meant, but I figured I should double
> check since our discussion was a while ago now :)
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
>

 ___
 Distutils-SIG maillist  -  Distutils-SIG@python.org
 https://mail.python.org/mailman/listinfo/distutils-sig

 ___
>>> Distutils-SIG maillist  -  Distutils-SIG@python.org
>>> https://mail.python.org/mailman/listinfo/distutils-sig
>>>
>>
> ___
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
>
>
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[Trishank Kuppusamy]

Hi Wes,

On Thu, Mar 22, 2018 at 4:40 PM, Wes Turner  wrote:

>
> The hashes serve as file integrity check but provide no assurance that
> they are what the author intended to distribute because there is no
> cryptographic signature.
>
> File hashes help detect bit flips -- due to solar flares -- in storage or
> transit, but do not mitigate against malicious package modification to
> packages in storage or transit.
>
> AFAIU, TUF (The Update Framework) has a mechanism for limiting which
> signing keys are valid for which package? Are pre-shared keys then still
> necessary, or do we then rely on a PKI where one compromised CA cert can
> then forge any other cert?
>

Yes, you are right, the hashes need to be signed: otherwise you have
integrity, but no authenticity.

We wrote PEPs 458  and 480
 to discuss how TUF might be
deployed on PyPI / Warehouse. The PEPs go into details about public key
distribution. The TLDR is that is that clients (i.e., pip) need to be
shipped with one self-signed root metadata file, and the rest of the PKI is
bootstrapped from there. PyPI would act as an authority that distributes,
revokes, and replaces public keys for packages.

More details on security vs usability also available in our Diplomat

paper.

If the community is interested, we'd love to discuss how we could help make
this happen.

Thanks,
Trishank
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[Wes Turner]

On Thursday, March 22, 2018, Daniel Holth  wrote:

> The feature was a building block that was intended to be used in much the
> same way that SHA package hashes are used, providing similar security to
> the ssh-style TOFU model, but less security than other imaginable public
> key systems. The idea was that it could provide more security in practice
> because the signatures could exist and be present with the archive, unlike
> gpg which provides loads of security in theory only. Unfortunately wheel
> signatures were never built up. I don't think anyone was tricked into
> believing the primitive provided security on its own.
>

The hashes serve as file integrity check but provide no assurance that they
are what the author intended to distribute because there is no
cryptographic signature.

File hashes help detect bit flips -- due to solar flares -- in storage or
transit, but do not mitigate against malicious package modification to
packages in storage or transit.

AFAIU, TUF (The Update Framework) has a mechanism for limiting which
signing keys are valid for which package? Are pre-shared keys then still
necessary, or do we then rely on a PKI where one compromised CA cert can
then forge any other cert?

https://theupdateframework.github.io/


>
> On Thu, Mar 22, 2018 at 2:21 PM Nathaniel Smith ared wrote:
>
>> Even if no maintenance were required, it's still a feature that promises
>> to provide security but doesn't. This kind of feature has negative value.
>>
>> I'd also suggest adding a small note to the PEP documenting that the
>> signing feature didn't work out, and maybe linking to Donald's package
>> signing blog post. I know updating PEPs isn't the most common thing, but
>> it's the main documentation of the wheel format and it'll save confusion
>> later.
>>
>> On Mar 22, 2018 10:57 AM, "Wes Turner"  wrote:
>>
>>> What maintenance is required?
>>>
>>> Here's a link to the previous discussion of this issue:
>>>
>>> "Remove or deprecate wheel-signing features"
>>> https://github.com/pypa/wheel/issues/196
>>>
>>> What has changed? There is still no method for specifying a keyring;
>>> whereas with GPG, all keys in the ring are trusted.
>>>
>>> On Thursday, March 22, 2018, Nick Coghlan  wrote:
>>>
 On 22 March 2018 at 22:35,  wrote:

> I am not changing the format of RECORD, I'm simply removing the
> cryptographic signing and verifying functionality, just the way you
> described. Hash checking will stay. As we agreed earlier, those
> features could be deprecated or removed from the PEP entirely.
>

 Cool, that's what I thought you meant, but I figured I should double
 check since our discussion was a while ago now :)

 Cheers,
 Nick.

 --
 Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia

>>>
>>> ___
>>> Distutils-SIG maillist  -  Distutils-SIG@python.org
>>> https://mail.python.org/mailman/listinfo/distutils-sig
>>>
>>> ___
>> Distutils-SIG maillist  -  Distutils-SIG@python.org
>> https://mail.python.org/mailman/listinfo/distutils-sig
>>
>
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[Daniel Holth]

The feature was a building block that was intended to be used in much the
same way that SHA package hashes are used, providing similar security to
the ssh-style TOFU model, but less security than other imaginable public
key systems. The idea was that it could provide more security in practice
because the signatures could exist and be present with the archive, unlike
gpg which provides loads of security in theory only. Unfortunately wheel
signatures were never built up. I don't think anyone was tricked into
believing the primitive provided security on its own.

On Thu, Mar 22, 2018 at 2:21 PM Nathaniel Smith  wrote:

> Even if no maintenance were required, it's still a feature that promises
> to provide security but doesn't. This kind of feature has negative value.
>
> I'd also suggest adding a small note to the PEP documenting that the
> signing feature didn't work out, and maybe linking to Donald's package
> signing blog post. I know updating PEPs isn't the most common thing, but
> it's the main documentation of the wheel format and it'll save confusion
> later.
>
> On Mar 22, 2018 10:57 AM, "Wes Turner"  wrote:
>
>> What maintenance is required?
>>
>> Here's a link to the previous discussion of this issue:
>>
>> "Remove or deprecate wheel-signing features"
>> https://github.com/pypa/wheel/issues/196
>>
>> What has changed? There is still no method for specifying a keyring;
>> whereas with GPG, all keys in the ring are trusted.
>>
>> On Thursday, March 22, 2018, Nick Coghlan  wrote:
>>
>>> On 22 March 2018 at 22:35,  wrote:
>>>
 I am not changing the format of RECORD, I'm simply removing the
 cryptographic signing and verifying functionality, just the way you
 described. Hash checking will stay. As we agreed earlier, those
 features could be deprecated or removed from the PEP entirely.

>>>
>>> Cool, that's what I thought you meant, but I figured I should double
>>> check since our discussion was a while ago now :)
>>>
>>> Cheers,
>>> Nick.
>>>
>>> --
>>> Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
>>>
>>
>> ___
>> Distutils-SIG maillist  -  Distutils-SIG@python.org
>> https://mail.python.org/mailman/listinfo/distutils-sig
>>
>> ___
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
>
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[Nathaniel Smith]

Even if no maintenance were required, it's still a feature that promises to
provide security but doesn't. This kind of feature has negative value.

I'd also suggest adding a small note to the PEP documenting that the
signing feature didn't work out, and maybe linking to Donald's package
signing blog post. I know updating PEPs isn't the most common thing, but
it's the main documentation of the wheel format and it'll save confusion
later.

On Mar 22, 2018 10:57 AM, "Wes Turner"  wrote:

> What maintenance is required?
>
> Here's a link to the previous discussion of this issue:
>
> "Remove or deprecate wheel-signing features"
> https://github.com/pypa/wheel/issues/196
>
> What has changed? There is still no method for specifying a keyring;
> whereas with GPG, all keys in the ring are trusted.
>
> On Thursday, March 22, 2018, Nick Coghlan  wrote:
>
>> On 22 March 2018 at 22:35,  wrote:
>>
>>> I am not changing the format of RECORD, I'm simply removing the
>>> cryptographic signing and verifying functionality, just the way you
>>> described. Hash checking will stay. As we agreed earlier, those
>>> features could be deprecated or removed from the PEP entirely.
>>>
>>
>> Cool, that's what I thought you meant, but I figured I should double
>> check since our discussion was a while ago now :)
>>
>> Cheers,
>> Nick.
>>
>> --
>> Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
>>
>
> ___
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
>
>
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[alex . gronholm]

to, 2018-03-22 kello 13:57 -0400, Wes Turner kirjoitti:
> What maintenance is required?

It's hard to say for sure, since that depends on what requirements come
up in the future. One thing this certainly affects is the test suite
which I plan to rewrite because I feel it is woefully inadequate.
Removing mostly unused features helps reduce the effort required for
that. Ditto for the general code refactoring which I'm also planning on
doing.
> Here's a link to the previous discussion of this issue:
> 
> "Remove or deprecate wheel-signing features"
> https://github.com/pypa/wheel/issues/196
> 
> What has changed? There is still no method for specifying a keyring;
> whereas with GPG, all keys in the ring are trusted.
> 
> On Thursday, March 22, 2018, Nick Coghlan  wrote:
> > On 22 March 2018 at 22:35,   wrote: 
> > > I am not changing the format of RECORD, I'm simply removing the
> > > 
> > > cryptographic signing and verifying functionality, just the way
> > > you
> > > 
> > > described. Hash checking will stay. As we agreed earlier, those
> > > 
> > > features could be deprecated or removed from the PEP entirely.
> > 
> > Cool, that's what I thought you meant, but I figured I should
> > double check since our discussion was a while ago now :)
> > 
> > Cheers,
> > Nick.
> > ___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[Wes Turner]

What maintenance is required?

Here's a link to the previous discussion of this issue:

"Remove or deprecate wheel-signing features"
https://github.com/pypa/wheel/issues/196

What has changed? There is still no method for specifying a keyring;
whereas with GPG, all keys in the ring are trusted.

On Thursday, March 22, 2018, Nick Coghlan  wrote:

> On 22 March 2018 at 22:35,  wrote:
>
>> I am not changing the format of RECORD, I'm simply removing the
>> cryptographic signing and verifying functionality, just the way you
>> described. Hash checking will stay. As we agreed earlier, those
>> features could be deprecated or removed from the PEP entirely.
>>
>
> Cool, that's what I thought you meant, but I figured I should double check
> since our discussion was a while ago now :)
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
>
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[Nick Coghlan]

On 22 March 2018 at 22:35,  wrote:

> I am not changing the format of RECORD, I'm simply removing the
> cryptographic signing and verifying functionality, just the way you
> described. Hash checking will stay. As we agreed earlier, those
> features could be deprecated or removed from the PEP entirely.
>

Cool, that's what I thought you meant, but I figured I should double check
since our discussion was a while ago now :)

Cheers,
Nick.

-- 
Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[alex . gronholm]

to, 2018-03-22 kello 21:44 +1000, Nick Coghlan kirjoitti:
> On 22 March 2018 at 05:03,  wrote:
> > After spending quite some time thinking about this, I've decided to
> > cut
> > out the wheel signature related features from the wheel codebase,
> > unless there is significant resistance among the readers of this
> > mailing list. For those not involved in the previous discussion,
> > the
> > reasoning is that the codebase can be significantly simplified by
> > removing this rarely used feature whose practical value is
> > questionable
> > at best, given the lack of infrastructure for public key
> > distribution.
> 
> Clarifying the scope here: is this about removing the hashes from the
> RECORD file, or just about dropping the native support for injecting
> the RECORD.jws and/or RECORD.p7s file? I ask as both of those
> features are covered in the same section of PEP 427: https://www.pyth
> on.org/dev/peps/pep-0427/#signed-wheel-files
> 
> If it's just the latter, then I don't see any problem with that at
> all - the generated wheels will still be completely compliant with
> PEP 427, it's just that anyone that does want to sign RECORD will
> need to extract from the archive, sign it, then add the signature
> file back in.
> 
> Changing the format of RECORD would be a problem though, since it's a
> documented requirement that installers are expected to check those at
> installation time.
I am not changing the format of RECORD, I'm simply removing the
cryptographic signing and verifying functionality, just the way you
described. Hash checking will stay. As we agreed earlier, those
features could be deprecated or removed from the PEP entirely.
> 
> Cheers,
> Nick.
> 
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Removing wheel signing features from the wheel library

[Nick Coghlan]

On 22 March 2018 at 05:03,  wrote:

> After spending quite some time thinking about this, I've decided to cut
> out the wheel signature related features from the wheel codebase,
> unless there is significant resistance among the readers of this
> mailing list. For those not involved in the previous discussion, the
> reasoning is that the codebase can be significantly simplified by
> removing this rarely used feature whose practical value is questionable
> at best, given the lack of infrastructure for public key distribution.
>

Clarifying the scope here: is this about removing the hashes from the
RECORD file, or just about dropping the native support for injecting the
RECORD.jws and/or RECORD.p7s file? I ask as both of those features are
covered in the same section of PEP 427:
https://www.python.org/dev/peps/pep-0427/#signed-wheel-files

If it's just the latter, then I don't see any problem with that at all -
the generated wheels will still be completely compliant with PEP 427, it's
just that anyone that does want to sign RECORD will need to extract from
the archive, sign it, then add the signature file back in.

Changing the format of RECORD would be a problem though, since it's a
documented requirement that installers are expected to check those at
installation time.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig