[Distutils] wheel file signatures scheme

Ronald Oussoren ronaldoussoren at mac.com
Mon Sep 3 08:15:47 CEST 2012


On 22 Aug, 2012, at 4:52, Daniel Holth <dholth at gmail.com> wrote:

> I've made what I think is exciting progress on the digital signatures
> design for wheel (updated built/binary packages for Python; intended
> to replace egg). The insight is that we can overload the "extras"
> syntax as a convenient way to mention the public key we expect:
> 
> package[extra, ed25519=ouBJlTJJ4SJXoy8Bi1KRlewWLU6JW7HUXTgvU1YRuiA]

Why this hack instead of providing explicit syntax for this?

Also the format doesn't seem to have any way to verify the validity of the signing key,
the documentation even says that "key distribution is out of scope for this spec". That's
odd for a feature that's intended to add security.

Why did you decide to use JSON Web Signatures instead of PGP signatures, or even
X.509 signatures? With the latter two the key distribution problem is already solved, and
PGP signatures are used a lot in the open-source world.

Ronald

> 
> http://wheel.readthedocs.org/en/latest/index.html#signed-wheel-files
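To make the trust model under discussion concrete, here is an added example (not code from the wheel project or from either poster) of what a client would have to do with the overloaded extras syntax: parse the requirement, pull out the pinned ed25519 public key, and refuse a signed wheel whose signature header names a different key. The pin in the requirement line is the only trust anchor there is, which is exactly why "key distribution is out of scope" matters: without a pin, a valid signature only proves that whoever holds some key signed the file. The JWS header layout used here ({"alg": "Ed25519", "jwk": {"kty": "ed25519", "vk": "..."}}) is an assumption for illustration, as are the function names; the example checks key identity only and does not perform the Ed25519 signature verification itself, which needs a crypto library.

```python
import base64
import hmac
import json
import re

# Constructed requirement in the extras-overloading style quoted in the thread.
REQUIREMENT = "package[extra, ed25519=ouBJlTJJ4SJXoy8Bi1KRlewWLU6JW7HUXTgvU1YRuiA]"

ED25519_KEY_LEN = 32  # raw Ed25519 public keys are 32 bytes

# name, then an optional bracketed extras field
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[([^\]]*)\])?\s*$")


def b64url_decode(s):
    """Decode unpadded URL-safe base64, the encoding used in the quoted key."""
    s = s.strip()
    return base64.urlsafe_b64decode(s + "=" * ((-len(s)) % 4))


def b64url_encode(b):
    """Encode bytes as unpadded URL-safe base64 (used to build the sample header)."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_requirement(req):
    """Split 'name[extra, ed25519=KEY]' into (name, extras, pinned_keys).

    Pinned keys are returned as raw 32-byte public keys; anything else in the
    brackets is treated as an ordinary extra.
    """
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError("malformed requirement: %r" % req)
    name, field = m.group(1), m.group(2) or ""
    extras, pins = [], []
    for item in (e.strip() for e in field.split(",")):
        if not item:
            continue
        if item.startswith("ed25519="):
            raw = b64url_decode(item[len("ed25519="):])
            if len(raw) != ED25519_KEY_LEN:
                raise ValueError("ed25519 pin is %d bytes, expected %d"
                                 % (len(raw), ED25519_KEY_LEN))
            pins.append(raw)
        else:
            extras.append(item)
    return name, extras, pins


def make_jws_header(vk_b64):
    """Build a constructed JWS protected header carrying the signer's public key.

    ASSUMPTION: the header shape {"alg": "Ed25519", "jwk": {"kty": "ed25519",
    "vk": ...}} is illustrative; the real wheel layout may differ.
    """
    header = {"alg": "Ed25519", "jwk": {"kty": "ed25519", "vk": vk_b64}}
    return b64url_encode(json.dumps(header, sort_keys=True).encode("utf-8"))


def key_from_jws_header(protected_b64):
    """Extract the raw public key the signature claims to have been made with."""
    header = json.loads(b64url_decode(protected_b64).decode("utf-8"))
    if header.get("alg") != "Ed25519":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    raw = b64url_decode(header["jwk"]["vk"])
    if len(raw) != ED25519_KEY_LEN:
        raise ValueError("signer key has wrong length")
    return raw


def signer_is_pinned(pins, signer_key):
    """True only if the key named in the signature matches one of the pins.

    No pins means no trust anchor: return False rather than trusting whatever
    key happens to be embedded in the signed file.
    """
    return any(hmac.compare_digest(p, signer_key) for p in pins)


def check_requirement(req, protected_b64):
    """Accept a wheel only if its signing key is pinned in the requirement."""
    _, _, pins = parse_requirement(req)
    return signer_is_pinned(pins, key_from_jws_header(protected_b64))


# Constructed headers: one naming the pinned key, one naming a different key.
GOOD_HEADER = make_jws_header("ouBJlTJJ4SJXoy8Bi1KRlewWLU6JW7HUXTgvU1YRuiA")
OTHER_HEADER = make_jws_header("A" * 43)  # decodes to 32 zero bytes

if __name__ == "__main__":
    print("pinned key accepted:", check_requirement(REQUIREMENT, GOOD_HEADER))
    print("other key accepted: ", check_requirement(REQUIREMENT, OTHER_HEADER))
    print("no pin, accepted:   ", check_requirement("package[extra]", GOOD_HEADER))
```

Run as a script it prints True, False, False. The third case is the one the thread is about: strip the pin and a perfectly valid signature proves nothing about who the signer is, so a resolver has to fail closed rather than accept the embedded key.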

