[Distutils] Wheel 1.0 roadmap

Wes Turner wes.turner at gmail.com
Sun Oct 29 17:01:30 EDT 2017


REQ: feedback re: "Remove or deprecate wheel signing features #196"
https://github.com/pypa/wheel/issues/196

Is the current implementation incomplete without signature verification?
According to the spec?

```
The spec includes this feature. So, even though this verify() function is
incomplete, it would be wrong to just remove it without also removing it
from the spec.

- https://www.python.org/dev/peps/pep-0427/#signed-wheel-files
- https://www.python.org/dev/peps/pep-0491/#signed-wheel-files

I don't have the information needed to explain what completely implemented
signatures are useful for. Does the spec explain this?

> A wheel installer is not required to understand digital signatures but
MUST verify the hashes in RECORD against the extracted file contents. When
the installer checks file hashes against RECORD, a separate signature
checker only needs to establish that RECORD matches the signature.
```

On Sunday, October 29, 2017, Alex Grönholm <alex.gronholm at nextday.fi> wrote:

> I am planning for a 1.0.0 release of the "wheel" library. I would like to
> start using semver from this point onwards, which in the case of wheel
> means that its command line interface should be well defined and remain
> backwards compatible. As part of this effort, I've rewritten the
> documentation (currently in the "docs-update" branch on Github) to conform
> to the PyPA guidelines. Wheel also had some generated API documentation on
> ReadTheDocs, but as discussed privately with Daniel Holth and Nick Coghlan,
> wheel should not have a public API going forward so I've deleted that
> documentation.
>
> I've also taken a hard look at wheel's features and would like to remove
> those which I consider to be either useless or harmful. I've added these
> tasks as issues on Github.
>
> All the issues that I'd like to get resolved by 1.0.0 have been tagged
> with the proper milestone marker here:
> https://github.com/pypa/wheel/milestone/1
>
> Feedback is very welcome!
>
> ps. Daniel, if you're reading this, would you mind giving the new docs a
> once-over? Also, if you can suggest where to put the "story" page, I'll
> link it back to the main index file.
>
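The hash half of the check that the quoted spec passage describes, as an added example (not code from the wheel project or from this thread): it compares every archive member against RECORD, leaving signature verification of RECORD itself out of scope. The function names, the allow-list of algorithms and the in-memory sample wheel are assumptions constructed for the illustration.

```python
import base64, csv, hashlib, io, zipfile

# RECORD and its signature files carry no hash of their own (PEP 427).
UNHASHED = (".dist-info/RECORD", ".dist-info/RECORD.jws", ".dist-info/RECORD.p7s")
ALLOWED = {"sha256", "sha384", "sha512"}  # assumption: this example's allow-list

def record_digest(data, algorithm="sha256"):
    """RECORD encoding: <algorithm>=<urlsafe base64 digest, '=' padding removed>."""
    raw = hashlib.new(algorithm, data).digest()
    return algorithm + "=" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_record(wheel_bytes):
    """Return a list of problems; empty means every file matches RECORD."""
    problems, listed = [], set()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        records = [n for n in names if n.endswith(".dist-info/RECORD")]
        if len(records) != 1:
            return ["expected exactly one RECORD, found %d" % len(records)]
        text = zf.read(records[0]).decode("utf-8")
        for row in filter(None, csv.reader(io.StringIO(text))):
            path, digest = (row + [""])[:2]
            listed.add(path)
            if path.endswith(UNHASHED):
                continue
            algorithm = digest.partition("=")[0]
            if algorithm not in ALLOWED:  # also rejects md5, sha1 and empty hashes
                problems.append(path + ": missing or disallowed hash")
            elif path not in names:
                problems.append(path + ": listed but absent from archive")
            elif record_digest(zf.read(path), algorithm) != digest:
                problems.append(path + ": hash mismatch")
        problems += [n + ": not listed in RECORD" for n in names
                     if n not in listed and not n.endswith(UNHASHED)]
    return problems

def build_sample_wheel(extra=b""):
    """Constructed in-memory wheel; `extra` is appended after RECORD is written."""
    files = {"demo/__init__.py": b"V = 1\n", "demo-1.0.dist-info/WHEEL": b"Wheel-Version: 1.0\n"}
    record = "".join("%s,%s,%d\n" % (p, record_digest(d), len(d)) for p, d in files.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p, d in files.items():
            zf.writestr(p, d + (extra if p.endswith(".py") else b""))
        zf.writestr("demo-1.0.dist-info/RECORD", record + "demo-1.0.dist-info/RECORD,,\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(verify_record(build_sample_wheel()), verify_record(build_sample_wheel(b"# changed\n")))
```

Because every other file is pinned by a hash in RECORD, a signature checker only has to cover RECORD, which is the division of labour the quoted paragraph describes.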