The embedded signature feature was not developed very far. I think you could do some cool things in there, like automatically attaching timestamps to prove that a wheel was at least n days old, or expecting only that a particular key, identified by its fingerprint, signed any one of the wheels you might download instead of expecting that the entire wheel has a particular hash. Or simply being able to verify the wheel without caring about the compression algorithm used in the outer zip. But the feature did not get very far.
e.g. suppose you arranged for all the files in a release to be signed by a private key that is only used for a single release. Pass the fingerprint (cryptographic hash) of the public key to the installer. The installer would be able to check that you had any of the alternative files for that release, instead of just a single file's sha sum.
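The per-release key scheme sketched above, as an added example that is not code from this thread or from any packaging project: a publisher signs every artifact of one release with a key used only for that release, and an installer that knows nothing but the fingerprint of the public key can verify whichever artifact it happened to download. The Go program, the Release layout, the name-plus-hash message format and the artifact names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)
// Release is what the publisher ships beside the artifacts (assumed layout): the single-use public key plus one detached signature per artifact name.
type Release struct {
	PublicKey ed25519.PublicKey
	Sigs      map[string][]byte
}
// fingerprint of the public key is the only value the installer is given out of band.
func fingerprint(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))
}
// signedMessage binds the name to the content hash so a signature cannot be replayed onto a differently named file of the same release.
func signedMessage(name string, content []byte) []byte {
	sum := sha256.Sum256(content)
	return append([]byte(name+"\x00"), sum[:]...)
}
// SignRelease generates a key for this release only, signs every artifact and returns the fingerprint to publish; the private key goes out of scope here.
func SignRelease(files map[string][]byte) (Release, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Release{}, "", err
	}
	rel := Release{PublicKey: pub, Sigs: map[string][]byte{}}
	for name, content := range files {
		rel.Sigs[name] = ed25519.Sign(priv, signedMessage(name, content))
	}
	return rel, fingerprint(pub), nil
}
// VerifyArtifact is the installer side: check the shipped key against the trusted fingerprint, then the signature on whichever artifact was actually downloaded.
func VerifyArtifact(rel Release, want, name string, content []byte) bool {
	if subtle.ConstantTimeCompare([]byte(fingerprint(rel.PublicKey)), []byte(want)) != 1 {
		return false
	}
	sig, ok := rel.Sigs[name]
	return ok && ed25519.Verify(rel.PublicKey, signedMessage(name, content), sig)
}

func main() { // constructed stand-ins for real wheel and sdist bytes
	files := map[string][]byte{"pkg-1.0-py3-none-any.whl": []byte("wheel"), "pkg-1.0.tar.gz": []byte("sdist")}
	rel, fp, _ := SignRelease(files)
	fmt.Println(VerifyArtifact(rel, fp, "pkg-1.0.tar.gz", files["pkg-1.0.tar.gz"])) // true
}
```

Because the installer pins the key fingerprint rather than one file hash, a mirror may serve the wheel or the sdist and either verifies, while a modified file, a signature moved to another file name, or a substituted key all fail.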
If it is then should the repo be created in the PyPA org on GitHub based on who all is volunteering to help out?
IMO we can move the project to Python Packaging Authority · GitHub once it's actually a thing that works; if you disagree, let's talk about that here.
There are basically two launchers in common use. The py launcher doesn't support appended zips (by default - there's conditional code in there that can be enabled). The distlib launchers are available as a separate project, https://bitbucket.org/vinay.sajip/simple_launcher. Those launchers are the ones that distlib uses, and could easily be re-used by another project (binaries are available, so you don't need to compile your own copy). There's no need to use distlib's code, all that does is wrap the process of creating a zip and appending it to the launcher.
IMO, it would be nice if the simple_launcher launchers were more easily reusable (with 'proper' releases, for example), but that's just a minor point.
My contribution level will be limited until I ramp up on what is being discussed in some cases (py.exe launcher doesn't support appended zips… I know what some of those words mean.) but I am willing to make up for it with enthusiasm and willingness to experiment.
I'm reading through this thread this week and attempting to catch up on everything said (in particular PEP 427 called out by @uranusjr and the steps outlined by @dholth). If there is something I can start chatting with folks about designing I'm happy to dive in.
As a newb, I am happy to do any boilerplate/busywork to get the idea up and running.