Given that there were no further comments, I’d like to move this proposal ahead. Specifically, I’d like to propose:
- Deprecate the PEP 427-style signatures `RECORD.jws` or `RECORD.p7s`
- Update Binary distribution format - Python Packaging User Guide to say "`RECORD.jws` and `RECORD.p7s` are deprecated files that were used for digital signatures. They are not mentioned in `RECORD`."
- Remove the "Signed wheel files" section at Binary distribution format - Python Packaging User Guide
Motivations:
- `RECORD.jws` and `RECORD.p7s` haven't found mainstream usage, and aren't checked by any major tool I'm aware of. They are not supported in pip nor uv.
- These signatures are presented as security features in the spec, when they in fact don't provide any security (they aren't checked).
- The newer, supported security features, specifically hash checking for archives and attestations, use external hashes and signatures, which are presented in the index, instead of internal signatures.
- Since these features build on top of `RECORD` checking (which pip and uv don't do), this is a first step before being able to discuss further `RECORD` changes that align spec and tool implementations.
@pf_moore I don't know what the process here is, for a PUG spec change that is not a clarification but smaller than a real PEP, is there any process description I missed? I checked with PEP 1 but it does not seem applicable, and I couldn't find anything on PUG itself. Unless there are more opinions on this more concrete proposal, should we do something like a two-week final comment period with the above proposal?
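As an added illustration of what the `RECORD` checking mentioned above amounts to (this is example code written for this page, not code from pip, uv or the packaging spec), the script below builds a small wheel in memory, verifies every archive member against its `RECORD` entry (`path,sha256=<base64url-nopad digest>,size`), and flags any `RECORD.jws` / `RECORD.p7s` member as a deprecated signature file that is present but not verified. The wheel contents and the helper names (`build_wheel`, `rewrite_member`, `verify_record`) are constructed for the example and are assumptions, not anything a real tool provides.

```python
import base64
import csv
import hashlib
import io
import zipfile

# Hypothetical helper names; the wheel built here is constructed test data.
DEPRECATED_SIGNATURE_FILES = ("RECORD.jws", "RECORD.p7s")


def b64url_nopad(digest: bytes) -> str:
    """RECORD encodes digests as urlsafe base64 with '=' padding stripped."""
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def record_line(path: str, data: bytes) -> str:
    return f"{path},sha256={b64url_nopad(hashlib.sha256(data).digest())},{len(data)}"


def build_wheel(files: dict, dist_info: str, extra_unlisted=()) -> bytes:
    """Construct an in-memory wheel; `extra_unlisted` members are written
    to the archive without a RECORD entry (how PEP 427 placed RECORD.jws/p7s)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lines = []
        for path, text in files.items():
            data = text.encode("utf-8")
            zf.writestr(path, data)
            lines.append(record_line(path, data))
        record_path = f"{dist_info}/RECORD"
        lines.append(f"{record_path},,")  # RECORD carries no hash of itself
        zf.writestr(record_path, "\n".join(lines) + "\n")
        for path, text in extra_unlisted:
            zf.writestr(path, text.encode("utf-8"))
    return buf.getvalue()


def rewrite_member(wheel: bytes, path: str, new_text: str) -> bytes:
    """Replace one member's content without touching RECORD (simulated tampering)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(wheel)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = new_text.encode("utf-8") if info.filename == path else src.read(info)
            dst.writestr(info.filename, data)
    return out.getvalue()


def verify_record(wheel: bytes) -> list:
    """Return a list of problems; an empty list means every member matched RECORD."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        names = {n for n in zf.namelist() if not n.endswith("/")}
        record_paths = [n for n in names if n.endswith(".dist-info/RECORD")]
        if len(record_paths) != 1:
            return [f"expected exactly one RECORD, found {len(record_paths)}"]
        record_path = record_paths[0]
        dist_info = record_path.rsplit("/", 1)[0]
        listed = set()
        for row in csv.reader(io.StringIO(zf.read(record_path).decode("utf-8"))):
            if not row:
                continue
            path, hash_spec, size = row
            listed.add(path)
            if path == record_path:
                continue
            if path not in names:
                problems.append(f"listed in RECORD but missing from archive: {path}")
                continue
            data = zf.read(path)
            algo, _, expected = hash_spec.partition("=")
            # The spec requires sha256 or stronger; reject md5/sha1 and unknown names.
            if algo not in hashlib.algorithms_guaranteed or algo in ("md5", "sha1"):
                problems.append(f"unacceptable hash algorithm {algo!r} for {path}")
                continue
            if b64url_nopad(hashlib.new(algo, data).digest()) != expected:
                problems.append(f"hash mismatch: {path}")
            if size and int(size) != len(data):
                problems.append(f"size mismatch: {path}")
        for name in sorted(names - listed):
            if name in {f"{dist_info}/{f}" for f in DEPRECATED_SIGNATURE_FILES}:
                problems.append(f"deprecated signature file present, not verified: {name}")
            else:
                problems.append(f"in archive but not in RECORD: {name}")
    return problems


if __name__ == "__main__":
    good = build_wheel({"demo/__init__.py": "print('hi')\n"}, "demo-1.0.dist-info")
    print(verify_record(good))
    print(verify_record(rewrite_member(good, "demo/__init__.py", "import os\n")))
```

Running the module prints an empty list for the untouched wheel and a hash/size mismatch for the tampered one. A `RECORD.jws` member is reported only as present and unverified, which is the point the proposal makes: nothing in this check, or in pip or uv, consults it.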