[Python-Dev] BDFL delegation for PEP 426 (PyPI metadata 1.3) (original) (raw)

Nick Coghlan ncoghlan at gmail.com
Sun Feb 3 14:04:01 CET 2013

• Previous message: [Python-Dev] BDFL delegation for PEP 426 + distutils freeze
• Next message: [Python-Dev] BDFL delegation for PEP 426 (PyPI metadata 1.3)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Feb 3, 2013 at 10:34 PM, Paul Moore <p.f.moore at gmail.com> wrote:

So it's perfectly possible to use wheels right now, without the pip integration. But the pip developers don't want to integrate the wheel format just because it exists - they want the assurance that it's an accepted format supported by PEPs, hence the interest in getting the 3 wheel PEPs (of which the metadata PEP is the first) accepted.

And they're right to be concerned - I've just made it clear to Daniel that before PEP 427 will be accepted, it must either switch to using S/MIME for signatures and drop support for Java Web Signatures completely, or else it must contain a compelling rationale for why we should even be considering a signature scheme that isn't yet an IETF standard. I take the disclaimer the IETF put on their drafts seriously: "It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." MvL raised this concern last time the wheel format was discussed, and, to date, nothing has happened to address it. JWS does look like a neat piece of technology, but it's just too young to be basing our binary distribution infrastructure on it (especially as new crypto is, by default, bad crypto - that's why NIST/NSA hold their multi-year competitions when they need to come up with new crypto related algorithms).

The other two PEPs (the new metadata and the version compatibility tags) are in a much better place. Most of the issues with PEP 426 have been inherited from the previous version of the metadata, rather than being related to the changes Daniel needed for the wheel format, and I've just completed a new draft that should address most of those problems. It's been a while since I looked closely at the compatibility tag PEP, but I don't recall their being any significant problems with it last time it was discussed.

Cheers, Nick.

-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia

• Previous message: [Python-Dev] BDFL delegation for PEP 426 + distutils freeze
• Next message: [Python-Dev] BDFL delegation for PEP 426 (PyPI metadata 1.3)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list