From 4fc723131b5b1612fcc974bc4105420906f58b43 Mon Sep 17 00:00:00 2001 From: Daniel Holth Date: Fri, 8 Feb 2013 11:56:08 -0500 Subject: [PATCH] wheel rationales --- pep-0427.txt | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/pep-0427.txt b/pep-0427.txt index ea833a51f..af7ea751d 100644 --- a/pep-0427.txt +++ b/pep-0427.txt @@ -235,7 +235,7 @@ Signed wheel files ------------------ Wheel files include an extended RECORD that enables digital -signatures. PEP 376's RECORD is altered to include +signatures. PEP 376's RECORD is altered to include a secure hash ``digestname=urlsafe_b64encode_nopad(digest)`` (urlsafe base64 encoding with no trailing = characters) as the second column instead of an md5sum. All possible entries are hashed, including any @@ -316,6 +316,19 @@ Why does wheel include attached signatures? the signature, or individual files can be verified without having to download the whole archive. +Why does wheel allow JWS signatures? + The JOSE specifications including JWS are designed to be easy to + implement, a feature that is also one of wheel's primary design goals. + +Why does wheel also allow S/MIME signatures? + S/MIME signatures are allowed for users who need or want to use an + existing public key infrastructure with wheel. + + Signed packages are only a basic building block in a secured package + update system. Wheel only provides the building block. A complete + system would provide for key distribution and trust and would specify + which signature format was required. + Appendix ========