diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 269770261b8..d2eb5d62ab4 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -688,6 +688,7 @@ peps/pep-0809.rst @zooba peps/pep-0810.rst @pablogsal @DinoV @Yhg1s peps/pep-0811.rst @sethmlarson @gpshead peps/pep-0814.rst @vstinner @corona10 +peps/pep-0815.rst @emmatyping # ... peps/pep-2026.rst @hugovk # ... diff --git a/peps/pep-0815.rst b/peps/pep-0815.rst new file mode 100644 index 00000000000..d7456b5de63 --- /dev/null +++ b/peps/pep-0815.rst 
@@ -0,0 +1,79 @@ +PEP: 815 +Title: Deprecate ``RECORD.jws`` and ``RECORD.p7s`` +Author: Konstantin Schütze , + William Woodruff +Sponsor: Emma Harper Smith +PEP-Delegate: Paul Moore +Status: Draft +Type: Standards Track +Topic: Packaging +Created: 04-Dec-2025 +Post-History: `09-Jun-2025 `__, + + +Abstract +======== + +This PEP deprecates the ``RECORD.jws`` and ``RECORD.p7s`` wheel signature +files. Lack of support in tooling means that these virtually unused files do +not provide the security they purport. Users looking for wheel signing should +instead refer to :ref:`index hosted attestations +`. + + +Motivation +========== + +No major Python packaging tool supports generating or checking either +``RECORD.jws`` or ``RECORD.p7s``. Notably, neither pip nor uv validate the +hashes in ``RECORD``, a requirement for using signature files. The +:ref:`binary distribution format ` +presents them as security features, potentially resulting in user confusion. + +The state of the art for hashing and signing wheels has shifted from +in-archive information to out-of-archive information presented on the index, +such as hashes and :ref:`attestations ` +in the :ref:`simple repository API `. Unlike +the hashes in ``RECORD``, tools such as pip and uv validate index provided +hashes. + +Both files are virtually unused. A GitHub search for ``path:**.dist-info/RECORD`` +yields 635k results, ``path:**.dist-info/RECORD.jws`` has 8 distinct results +and ``path:**.dist-info/RECORD.p7s`` has zero results. + + +Specification +============= + +The ``RECORD.jws`` and ``RECORD.p7s`` files are deprecated, and the +:ref:`binary distribution format specification +` will be updated to reflect this. Build +backends and other tools MUST NOT add these files to wheels. Installers +SHOULD NOT attempt to verify them, while they remain excluded from ``RECORD``. 
+ + +Backwards Compatibility +======================= + +No build backends and installers that the authors are aware of require any +changes, as they do not support these files beyond skipping them when +processing the ``RECORD`` file. If any build backends do currently write these +files, they need to deprecate and eventually remove this feature. + +For verifying provenance, users should refer to +:ref:`index hosted attestations `. + + +Security Implications +===================== + +This PEP strengthens the security of the Python packaging ecosystem by +reducing the divergence between security features presented in the +specification and the security features supported by tools. + + +Copyright +========= + +This document is placed in the public domain or under the +CC0-1.0-Universal license, whichever is more permissive.
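Review bot: In the Specification section, "Build backends and other tools MUST NOT add these files to wheels" reads as an immediate prohibition, which is at odds with the Backwards Compatibility paragraph of the same hunk, where backends that currently write these files "need to deprecate and eventually remove this feature", and with the title, which describes a deprecation rather than a removal; either state the transition explicitly (for example "Build backends and other tools SHOULD NOT add these files to wheels; a future revision of the specification will remove them") or drop the "deprecate and eventually remove" wording so the two sections agree. The following sentence, "Installers SHOULD NOT attempt to verify them, while they remain excluded from ``RECORD``", is also ambiguous: it is unclear whether "while" means "as long as" or "at the same time as", and whether the existing rule that these two files are not listed in ``RECORD`` is being kept so that already published wheels carrying them still install; splitting it into two sentences that say so would remove the doubt. Two smaller points: the GitHub search counts in Motivation (635k, 8, zero) are a point-in-time measurement, so recording the date the search was run would keep the claim verifiable, and the Post-History field ends with a trailing comma after the single 09-Jun-2025 entry, which suggests either a second entry was dropped or the comma should go.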