From 964ad0556ae2fc48481c40a30909c218cc839362 Mon Sep 17 00:00:00 2001 From: konstin Date: Wed, 3 Dec 2025 13:03:10 +0100 Subject: [PATCH 1/9] PEP 815: Deprecate `RECORD.jws` and `RECORD.p7s` Co-authored-by: William Woodruff --- .github/CODEOWNERS | 1 + peps/pep-0815.rst | 70 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 71 insertions(+) create mode 100644 peps/pep-0815.rst diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 269770261b8..194664ea224 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -688,6 +688,7 @@ peps/pep-0809.rst @zooba peps/pep-0810.rst @pablogsal @DinoV @Yhg1s peps/pep-0811.rst @sethmlarson @gpshead peps/pep-0814.rst @vstinner @corona10 +peps/pep-0815.rst @konstin # ... peps/pep-2026.rst @hugovk # ... diff --git a/peps/pep-0815.rst b/peps/pep-0815.rst new file mode 100644 index 00000000000..a6fdc07d7b2 --- /dev/null +++ b/peps/pep-0815.rst 
@@ -0,0 +1,70 @@ +PEP: 815 +Title: Deprecate ``RECORD.jws`` and ``RECORD.p7s`` +Author: Konstantin Schütze , + William Woodruff +Sponsor: Emma Harper Smith +PEP-Delegate: Paul Moore +Status: Draft +Type: Standards Track +Topic: Packaging +Created: 04-Dec-2025 +Post-History: `09-Jun-2025 `__ + +Abstract +======== + +This PEP deprecates the ``RECORD.jws`` and ``RECORD.p7s`` wheel signature +files. Lack of support in tooling means that these virtually unused files do +not provide the security they purport. Users looking for wheel signing should +instead refer to +:ref:`index hosted attestations `. + +Motivation +========== + +No major Python packaging tool supports generating or checking either +``RECORD.jws`` or ``RECORD.p7s``. Notably, neither pip nor uv validate the +hashes in ``RECORD``, a requirement for using signature files. The +:ref:`binary distribution format ` +presents them as security features, potentially resulting in user confusion. + +The state of the art for hashing and signing wheels has shifted from +in-archive information to out-of-archive information presented on the index, +such as hashes and :ref:`attestations ` +in the :ref:`simple repository API `. Unlike +the hashes in ``RECORD``, tools such as pip and uv validate index provided +hashes. + +Both files are virtually unused. A GitHub search for ``path:**.dist-info/RECORD`` +yields 635k results, ``path:**.dist-info/RECORD.jws`` has 8 distinct results +and ``path:**.dist-info/RECORD.p7s`` has zero results. + +Specification +============= + +The ``RECORD.jws`` and ``RECORD.p7s`` files are deprecated, and the +:ref:`binary distribution format ` is +updated to reflect this. Build backends and other tools must not add these +files to wheels. Installers must not attempt to verify them, while they +remain excluded from ``RECORD``. 
+ +Backward Compatibility +====================== + +Known implementations require no changes, as they do not support these files +beyond skipping them when processing the ``RECORD`` file. Users should refer +to :ref:`index hosted attestations ` for +signing archives. + +Security Implications +===================== + +This PEP strengthens the security of the Python packaging ecosystem by +reducing the divergence between security features presented in the +specification and the security features supported by tools. + +Copyright +========= + +This document is placed in the public domain or under the +CC0-1.0-Universal license, whichever is more permissive. From 493b350fa4b9aa1f27f2a24126d6a1dda31ea73f Mon Sep 17 00:00:00 2001 From: konsti Date: Thu, 4 Dec 2025 23:08:38 +0100 Subject: [PATCH 2/9] Update .github/CODEOWNERS Co-authored-by: Emma Smith --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 194664ea224..d2eb5d62ab4 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -688,7 +688,7 @@ peps/pep-0809.rst @zooba peps/pep-0810.rst @pablogsal @DinoV @Yhg1s peps/pep-0811.rst @sethmlarson @gpshead peps/pep-0814.rst @vstinner @corona10 -peps/pep-0815.rst @konstin +peps/pep-0815.rst @emmatyping # ... peps/pep-2026.rst @hugovk # ... From 90ac2bcfba1a7dd3aa09a07d57b7d47f04dffd91 Mon Sep 17 00:00:00 2001 From: konsti Date: Thu, 4 Dec 2025 23:08:49 +0100 Subject: [PATCH 3/9] Update peps/pep-0815.rst Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> --- peps/pep-0815.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/peps/pep-0815.rst b/peps/pep-0815.rst index a6fdc07d7b2..acf117529aa 100644 --- a/peps/pep-0815.rst +++ b/peps/pep-0815.rst @@ -8,7 +8,7 @@ Status: Draft Type: Standards Track Topic: Packaging Created: 04-Dec-2025 -Post-History: `09-Jun-2025 `__ +Post-History: `09-Jun-2025 `__, Abstract ======== 
From b357fa3f9b0141ffce7cca7ecd1c8d797d8f8a04 Mon Sep 17 00:00:00 2001 From: konsti Date: Thu, 4 Dec 2025 23:09:00 +0100 Subject: [PATCH 4/9] Update peps/pep-0815.rst Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> --- peps/pep-0815.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/peps/pep-0815.rst b/peps/pep-0815.rst index acf117529aa..cea60705f2b 100644 --- a/peps/pep-0815.rst +++ b/peps/pep-0815.rst @@ -16,8 +16,8 @@ Abstract This PEP deprecates the ``RECORD.jws`` and ``RECORD.p7s`` wheel signature files. Lack of support in tooling means that these virtually unused files do not provide the security they purport. Users looking for wheel signing should -instead refer to -:ref:`index hosted attestations `. +instead refer to :ref:`index hosted attestations +`. Motivation ========== From 8dc69f25613e9d20cee2834c1e24a34d3ffec636 Mon Sep 17 00:00:00 2001 From: konsti Date: Thu, 4 Dec 2025 23:12:53 +0100 Subject: [PATCH 5/9] Update peps/pep-0815.rst Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> --- peps/pep-0815.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/peps/pep-0815.rst b/peps/pep-0815.rst index cea60705f2b..f552e2f4745 100644 --- a/peps/pep-0815.rst +++ b/peps/pep-0815.rst @@ -48,8 +48,8 @@ updated to reflect this. Build backends and other tools must not add these files to wheels. Installers must not attempt to verify them, while they remain excluded from ``RECORD``. -Backward Compatibility -====================== +Backwards Compatibility +======================= Known implementations require no changes, as they do not support these files beyond skipping them when processing the ``RECORD`` file. Users should refer From f0fc29b7a2134b4dccc838b46681acb2ea5d299a Mon Sep 17 00:00:00 2001 
From: konstin Date: Thu, 4 Dec 2025 23:19:30 +0100 Subject: [PATCH 6/9] Partially apply suggestion --- peps/pep-0815.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/peps/pep-0815.rst b/peps/pep-0815.rst index f552e2f4745..0f3c363374d 100644 --- a/peps/pep-0815.rst +++ b/peps/pep-0815.rst @@ -43,10 +43,10 @@ Specification ============= The ``RECORD.jws`` and ``RECORD.p7s`` files are deprecated, and the -:ref:`binary distribution format ` is -updated to reflect this. Build backends and other tools must not add these -files to wheels. Installers must not attempt to verify them, while they -remain excluded from ``RECORD``. +:ref:`binary distribution format specification +` will be updated to reflect this. Build +backends and other tools MUST NOT add these files to wheels. Installers +SHOULD NOT attempt to verify them, while they remain excluded from ``RECORD``. Backwards Compatibility ======================= From 54ce99486ccf3e3bd15d8f6eea0f7fffbb1f216d Mon Sep 17 00:00:00 2001 From: konstin Date: Thu, 4 Dec 2025 23:29:32 +0100 Subject: [PATCH 7/9] Partially apply suggestion --- peps/pep-0815.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/peps/pep-0815.rst b/peps/pep-0815.rst index 0f3c363374d..a9c3ac4a14d 100644 --- a/peps/pep-0815.rst +++ b/peps/pep-0815.rst 
@@ -51,10 +51,10 @@ SHOULD NOT attempt to verify them, while they remain excluded from ``RECORD``. Backwards Compatibility ======================= -Known implementations require no changes, as they do not support these files -beyond skipping them when processing the ``RECORD`` file. Users should refer -to :ref:`index hosted attestations ` for -signing archives. +No build backends and installers that the authors are aware of require any +changes, as they do not support these files beyond skipping them when +processing the ``RECORD`` file. For verifying provenance, users should refer +to :ref:`index hosted attestations `. Security Implications ===================== From c76f4d1422ec01c16912269d1791fa2dcb0c0e6f Mon Sep 17 00:00:00 2001 From: konstin Date: Fri, 5 Dec 2025 10:17:42 +0100 Subject: [PATCH 8/9] Backwards Compatibility for build backends --- peps/pep-0815.rst | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/peps/pep-0815.rst b/peps/pep-0815.rst index a9c3ac4a14d..e1d75b4a4f4 100644 --- a/peps/pep-0815.rst +++ b/peps/pep-0815.rst @@ -53,8 +53,11 @@ Backwards Compatibility No build backends and installers that the authors are aware of require any changes, as they do not support these files beyond skipping them when -processing the ``RECORD`` file. For verifying provenance, users should refer -to :ref:`index hosted attestations `. +processing the ``RECORD`` file. If any build backends do currently write these +files, they need to deprecate and eventually remove this feature. + +For verifying provenance, users should refer to +:ref:`index hosted attestations `. Security Implications ===================== From ad90318725e60ed44f5345428ecff85283de0d28 Mon Sep 17 00:00:00 2001 From: konstin Date: Fri, 5 Dec 2025 15:57:40 +0100 Subject: [PATCH 9/9] Two blank lines between section --- peps/pep-0815.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/peps/pep-0815.rst b/peps/pep-0815.rst index e1d75b4a4f4..d7456b5de63 100644 
--- a/peps/pep-0815.rst +++ b/peps/pep-0815.rst @@ -10,6 +10,7 @@ Topic: Packaging Created: 04-Dec-2025 Post-History: `09-Jun-2025 `__, + Abstract ======== @@ -19,6 +20,7 @@ not provide the security they purport. Users looking for wheel signing should instead refer to :ref:`index hosted attestations `. + Motivation ========== @@ -39,6 +41,7 @@ Both files are virtually unused. A GitHub search for ``path:**.dist-info/RECORD` yields 635k results, ``path:**.dist-info/RECORD.jws`` has 8 distinct results and ``path:**.dist-info/RECORD.p7s`` has zero results. + Specification ============= @@ -48,6 +51,7 @@ The ``RECORD.jws`` and ``RECORD.p7s`` files are deprecated, and the backends and other tools MUST NOT add these files to wheels. Installers SHOULD NOT attempt to verify them, while they remain excluded from ``RECORD``. + Backwards Compatibility ======================= @@ -59,6 +63,7 @@ files, they need to deprecate and eventually remove this feature. For verifying provenance, users should refer to :ref:`index hosted attestations `. + Security Implications ===================== @@ -66,6 +71,7 @@ This PEP strengthens the security of the Python packaging ecosystem by reducing the divergence between security features presented in the specification and the security features supported by tools. + Copyright =========
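Review bot: In the Specification section of the new peps/pep-0815.rst (patch 1/9), the installer requirement "Installers must not attempt to verify them, while they remain excluded from ``RECORD``" does not say what an installer should do with an already-published wheel that ships ``RECORD.jws`` or ``RECORD.p7s``; since such wheels stay on indexes, state that installers continue to install them and ignore the files, and make clear what the "while they remain excluded from ``RECORD``" clause conditions (a rule for installers, or a statement that the files are never listed in ``RECORD``). Two smaller points in the same hunk: the GitHub search counts in Motivation (635k / 8 / zero) should record the date the search was run, as they will drift; and Security Implications states only the upside, so one sentence acknowledging that the deprecated files were the specification's only in-archive signature mechanism, and that the recommended replacement is index hosted, would make the trade-off explicit.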
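Review bot: Replacing ``@konstin`` with ``@emmatyping`` in the CODEOWNERS hunk of patch 2/9 drops the PEP author from review requests; if the intent is that only the sponsor is listed as owner that is fine, otherwise ``peps/pep-0815.rst @konstin @emmatyping`` keeps both.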
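Review bot: The trailing comma added to the Post-History line in patch 3/9 leaves a one-entry list ending in a comma; if a second discussion link is meant to follow, add it in the same change, otherwise drop the comma so the header renders cleanly.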
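Review bot: With the switch to "MUST NOT" and "SHOULD NOT" in patch 6/9 the PEP now uses RFC 2119 keywords but nowhere says so; add the customary sentence stating that the key words are to be interpreted as described in RFC 2119. In the same hunk, "will be updated to reflect this" should say when that happens (on acceptance of this PEP), and the clause "while they remain excluded from ``RECORD``" is still ambiguous; a wording such as "Installers SHOULD NOT attempt to verify them; these files are not listed in ``RECORD``" separates the requirement from the factual statement.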
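Review bot: "No build backends and installers that the authors are aware of require any changes" in patch 7/9 reads as a double negative; "No build backend or installer that the authors are aware of requires any changes" is clearer.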
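Review bot: The sentence added in patch 8/9, "If any build backends do currently write these files, they need to deprecate and eventually remove this feature", is in tension with the Specification's "Build backends and other tools MUST NOT add these files to wheels", which reads as an immediate prohibition. Either the Specification should allow a transition period (for example "SHOULD NOT ... and MUST NOT after <date or version>") or this section should say such backends must stop emitting the files once the PEP is accepted. Also "do currently write" can be "currently write".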