Alex Cameron
Just FYI, I'm also working on a PR to get `pip-requirements-parser` to work with `packaging>=22.0`.
I'm going to be offline for a few hours. But I'll sign on later and see if you're around. Is it possible to just remove support for `LegacyVersion`? I assume...
I do have something but it just removes references to 'LegacyVersion' and updates tests which isn't what you had in mind. Sure, go ahead!
@pombredanne Thanks! v32.0 works fine for `pip-audit`. Would you like me to test against https://github.com/nexB/pip-requirements-parser/pull/3 too?
> @tetsuo-cpp re: testing #3 this would be great! There are some tests that I am still trying to fix though... I reckon that I combined here the test suite...
One requirement of this work is that verifying clients will need to take information about what signing algorithm was used to generate the signature since we can no longer assume...
> @tetsuo-cpp are you talking about the signature algorithm or the hash one? I think the hash algo is already included in `messageDigest` in the bundle file. I don't think...
CC: @ret2libc
I think it's best to get this in first and follow up with the change to restrict algorithms via a `--allowed-signing-algorithms` flag since it's not straightforward with the current CLI...
I had a look at this today. I think if we just want to make a more informative error message, that should be reasonably straightforward. But if we want to...