bug#17625: 24.4.50; All installed packages marked "unsigned", no archive
From: Stefan Monnier
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Sat, 31 May 2014 16:19:32 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux)
> So any signing could only happen on elpa.gnu.org, automatically.
That's the intention, indeed.
> So if someone hacks elpa.gnu.org, they can hack the signing process too.
I guess we could move the archive-generation process to another machine,
but yes, if the machine that generates the archive is hacked, then all
bets are off.
> So all signing does AFAICS is protect against a man-in-the-middle
> attack where someone impersonates elpa.gnu.org. Which the use of ssl
> certs should already protect against?
AFAIK we currently use http://elpa.gnu.org/packages/, so no
SSL involved. I don't know enough about SSL certs to be sure whether it
would provide comparable guarantees to signed packages.
Stefan