bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#66414: GNU ELPA: Require signed tags to release new package versions

From: Eshel Yaron
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Date: Mon, 09 Oct 2023 10:32:41 +0200
User-agent: Gnus/5.13 (Gnus v5.13) 
Hi,

Stefan Kangas <stefankangas@gmail.com> writes:

> Severity: wishlist
>
> I propose optionally releasing a new version of packages on
> NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
> it mandatory, at the very least not initially, because it would break
> too many existing workflows.
>

Do I understand correctly that under this proposal package
authors/maintainers would need to opt-in to such signature validation?

Another option that might be worth considering is to continue releasing
packages, with or without a valid signature, and instead to indicate the
absence or invalidity of a signature in the packages list and in other
package.el commands.  This has the benefit of requiring nothing from
package maintainers while creating a clear incentive to add those
signatures, and it would also give users the chance to employ their
personal judgment on case-by-case basis.  OTOH There are many cases to
consider, such as what happens when a user wants to upgrade a signed
package but the newer version is unsigned.

> The standard feature to do that in git would be a signed git tag.
> However, (Non-)GNU ELPA currently rebuilds package tarballs every time
> the "Version" comment header is updated, while git tags are ignored.
>
> Forwarded from
>
>     https://lists.gnu.org/r/emacs-devel/2023-02/msg00120.html
reply via email to
[Prev in Thread] Current Thread [Next in Thread]