From: Eli Zaretskii
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Tue, 07 Feb 2023 14:10:42 +0200
> Cc: 61277@debbugs.gnu.org, stefan@marxist.se, yantar92@posteo.net,
> monnier@iro.umontreal.ca
> From: Richard Stallman <rms@gnu.org>
> Date: Mon, 06 Feb 2023 22:56:35 -0500
>
> > My git commits are usually signed, so one could check the signature of
> > each commit which leads to a package build. This feature could be opt-in
> > for now, enabled via an attribute :signature in the elpa-packages
> > configuration. Maybe elpa-packages could store the fingerprint(s) of the
> > expected GPG key(s)?
>
> What do other maintainers think of this?
I don't have an opinion. Frankly, I don't really understand what
would signing commits give in this regard, given that people who
install a package normally install a tarball, they don't clone the Git
repository. I also don't think the goals were stated clearly, so it's
hard to reason about this. But then I'm nowhere near being an expert
on this stuff, so I could easily miss something important.
> Should we move this to emacs-devel? A specific bug ticket
> is not the right place for such an important topic.
Agreed.
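The check proposed in the quoted request (verify the signature of every commit that leads to a package build, against fingerprints pinned in the package configuration) can be prototyped on the build side with plain git. The following is an added example written for this page; it is not ELPA's own build code and the thread does not contain it. It assumes the fingerprints are passed in as arguments (standing in for a hypothetical `:signature` attribute in `elpa-packages`) and that the build host's gpg has the keys so that `git log` can report a signature status at all.

```sh
#!/bin/sh
# Added example (not ELPA's code): gate a package build on every commit in a
# range carrying a good OpenPGP signature from an expected key.
#
# check_commit_sigs reads one line per commit on stdin, "<hash> <status> <fpr>",
# exactly as produced by:  git log --format='%H %G? %GP' "$range"
#   %G?  G = good signature, B = bad, U = good but untrusted key, X/Y = expired,
#        R = revoked key, E = cannot be checked, N = no signature
#   %GP  fingerprint of the signer's primary key (empty when unsigned)
# Its arguments are the allowed primary-key fingerprints (the hypothetical
# pinned :signature values). It returns 0 only if every commit has status G
# and was signed by one of the allowed keys; each failure is reported on stderr.
check_commit_sigs() {
    allowed=" $* "
    rc=0
    while read -r hash status fpr; do
        [ -n "$hash" ] || continue
        case "$status" in
            G) ;;
            *) echo "REJECT $hash: signature status '$status'" >&2; rc=1; continue ;;
        esac
        case "$allowed" in
            *" $fpr "*) ;;
            *) echo "REJECT $hash: key $fpr not in expected set" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Build-side wrapper (hypothetical): since_ref is the last commit already
# built, head_ref the candidate; remaining arguments are the pinned fingerprints.
# Every commit in since_ref..head_ref must pass, not just head_ref, so a
# signed merge on top of an unsigned commit is still refused.
verify_range_and_build() {
    since_ref=$1; head_ref=$2; shift 2
    git log --format='%H %G? %GP' "$since_ref..$head_ref" |
        check_commit_sigs "$@" || { echo "build of $head_ref refused" >&2; return 1; }
    echo "all commits in $since_ref..$head_ref verified; building $head_ref"
}
```

Two details matter in practice. Status `G` is only reported when the build host's keyring already trusts the key, so the pinned fingerprints are what tie the check to the package configuration rather than to whatever keys happen to be on the build machine; and this verifies the commits the build is made from, which, as Eli notes above, is a separate question from what a user who installs a tarball can verify.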