emacs-devel

Re: ELPA security


From: Stefan Monnier
Subject: Re: ELPA security
Date: Mon, 07 Jan 2013 22:07:05 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux)

> Yes, I think that's the agreement.  I'd rather keep a .sig for every
> file instead of signing the whole package, because then you can package
> the whole directory in one tarball or distribute it as source, but
> that's a technicality IMO.

The tarball contains nothing else than the source, and it can only be
downloaded as a whole, so there's no point signing each file in
a tarball individually.

> I'd like to settle the signing keys (will it be the authors or a group
> of GNU ELPA maintainers?);

The signing will not guarantee any kind of code quality, it will only
guarantee "this comes from the real GNU ELPA".  So the signing key will
be a "GNU ELPA" key.

> `archive-contents' (will its format change?);

Yes and no: each entry in it will have one more optional field
containing the signature.  AFAIK it should be backward compatible, so
it's a change, but will still work with older package.el.


        Stefan


