emacs-devel

Re: ELPA security


From: Ted Zlatanov
Subject: Re: ELPA security
Date: Tue, 08 Jan 2013 12:30:59 -0500
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)

On Tue, 08 Jan 2013 11:57:56 -0500 Stefan Monnier <address@hidden> wrote: 

>> OK, so the package vector will have a new element.  Releasing a package
>> will require releasing a new `archive-contents' with an updated
>> signature for that package and re-signing it with the "GNU ELPA"
>> maintainer key.

SM> The `archive-contents' file is re-created afresh every day via a cron-job.

SM> So maybe it's better to keep the signatures in a separate file, next
SM> to the signed file (e.g. have foo.tar and foo.tar.gpgsig).

I think that answers all the questions I had.  To summarize:

1) sign `archive-contents' in the cron job when it's generated into
`archive-contents.gpgsig' with the GNU ELPA maintainer key.

2) every package release foo.{el,tar} will have an optional
foo.{el,tar}.gpgsig also signed with the GNU ELPA maintainer key.

3) package.el will optionally test the signatures by calling GPG
externally.  We'll turn that on for the GNU ELPA archive "gnu", but
other repos won't require it.  Maybe `package-archives-signed' can be a
new list of ELPA archives to be verified, by default `("gnu")', or the
format of `package-archives' can change.

3.1) If GPG is not available and the ELPA archive is to be verified, we
prompt the user to override it once or abort.  They won't be allowed to
override it permanently from the prompt--they have to `M-x
customize-variable' to do it.  The prompt will be scary.

4) If the signature checks fail, the user will be prompted to allow it
once or abort.  They won't be allowed to override it permanently from
the prompt--they have to `M-x customize-variable' to do it.  The prompt
will be scary.

5) The GNU ELPA maintainer key will be shipped with the Emacs package.el.

Does all of that sound good?

Ted
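
The flow summarized in this message, sketched in Emacs Lisp as an added example; it is not part of the original post and is not package.el's code. Every `example-` name and the keyring path are hypothetical, gpg is called with its real `--verify`, `--no-default-keyring` and `--keyring` options, and treating a missing `.gpgsig` on a signed archive as a failed check is an assumption.

```elisp
;;; Added example, not package.el code.  All `example-' names are hypothetical.

(defcustom example-signed-archives '("gnu")
  "Names of archives whose downloads must pass signature checks (step 3).
Changing this list is the only permanent override (steps 3.1 and 4)."
  :type '(repeat string)
  :group 'package)

(defvar example-keyring "/path/to/gnu-elpa-keyring.gpg"
  "Placeholder path to the maintainer keyring shipped with Emacs (step 5).")

(defun example-gpg-verify (file)
  "Check the detached signature FILE.gpgsig against FILE.
Return t for a good signature made by a key in `example-keyring',
the symbol `no-gpg' if gpg is not installed, and nil otherwise."
  (let ((gpg (executable-find "gpg"))
        (sig (concat file ".gpgsig")))
    (cond ((null gpg) 'no-gpg)
          ;; Assumption: on a signed archive a missing signature is a failure.
          ((not (file-readable-p sig)) nil)
          (t (eq 0 (call-process gpg nil nil nil
                                 "--batch" "--no-tty"
                                 ;; Trust only the shipped key, never the
                                 ;; user's own keyring.
                                 "--no-default-keyring"
                                 "--keyring" example-keyring
                                 "--verify" sig file))))))

(defun example-check-download (archive file)
  "Return t if FILE, fetched from ARCHIVE, may be installed.
Signal an error if the user declines the one-time override."
  (if (not (member archive example-signed-archives))
      t                               ; other repos do not require a check
    (let ((result (example-gpg-verify file)))
      (cond ((eq result t) t)
            ;; Steps 3.1 and 4: the prompt offers "this once" or abort only.
            ((yes-or-no-p
              (format "WARNING: %s from archive \"%s\" %s.  Install anyway, this once? "
                      (file-name-nondirectory file) archive
                      (if (eq result 'no-gpg)
                          "cannot be verified because gpg was not found"
                        "FAILED signature verification")))
             t)
            (t (error "Aborted: %s was not verified" file))))))
```

The same check applies to `archive-contents` and its `archive-contents.gpgsig` (step 1) before any entry in it is trusted.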
