From: Stefan Monnier
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Mon, 19 Oct 2020 16:17:55 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

> I would rather expect a message to be shown, just as it is not shown for
> unsigned packages.

`package.el` should emit a message when installing a package without any
signature, since that's the odd and undesirable case. I find it
perfectly normal not to say anything when the signature check succeeded.

> Regarding packages in GNU ELPA, can I now assume they are all signed?

Of course. It's been that way since Emacs-24.4, IIRC.

> Is there a policy that GNU ELPA packages should be signed?

Not sure what that would mean: *we* sign it, so there's no policy to
enforce. At most there are bugs to fix if the sigs are missing
or incorrect.

> What I expect is a method for the user to easily verify and know by which
> key each package was signed; such a function should exist.

What does Debian do in this respect?

> I also expect that such verification should be by default, but the default
> was to accept unsigned, which is a security issue in Emacs.

2 reasons:

- the sig-checking code (i.e. PGP) might not be installed and we did
  not want to add it as a prerequisite.
- the signature system was introduced relatively shortly before it was
  deployed for Emacs-24.4, so we did not want to break it for the other
  ELPA archives.

Regarding the second point, AFAICT Melpa still doesn't sign its
packages, so its users presumably rely on `https` as their only line
of defense. One of the main reasons might be that there is/was no easy
way to add other trusted keys to Emacs's keyring (tho the
`gnu-elpa-keyring-update` shows it can be done) so even if they signed
their packages their users would have to take some extra step to add
their key to the trusted keys.

Stefan
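The two settings the message turns on, the lenient default that accepts unsigned packages and the strict mode that demands a valid signature from every archive, plus the "extra step" of importing another archive's key into Emacs's own keyring, as an added init-file example. This is editorial example code, not code from the thread or from package.el itself; `package-check-signature`, `package-gnupghome-dir` and `package-unsigned-archives` are real package.el variables, while `my/import-archive-key` and the key file path are assumptions made up for the illustration.

```elisp
;; Added example (not from the thread): hardening package.el's signature
;; checking. Evaluate in an init file before calling `package-initialize'.

;; Lenient setting discussed in the thread: a package with no signature at
;; all is installed silently, only a *bad* signature is rejected.
;; (setq package-check-signature 'allow-unsigned)

;; Strict setting: every package, from every archive, must carry a
;; signature that verifies against a key in Emacs's own keyring.
(setq package-check-signature 'all)

;; Keyring package.el uses for verification (this is its default value;
;; the gnu-elpa-keyring-update package mentioned in the thread refreshes
;; the GNU ELPA key stored here).
(setq package-gnupghome-dir
      (expand-file-name "elpa/gnupg" user-emacs-directory))

;; With 'all, an archive that does not sign its packages can no longer be
;; installed from. Exempt it only if you knowingly accept HTTPS as the
;; sole line of defense for that archive:
;; (add-to-list 'package-unsigned-archives "melpa")

;; The "extra step" for a third-party archive: import its public signing
;; key, obtained out of band and checked against the fingerprint the
;; archive publishes, into the keyring above. Hypothetical helper.
(defun my/import-archive-key (key-file)
  "Import KEY-FILE (an ASCII-armored public key) into `package-gnupghome-dir'."
  (interactive "fKey file: ")
  (unless (file-directory-p package-gnupghome-dir)
    (make-directory package-gnupghome-dir t))
  (let ((status (call-process "gpg" nil "*gpg-import*" nil
                              "--homedir" package-gnupghome-dir
                              "--import" (expand-file-name key-file))))
    (unless (and (integerp status) (zerop status))
      (error "gpg --import failed (status %s); see buffer *gpg-import*" status))
    (message "Imported %s into %s" key-file package-gnupghome-dir)))

;; Usage (placeholder path): (my/import-archive-key "~/downloads/archive-key.asc")
```

`'all` is the setting that makes an unsigned package an error rather than a silent install; `t` (verify signatures when present, allow unsigned when the archive is listed in `package-unsigned-archives`) is the intermediate option if some archive you depend on still does not sign.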