emacs-devel

From: Stefan Monnier
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Thu, 22 Oct 2020 17:25:21 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

>> >> > Is there a policy that GNU ELPA packages should be signed?
>> >> Not sure what that would mean: *we* sign it, so there's no policy to
>> >> enforce.  At most there are bugs to fix if the sigs are missing
>> >> or incorrect.
>> > It would be good to implement the policy.
>> I don't know what that means (neither "the policy" nor "implement").
> Rules of maintenance simply said:

So by "implement" you mean: write it in the doc that describes the ELPA 
protocol?

> - that every request to any ELPA goes over an SSL connection, to totally
>   disable non-SSL connections to archives.  Many countries spy on their
>   citizens, and in many of those countries citizens are using
>   encryption features, even if it could be illegal to use encryption.  By
>   using a non-SSL connection or allowing such, the possibility is there
>   that the user's life gets put in danger.

The part I don't understand here is "or allowing such".  I see the
danger of using a non-encrypted connection but not the danger of
allowing such.

>> >> > What I expect is a method for user to easily verify and know by which
>> >> > key was which package signed, such function should exist.
>> >> What does Debian do in this respect?
>> > There are ways to verify package authenticity,
>> How?  What does "package authenticity" mean?
>> Do you get to see which key signed which package?
> I skip this, I am sure you know it.

No, I don't, that's why I asked.  More specifically, from where I sit,
I don't see much difference between the way Debian does it and the way
GNU ELPA does it.  And as a Debian user I don't know how to "easily
verify" nor "know by which key".

>> > Vasilij pointed out how it should be done.  Verifications in Debian or
>> > Archlinux, how I see it, happen in real time during installation and
>> > that is by default.
>> Right, just as we do with GNU ELPA, AFAICT.
> It is not by default, surprisingly to me.

It is by default in my book.

> I had to turn on the option to have packages verified for signatures.

I think those users who posted questions about signature verification
failures back when we changed to a new key are evidence to the contrary.

>> The problem is not to create signatures (which we do on our own machines
>> where we can easily make sure PGP is installed) but to verify them.
> Maybe gnutls offers that API, I cannot know technically, I could see
> the API is there.

Patch welcome (as long as it doesn't end up reimplementing part of GPG).


        Stefan
