From: Jean Louis
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Fri, 23 Oct 2020 19:59:15 +0300
User-agent: Mutt/+ (1036f0e) (2020-10-18)

* Stefan Monnier <monnier@iro.umontreal.ca> [2020-10-23 17:52]:
> > I meant to make it a rule to sign packages, and that it should be
> > the default in Emacs to accept only signed packages; that increases the
> > level of security rather than leaving it acceptable for users to get
> > unsigned packages. It is definitely not everything about security, yet
> > it is one level.
> 
> IOW, you're just restating in other words your request to change
> `package-check-signature` to t?

Yes.

> > My purpose was to tell you that if Emacs developers allow non-SSL by
> > default, users are automatically put at certain risks, and that it is
> > better to ask for SSL by default.
> 
> And here you're suggesting that the default value of `package-archives`
> should always use `https` regardless of the `gnutls-available-p`?

I understand from that statement that probably not every platform will
have gnutls or some other solution. Let me mention that in some
countries governments forbid the use of various networks and software,
including encryption software; in particular, I have a friend in
Iran and I know what can happen to a person. And networks are spied
on. This means in particular that a misunderstanding or use of
encryption tools could lead to unjust arrests and broken
families. Loading some packages from Emacs could automatically trigger
spying governments to abuse their citizens.

Reference:
https://security.stackexchange.com/questions/10992/encryption-laws-in-iran

There are other similar cases easy to find on search engines.

Now if that cannot be made the default, then every non-SSL connection
should give a serious warning to the user and should even ask the user
whether they want to connect or not, because it is non-SSL. Such a
warning should make clear that the data is visible on the network and
exposed to Big Brother's eyes.

> > Packages are meant to be distributable as well; if they are signed,
> > the signature should also be fetched, but that is probably not the
> > original design of Emacs. In my opinion, it should be. Signatures
> > should be inside the package directory,
> > ~/.emacs.d/elpa/package-0.0/file.el.gpg
> 
> This makes way too many assumptions to be worth discussing, IMO.
> For the case of "single file ELPA package" (i.e. those files
> distributed as a single .el file) maybe that can work without too much
> trouble (though there's still the issue of trusting the accompanying .elc
> file), but for the more common packages distributed as tarballs, I think
> this is completely impractical.

Maybe the tar can be signed as such?

> A saner approach might be to keep a "cache" of the packages in their
> original (not-installed) form and make that available as a "local ELPA
> archive" from which you can redistribute those packages to
> other machines.

Yes. For me it is no problem; I speak for the wide user base. The
ability for each ELPA to download the full set of packages and keep it
as a local ELPA would be convenient for many users who do not have
stable Internet.

-- 
Jean Louis
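Added example, not from the thread or from Emacs itself: an init-file snippet that applies the two defaults argued for above (signature checking via `package-check-signature`, https-only `package-archives`) and implements the proposed prompt before keeping any archive that is not served over https. It assumes Emacs 25 or later with package.el and gnutls; the `my/` functions are hypothetical helpers.

```elisp
;; Added example (not part of the thread). Assumes Emacs 25+ with
;; package.el and gnutls; the `my/' functions are hypothetical helpers.

(require 'package)
(require 'seq)

;; Refuse packages whose signature is missing or does not verify.
;; The default `allow-unsigned' silently accepts unsigned packages.
(setq package-check-signature t)

;; Stop early rather than silently falling back to plain http when
;; the TLS library is unavailable on this platform.
(unless (gnutls-available-p)
  (error "gnutls is not available; refusing to configure archives over http"))

;; Only https archives.  GNU ELPA signs its packages, so it works with
;; `package-check-signature' set to t.
(setq package-archives
      '(("gnu" . "https://elpa.gnu.org/packages/")))

(defun my/package-archive-url-insecure-p (url)
  "Return non-nil if URL is a remote archive not served over https.
Local directories (no URL scheme) are allowed."
  (and (string-match-p "\\`[a-z]+://" url)
       (not (string-prefix-p "https://" url))))

(defun my/package-prune-insecure-archives ()
  "Ask before keeping any `package-archives' entry that is not https.
Entries the user declines are removed, so package.el never contacts them.
This is the user prompt proposed in the thread, not built-in behaviour."
  (setq package-archives
        (seq-filter
         (lambda (archive)
           (or (not (my/package-archive-url-insecure-p (cdr archive)))
               (yes-or-no-p
                (format "Archive %s uses %s; traffic is visible on the network. Keep it? "
                        (car archive) (cdr archive)))))
         package-archives)))

;; Run the check before the first `package-refresh-contents'.
(my/package-prune-insecure-archives)
```

Archives added later (for example by a local ELPA mirror as suggested above) are covered by calling `my/package-prune-insecure-archives` again after modifying `package-archives`.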