
Re: Security issues in Emacs packages


From: Greg Minshall
Subject: Re: Security issues in Emacs packages
Date: Thu, 26 Nov 2020 15:27:22 +0300

Tim,

> It could, but to get that level of assurance, you not only have to
> verify the signature is valid (something which is automated if
> enabled), you also need to verify that both packages have the exact
> same signature, which is pretty much a manual process. So in addition
> to telling you the version number, George would also need to
> communicate the signature and that would need to be compared to the
> signature you have in the package you downloaded to know that the
> packages are in fact the same (you cannot rely on version numbers for
> any real verification).

If MELPA's release procedure prevented two separate releases of version
1.2.3 of package xYandZ from being released, wouldn't that obviate the
requirement for George to give me signatures?  That was my thought as to
why a signed (MELPA, version number, package name) would be enough.
(I've no idea if MELPA's procedures would actually conform to my
"requirement".)

cheers, Greg
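The check the two messages above are circling, as an added example that is not from this thread, from MELPA or from package.el: if the archive signs an index that binds (package name, version) to a content digest, a client can reject a second, different "1.2.3" on its own, with no signature exchanged with George. HMAC stands in for the archive's GPG signature so the script runs offline with the standard library; the index layout, key and tarball bytes are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the archive's signing key. A real archive would
# sign with an asymmetric (GPG) key; HMAC is used here only so the example
# runs with the standard library.
ARCHIVE_KEY = b"constructed-archive-signing-key"


def sign_index(index: dict, key: bytes = ARCHIVE_KEY) -> bytes:
    """Sign a canonical JSON encoding of the archive index."""
    payload = json.dumps(index, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_download(index: dict, signature: bytes, name: str, version: str,
                    tarball: bytes, key: bytes = ARCHIVE_KEY) -> bool:
    """Accept a download only if the index signature is valid AND the
    (name, version) entry's digest matches the bytes actually downloaded."""
    if not hmac.compare_digest(sign_index(index, key), signature):
        return False  # index signature invalid: trust nothing in it
    entry = index.get(name, {}).get(version)
    if entry is None:
        return False  # this version was never published by the archive
    actual = hashlib.sha256(tarball).hexdigest()
    # Version numbers match by construction; only the digest decides.
    return hmac.compare_digest(entry["sha256"], actual)


# Constructed sample: the release George reviewed ...
GOOD_TARBALL = b"xYandZ 1.2.3 release contents (constructed)"
# ... and a second, different build that also calls itself 1.2.3.
OTHER_TARBALL = b"xYandZ 1.2.3 rebuilt with other contents (constructed)"

INDEX = {"xYandZ": {"1.2.3": {"sha256": hashlib.sha256(GOOD_TARBALL).hexdigest()}}}
SIGNATURE = sign_index(INDEX)
```

Because the signed index pins one digest per (name, version), the archive cannot publish two different 1.2.3 tarballs without the second one failing this check.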


