unofficial mirror of bug-gnu-emacs@gnu.org 
From: Ted Zlatanov <tzz@lifelogs.com>
To: Glenn Morris <rgm@gnu.org>
Cc: Eric Abrahamsen <eric@ericabrahamsen.net>, 17625@debbugs.gnu.org
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Thu, 05 Jun 2014 10:24:28 -0400
Message-ID: <8738fjh1sz.fsf@lifelogs.com>
In-Reply-To: <wxbnud63kf.fsf@fencepost.gnu.org> (Glenn Morris's message of "Sat, 31 May 2014 17:28:16 -0400")

On Sat, 31 May 2014 17:28:16 -0400 Glenn Morris <rgm@gnu.org> wrote: 

GM> Stefan Monnier wrote:
>> I guess we could move the archive-generation process to another machine,

GM> I won't pretend to know what I'm talking about, but I think that's the
GM> kind of thing you have to do if this is to have any real value.

I suggested to Stefan and on emacs-devel that the signing process should
be manual and after review. That's how it works for Debian, for
instance. The concern from several people was that this would be hard on
the GNU ELPA maintainers. I think it's still worth doing, especially if
the task can be delegated and contributors are required to sign their
Git commits.

GM> And for an inherently-not-very-secure environment like Emacs, is it worth it?

I think so.  These packages can run arbitrary code and Emacs makes it
very easy to install them.

>> AFAIK we currently use http://elpa.gnu.org/packages/, so no SSL
>> involved.

GM> Right. Will it Just Work to change that to https?

>> I don't know enough about SSL certs to be sure whether it would provide
>> comparable guarantees to signed packages.

GM> I think SSL would verify that you are talking to the server that you
GM> thought you were talking to, and that no-one had injected anything in
GM> between you and it. Which is all that gpg-signed packages would do, if
GM> the machine that hosts the packages also does the signing (AFAICS).

The file, the signature, and the GNU ELPA maintainers' public key have
to match; MITM attacks can't subvert that AFAIK.

Ted
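As an added illustration, not code from this thread or from Emacs/ELPA: a toy detached-signature check with small constructed RSA keys, modelling the cases argued above (bytes altered in transit, bytes re-signed by someone else, and the signing key sitting on the archive host). The package contents, the key sizes and the "attacker" key are all constructed for the example.

```python
import hashlib

# Toy RSA keys built from Mersenne primes, constructed for this example only;
# real archives use 2048-bit+ RSA or Ed25519, never primes this small.
E = 65537

def keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # (public, private)

MAINTAINER_PUB, MAINTAINER_PRIV = keypair(2**127 - 1, 2**89 - 1)
ATTACKER_PUB, ATTACKER_PRIV = keypair(2**107 - 1, 2**61 - 1)

def digest(data, n):
    # SHA-256 of the file, reduced into the key's modulus (toy padding).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(data, sig, pub):
    # The file, the signature and the pinned public key must all agree.
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

# Constructed stand-in for an archive file such as archive-contents.
PACKAGE = b"(1 (foo . [(1 0) nil \"Constructed package\" single]))\n"

def scenario():
    """Outcome of the pinned-key check for four ways the client could get its bytes."""
    genuine_sig = sign(PACKAGE, MAINTAINER_PRIV)
    tampered = PACKAGE.replace(b"nil", b"((evil (1 0)))")  # altered on the wire or on the host
    return {
        # Signed on the maintainers' machine, served unmodified: passes.
        "genuine": verify(PACKAGE, genuine_sig, MAINTAINER_PUB),
        # Bytes changed by a MITM or a mirror, old signature reused: fails.
        "tampered_same_sig": verify(tampered, genuine_sig, MAINTAINER_PUB),
        # Altered bytes re-signed with a key the attacker controls: still fails,
        # because the client pins the maintainers' key rather than trusting what is served.
        "tampered_resigned": verify(tampered, sign(tampered, ATTACKER_PRIV), MAINTAINER_PUB),
        # Glenn's case: the signing key lives on the archive host, so whoever
        # controls that host can produce a valid signature over anything.
        "host_holds_key": verify(tampered, sign(tampered, MAINTAINER_PRIV), MAINTAINER_PUB),
    }
```

The last entry is why signing off-host and after review adds something HTTPS cannot: transport security says nothing about what the host itself was made to sign.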




