From: Ted Zlatanov
Newsgroups: gmane.emacs.bugs
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Tue, 30 Sep 2014 07:02:51 -0400
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87h9zp5q1w.fsf@lifelogs.com>
To: Stefan Monnier
Cc: 17625@debbugs.gnu.org
X-GNU-PR-Keywords: security

On Mon, 29 Sep 2014 23:55:00 -0400 Stefan Monnier wrote:

>> @c Uncomment this if it becomes true.
>> @ignore
>> The public key for the GNU package archive is distributed with Emacs,
>> in the @file{etc/package-keyring.gpg}. Emacs uses it automatically.
>> @end ignore

>> The ELPA maintainer public key .gpg file is needed. Right now I can't
>> find it so I can't actually verify any packages. Am I missing something?

SM> It's in the file described in the (commented out) doc you cited above.
SM> You are tracking emacs-24 to help us with the pretest, right?

I am, but looked in the trunk for this file. I didn't expect you'd put
the keyring only in the emacs-24 branch. Why keep it out of trunk?
Users there won't know to look in emacs-24.

>> Are there docs on the signing process? I don't see anything in the ELPA
>> repository under admin.

>> I also think that we should set `package-check-signature` aggressively
>> if we can verify a basic signature verification.

SM> For now my main concern is to make sure GNU ELPA can still be accessed
SM> by users of 24.4, and that they *can* check the signature if they so wish.

It can, but they can't verify the signature as a separate operation.
They have to attempt an install. That's why I suggested the "Verify"
button.

The whole thing is hard to set up for a new user, so we need docs on
that, especially covering the initial import and a small GnuPG primer so
the user understands what's going on. Would you like me to write them?

>> I am attaching a small patch to provide a "Verify" button in the package
>> description, so the user doesn't have to try to install the package to find
>> out if it's signed. If you agree, I can commit it.

SM> I can't imagine why a user would want to check if a package is signed.
SM> All GNU ELPA packages are signed, and I hope that soon all ELPA packages
SM> will be signed.

Verifying the signature is currently only possible as part of the
installation. Yet the verification on installation can only be
controlled with a single variable, which lets you either check all, or
allow installing unsigned packages.

I'm trying to cover the case where the user wants to allow installing
unsigned packages, but still wants to verify an individual package's
signature beforehand. As the number of package archives grows, I think
that will be useful. It's also convenient for testing whether the user
has imported the maintainers' key correctly and whether their GnuPG
setup is operational.

Ted
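
A check that verifies a package's signature without installing it, as discussed in the message above, can be sketched in Emacs Lisp with the EPG library. This is an added example, not the patch attached to the original message; `my/package-verify-file` is a hypothetical name. It assumes Emacs 25 or later, a package file and its detached `.sig` already downloaded to disk, and the archive key imported into the `gnupg` directory under `package-user-dir`.

```elisp
;; Added example (not from the thread).  `my/package-verify-file' is a
;; hypothetical helper; nothing here installs or evaluates package code.
(require 'package)
(require 'epg)

(defun my/package-verify-file (file &optional sig-file)
  "Verify FILE against the detached signature SIG-FILE (default FILE.sig).
Only keys in the \"gnupg\" directory under `package-user-dir' are
trusted, so the user's personal GnuPG keyring is not consulted.
Return the key IDs of all good signatures, or nil if none is good."
  (let* ((sig-file (or sig-file (concat file ".sig")))
         (homedir (expand-file-name "gnupg" package-user-dir))
         (context (epg-make-context 'OpenPGP))
         good-key-ids)
    (unless (file-readable-p file)
      (user-error "Cannot read package file: %s" file))
    (unless (file-readable-p sig-file)
      (user-error "No signature file: %s" sig-file))
    (unless (file-directory-p homedir)
      ;; An empty or missing keyring would make every check fail, which
      ;; is indistinguishable from a bad signature; report it separately.
      (user-error "No keyring in %s; run `package-import-keyring' first"
                  homedir))
    (setf (epg-context-home-directory context) homedir)
    ;; Detached signature: pass both the signature and the signed file.
    (epg-verify-file context sig-file file)
    ;; A .sig may carry several signatures; collect the good ones.
    (dolist (sig (epg-context-result-for context 'verify))
      (when (eq (epg-signature-status sig) 'good)
        (push (epg-signature-key-id sig) good-key-ids)))
    (nreverse good-key-ids)))

;; Install-time policy is a separate, global switch:
;;   (setq package-check-signature t)               ; reject unsigned packages
;;   (setq package-check-signature 'allow-unsigned) ; install unsigned ones too
;; With `allow-unsigned', the function above still lets one package be
;; checked by hand before it is installed.
```

A nil result on a package known to be signed points at a missing key or a broken GnuPG setup rather than at the package itself, which covers the testing case mentioned at the end of the message.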