From: Philip Kaludercic
Newsgroups: gmane.emacs.bugs
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Date: Mon, 09 Oct 2023 09:39:08 +0000
Message-ID: <87r0m4kudf.fsf@posteo.net>
References: <871qe4maom.fsf@posteo.net>
Cc: 66414@debbugs.gnu.org, yantar92@posteo.net, monnier@iro.umontreal.ca
To: Stefan Kangas
In-Reply-To: (Stefan Kangas's message of "Mon, 9 Oct 2023 09:30:20 +0000")
Stefan Kangas writes:

> Philip Kaludercic writes:
>
>> Stefan Kangas writes:
>>
>>> Severity: wishlist
>>>
>>> I propose optionally releasing a new version of packages on
>>> NonGNU/GNU ELPA only if there is a valid PGP signature. We can't make
>>> it mandatory, at the very least not initially, because it would break
>>> too many existing workflows.
>>
>> I am not sure what the context here is, so sorry for the potentially
>> stupid question, but what PGP signatures are we talking about? Are you
>> suggesting that the commit should be signed?
>
> Yes, see the very next sentence:
>
>>> The standard feature to do that in git would be a signed git tag.
>
> Sorry for not being more clear.

No, my bad. I didn't know that git tags could be signed, so I misread
the sentence.

One issue might be that elpa-admin.el doesn't really do anything with
git tags, though I guess it should be possible to verify a remote git
tag? An alternative might be to check for signed git commits, at the
very least for the commits that bump the version tag.
That way all the could be kept in elpa.git.
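Added example, not part of this thread and not code from elpa-admin.el: the two checks discussed above, a release gated on a signed annotated tag and, as the alternative, on signed commits, expressed with git's own verification commands. It assumes a local checkout path and a tag name are passed in, that the trusted signers' keys are already in the keyring git uses, and the helper names (verify_release_tag, verify_release_commit, version_bump_commits) and the foo.el argument in the usage line are hypothetical. The last helper lists the commits that changed a package's ";; Version:" header, i.e. the commits the message suggests requiring signatures on.

```sh
#!/bin/sh
# Added example (hypothetical helpers, not elpa-admin.el code).
# Assumes: $repo is a local git checkout, trusted signer keys are in the
# gpg keyring git uses (gpg.program / gpg.format config), and git >= 1.8.5.

# Succeed only if "$2" is an annotated tag in repo "$1" carrying a good
# signature.  Lightweight tags are rejected up front, because only tag
# objects can carry a signature; unsigned annotated tags and bad or
# untrusted signatures make "git verify-tag" exit non-zero.
verify_release_tag() {
  repo=$1
  tag=$2
  [ "$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null)" = tag ] || return 1
  git -C "$repo" verify-tag "$tag" >/dev/null 2>&1
}

# Alternative from the thread: require the commit itself to be signed.
# "git verify-commit" exits non-zero for unsigned commits and bad signatures.
verify_release_commit() {
  repo=$1
  rev=$2
  git -C "$repo" verify-commit "$rev" >/dev/null 2>&1
}

# List (one hash per line, newest first) the commits in repo "$1" whose
# diff added or removed a ";; Version:" header line in file "$2".  These
# are the version-bump commits a signature policy would apply to.
version_bump_commits() {
  repo=$1
  file=$2
  git -C "$repo" log --format=%H -G '^;; Version:' -- "$file"
}

# Usage: sh verify-release.sh /path/to/checkout v1.2.3 foo.el
# Prints a verdict for the tag, then the version-bump commits with their
# commit-signature status.
if [ $# -eq 3 ]; then
  if verify_release_tag "$1" "$2"; then
    echo "tag $2: good signature"
  else
    echo "tag $2: NOT verified (lightweight, unsigned or untrusted)" >&2
  fi
  for rev in $(version_bump_commits "$1" "$3"); do
    if verify_release_commit "$1" "$rev"; then
      echo "$rev: signed"
    else
      echo "$rev: unsigned"
    fi
  done
fi
```

Both verify_* helpers only report success when git itself reports a good signature, so a missing gpg binary or an unknown key is treated the same as no signature; a release script would stop on a non-zero return rather than fall through to an unsigned build.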