From: Glenn Morris
Newsgroups: gmane.emacs.bugs
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Sat, 31 May 2014 13:42:27 -0400
To: Stefan Monnier
Cc: Eric Abrahamsen, 17625@debbugs.gnu.org

Thinking about it, I
don't see how this is supposed to work. People don't upload tarfiles to elpa.gnu.org. They check code into Savannah, then elpa.gnu.org automatically checks it out and makes tarfiles. So any signing could only happen on elpa.gnu.org, automatically. So if someone hacks elpa.gnu.org, they can hack the signing process too. So all signing does AFAICS is protect against a man-in-the-middle attack where someone impersonates elpa.gnu.org. Which the use of ssl certs should already protect against?