From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Stefan Monnier Newsgroups: gmane.emacs.bugs Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed Date: Mon, 29 Sep 2014 23:55:00 -0400 Message-ID: References: <87tx89ffax.fsf@pellet.i-did-not-set--mail-host-address--so-tickle-me> <2vvbsnrgpk.fsf@fencepost.gnu.org> <87mwczagnm.fsf@lifelogs.com> <87ionna453.fsf@lifelogs.com> <87egyb9ns6.fsf@lifelogs.com> <87fvfahrq5.fsf@lifelogs.com> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: ger.gmane.org 1412049458 6234 80.91.229.3 (30 Sep 2014 03:57:38 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Tue, 30 Sep 2014 03:57:38 +0000 (UTC) To: 17625@debbugs.gnu.org Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Tue Sep 30 05:57:31 2014 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1XYoZ8-0005ej-JQ for geb-bug-gnu-emacs@m.gmane.org; Tue, 30 Sep 2014 05:57:30 +0200 Original-Received: from localhost ([::1]:40448 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XYoZ8-0005nZ-Am for geb-bug-gnu-emacs@m.gmane.org; Mon, 29 Sep 2014 23:57:30 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:56996) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XYoYv-0005nK-Py for bug-gnu-emacs@gnu.org; Mon, 29 Sep 2014 23:57:27 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XYoYl-0003mr-VJ for bug-gnu-emacs@gnu.org; Mon, 29 Sep 2014 23:57:17 -0400 Original-Received: from debbugs.gnu.org ([140.186.70.43]:35919) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XYoYl-0003m3-T9 for bug-gnu-emacs@gnu.org; Mon, 29 Sep 2014 23:57:07 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80) (envelope-from ) id 1XYoYg-0003I5-Dt for bug-gnu-emacs@gnu.org; Mon, 29 Sep 2014 23:57:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Stefan Monnier Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Tue, 30 Sep 2014 03:57:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 17625 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security X-Debbugs-Original-To: bug-gnu-emacs@gnu.org Original-Received: via spool by submit@debbugs.gnu.org id=B.141204940412622 (code B ref -1); Tue, 30 Sep 2014 03:57:02 +0000 Original-Received: (at submit) by debbugs.gnu.org; 30 Sep 2014 03:56:44 +0000 Original-Received: from localhost ([127.0.0.1]:55716 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1XYoYN-0003HV-MD for submit@debbugs.gnu.org; Mon, 29 Sep 2014 23:56:44 -0400 Original-Received: from eggs.gnu.org ([208.118.235.92]:55023) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1XYoYL-0003HN-3Q for submit@debbugs.gnu.org; Mon, 29 Sep 2014 23:56:41 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XYoYB-0003WS-1Y for submit@debbugs.gnu.org; Mon, 29 Sep 2014 23:56:40 -0400 Original-Received: from lists.gnu.org ([2001:4830:134:3::11]:54805) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XYoYA-0003Ul-V7 for submit@debbugs.gnu.org; Mon, 29 Sep 2014 23:56:30 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:56683) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XYoXy-0005hL-FA for bug-gnu-emacs@gnu.org; Mon, 29 Sep 2014 23:56:25 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XYoXp-0003Rb-Fy for bug-gnu-emacs@gnu.org; Mon, 29 Sep 2014 23:56:18 -0400 Original-Received: from ironport2-out.teksavvy.com ([206.248.154.181]:32345) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XYoXp-0003RE-Cg for bug-gnu-emacs@gnu.org; Mon, 29 Sep 2014 23:56:09 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ArYGAIDvNVNFxKjo/2dsb2JhbABZgwaDSr0vgw6BFxd0giUBAQEBAgFWKAsLNBIUGA2IKAjSGRePARaEIgSpGYFqgXGBWyE X-IPAS-Result: ArYGAIDvNVNFxKjo/2dsb2JhbABZgwaDSr0vgw6BFxd0giUBAQEBAgFWKAsLNBIUGA2IKAjSGRePARaEIgSpGYFqgXGBWyE X-IronPort-AV: E=Sophos;i="4.97,753,1389762000"; d="scan'208";a="91255216" Original-Received: from 69-196-168-232.dsl.teksavvy.com (HELO ceviche.home) ([69.196.168.232]) by ironport2-out.teksavvy.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 29 Sep 2014 23:55:00 -0400 Original-Received: by ceviche.home (Postfix, from userid 20848) id 2D0DF66094; Mon, 29 Sep 2014 23:55:00 -0400 (EDT) In-Reply-To: <87fvfahrq5.fsf@lifelogs.com> (Ted Zlatanov's message of "Mon, 29 Sep 2014 20:33:38 -0400") User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux) X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 140.186.70.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.bugs:93896 Archived-At: > @c Uncomment this if it becomes true. > @ignore > The public key for the GNU package archive is distributed with Emacs, > in the @file{etc/package-keyring.gpg}. Emacs uses it automatically. > @end ignore > The ELPA maintainer public key .gpg file is needed. Right now I can't > find it so I can't actually verify any packages. Am I missing something? It's in the file described in the (commented out) doc you cited above. You are tracking emacs-24 to help us with the pretest, right? > Are there docs on the signing process? I don't see anything in the ELPA > repository under admin. No, indeed, it's not there, because the signing is done completely separately (to hopefully try and keep the private key a bit more private). But it's a really simple makefile that looks for *.tar, *.el, and archive-contents and runs "gpg --detach-sign $<" on them. > I also think that we should set `package-check-signature` aggressively > if we can verify a basic signature verification. For now my main concern is to make sure GNU ELPA can still be accessed by users of 24.4, and that they *can* check the signature if they so wish. > I am attaching a small patch to provide a "Verify" button in the package > description, so the user doesn't have to try install the package to find > out if it's signed. If you agree, I can commit it. I can't imagine why a user would want to check if a package is signed. All GNU ELPA packages are signed, and I hope that soon all ELPA packages will be signed. Stefan