From: Stefan Monnier via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Newsgroups: gmane.emacs.bugs
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Date: Mon, 09 Oct 2023 17:52:34 -0400
Reply-To: Stefan Monnier
To: Stefan Kangas
Cc: 66414@debbugs.gnu.org, philipk@posteo.net, yantar92@posteo.net
User-Agent: Gnus/5.13 (Gnus v5.13)
In-Reply-To: (Stefan Kangas's message of "Mon, 9 Oct 2023 07:15:47 +0000")
> I propose optionally releasing a new version of packages on
> NonGNU/GNU ELPA only if there is a valid PGP signature. We can't make
> it mandatory, at the very least not initially, because it would break
> too many existing workflows.

No objection on my side.

The first step would presumably be to change the synchronization scripts (the ones run by `elpasync` on `elpa.gnu.org`) so as to propagate upstream tags to `elpa.git`. The (Non)GNU ELPA tarballs are built from `elpa.git` and `nongnu.git`, not from the upstream repositories, and currently those do not contain upstream tags. And since those repos contain many packages, the upstream tags need to be renamed or moved to a different namespace to avoid conflicts between tag names in different packages.

After that, we need to add the feature to be able to build releases from tags rather than from "the commit where `Version:` was changed".

And after that, we can add a feature that checks that the tags are signed (and that the signature is valid and made by the appropriate persons/keys).

        Stefan
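The steps Stefan sketches (importing upstream tags into a per-package namespace, then accepting a release tag only when its signature is valid and made by an appropriate key), as an added shell example that is not part of this thread or of the elpasync scripts. The refs/tags/<pkg>/<tag> layout, the per-package fingerprint allowlist, the function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not the elpasync scripts). The refs/tags/<pkg>/<tag> layout
# and the allowlist-of-fingerprints format are assumptions for illustration.

# Upstream refs/tags/v1.0 becomes refs/tags/<pkg>/v1.0 in the monorepo, so
# identical tag names in different packages cannot collide. --no-tags stops
# git from also copying the tags into the shared refs/tags/* namespace.
import_upstream_tags() {
  pkg=$1; url=$2
  git fetch --no-tags "$url" "+refs/tags/*:refs/tags/$pkg/*"
}

# $1: allowed full fingerprints (hex, as gpg prints them), whitespace separated.
# $2: gpg status lines as printed by `git verify-tag --raw`.
# Succeeds only if a VALIDSIG line names an allowed fingerprint and no
# BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG line was seen. GOODSIG on its own
# is not enough: it carries just the long key id, not the full fingerprint.
signature_is_acceptable() {
  allowed=" $(printf '%s ' $1)"; status=$2; ok=1; bad=0
  while read -r prefix kw rest; do
    [ "$prefix" = "[GNUPG:]" ] || continue
    case $kw in
      BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
      VALIDSIG)
        fpr=${rest%% *}                   # first field is the fingerprint
        case $allowed in *" $fpr "*) ok=0 ;; esac ;;
    esac
  done <<EOF
$status
EOF
  [ "$bad" -eq 0 ] && [ "$ok" -eq 0 ]
}

# $1: package, $2: upstream tag name, $3: allowed fingerprints for $1.
verify_release_tag() {
  # --raw puts gpg's machine-readable status on stderr; an unsigned tag or a
  # gpg failure makes verify-tag exit nonzero, which is a rejection too.
  status=$(git verify-tag --raw "refs/tags/$1/$2" 2>&1 >/dev/null) || return 1
  signature_is_acceptable "$3" "$status"
}

# CLI: `sh elpa-tag-check.sh import <pkg> <url>` or
#      `sh elpa-tag-check.sh verify <pkg> <tag> "<fpr> <fpr> ..."`
case ${1-} in
  import) import_upstream_tags "$2" "$3" ;;
  verify) verify_release_tag "$2" "$3" "$4" ;;
esac
```

Note that a valid signature from a key that is merely present in the keyring still fails the check; the allowlist, not gpg's trust model, decides who may release a given package.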