From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Stefan Monnier Newsgroups: gmane.emacs.bugs Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed Date: Sat, 31 May 2014 20:58:13 -0400 Message-ID: References: <87tx89ffax.fsf@pellet.i-did-not-set--mail-host-address--so-tickle-me> <2vvbsnrgpk.fsf@fencepost.gnu.org> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: ger.gmane.org 1401584366 20874 80.91.229.3 (1 Jun 2014 00:59:26 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Sun, 1 Jun 2014 00:59:26 +0000 (UTC) Cc: Eric Abrahamsen , 17625@debbugs.gnu.org To: Glenn Morris Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Sun Jun 01 02:59:20 2014 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1Wqu7J-0006G1-Pg for geb-bug-gnu-emacs@m.gmane.org; Sun, 01 Jun 2014 02:59:17 +0200 Original-Received: from localhost ([::1]:33402 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Wqu7J-0001rA-29 for geb-bug-gnu-emacs@m.gmane.org; Sat, 31 May 2014 20:59:17 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:33293) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Wqu7A-0001pN-NN for bug-gnu-emacs@gnu.org; Sat, 31 May 2014 20:59:14 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Wqu74-0001VK-Qm for bug-gnu-emacs@gnu.org; Sat, 31 May 2014 20:59:08 -0400 Original-Received: from debbugs.gnu.org ([140.186.70.43]:40374) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Wqu74-0001VF-NZ for bug-gnu-emacs@gnu.org; Sat, 31 May 2014 20:59:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80) (envelope-from ) id 1Wqu73-00022f-VU for bug-gnu-emacs@gnu.org; Sat, 31 May 2014 20:59:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Stefan Monnier Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Sun, 01 Jun 2014 00:59:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 17625 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: Original-Received: via spool by 17625-submit@debbugs.gnu.org id=B17625.14015843047785 (code B ref 17625); Sun, 01 Jun 2014 00:59:01 +0000 Original-Received: (at 17625) by debbugs.gnu.org; 1 Jun 2014 00:58:24 +0000 Original-Received: from localhost ([127.0.0.1]:39251 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Wqu6R-00021U-Qv for submit@debbugs.gnu.org; Sat, 31 May 2014 20:58:24 -0400 Original-Received: from ironport2-out.teksavvy.com ([206.248.154.181]:30317) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Wqu6O-000218-6x for 17625@debbugs.gnu.org; Sat, 31 May 2014 20:58:20 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ArYGAIDvNVPO+IOj/2dsb2JhbABZgwY7gw/APYEXF3SCJQEBAQECAVYjBQsLDiYSFBgNJIgECNIZF456B4Q4AQOaAYs7g12BaoFxgVsh X-IPAS-Result: ArYGAIDvNVPO+IOj/2dsb2JhbABZgwY7gw/APYEXF3SCJQEBAQECAVYjBQsLDiYSFBgNJIgECNIZF456B4Q4AQOaAYs7g12BaoFxgVsh X-IronPort-AV: E=Sophos;i="4.97,753,1389762000"; d="scan'208";a="65207075" Original-Received: from 206-248-131-163.dsl.teksavvy.com (HELO fmsmemgm.homelinux.net) ([206.248.131.163]) by ironport2-out.teksavvy.com with ESMTP/TLS/ADH-AES256-SHA; 31 May 2014 20:58:13 -0400 Original-Received: by fmsmemgm.homelinux.net (Postfix, from userid 20848) id B6CCFAE6C3; Sat, 31 May 2014 20:58:13 -0400 (EDT) In-Reply-To: (Glenn Morris's message of "Sat, 31 May 2014 17:28:16 -0400") User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 140.186.70.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.bugs:89832 Archived-At: >> AFAIK we currently use http://elpa.gnu.org/packages/, so no SSL >> involved. > Right. Will it Just Work to change that to https? That would make libgnutls indispensable, and would also require us getting the cert-verification working correctly. Nothing significantly more troublesome than requiring users to have GPG installed and have the ELPA key in the keyring. And of course we'd need to make sure the "fallback to no checking" works when gnutls/gpg is not available. >> I don't enough about SSL certs to be sure whether it would provide >> comparable guarantees to signed packages. > I think SSL would verify that you are talking to the server that you > thought you were talking too, Right. > and that no-one had injected anything in between you and it. Presumably, yes. > Which is all that gpg-signed packages would do, if the machine that > hosts the packages also does the signing (AFAICS). Of course, there are also hypothetical situations, such as someone setting up a mirror. Stefan