From mboxrd@z Thu Jan 1 00:00:00 1970
From: Glenn Morris
Newsgroups: gmane.emacs.bugs
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Mon, 23 Jun 2014 14:12:49 -0400
References: <87tx89ffax.fsf@pellet.i-did-not-set--mail-host-address--so-tickle-me> <2vvbsnrgpk.fsf@fencepost.gnu.org>
To: Stefan Monnier
Cc: 17625@debbugs.gnu.org
In-Reply-To: (Glenn Morris's message of "Mon, 23 Jun 2014 12:01:14 -0400")

PS I won't pretend to know what I am talking about here, but I worry that the combination of automated package signing and automated key installation will make this package-signing feature not worth very much in practice. E.g. if clients automatically (even with prompting) install public keys from the package server the first time they connect, then this leaves zero protection against a man-in-the-middle attack. I connect to something that says it is elpa.gnu.org and install the key it offers. I have no way to know if it really is elpa.gnu.org.

(With elpa.gnu.org we should distribute the public key in the Emacs etc/ directory.)
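
The concern in the message above, modelled as a small simulation. This is an added example, not part of the original message and not code from Emacs or package.el. `Archive`, `install` and `demo` are hypothetical names, the payloads are constructed, and a Lamport one-time signature built from SHA-256 stands in for the archive's real signature scheme so that the example needs only the standard library.

```python
import hashlib
import os

def h(data):
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk

def bits(msg):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit. Each key signs one message only.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return all(h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

class Archive:
    """What a client sees on one connection: an offered key and a signed package."""
    def __init__(self, payload):
        sk, self.pk = keygen()
        self.payload = payload
        self.sig = sign(sk, payload)

def install(archive, pinned_pk=None):
    """Return the payload if its signature is accepted, else None.
    pinned_pk=None models automatic key installation: the verification key
    is taken from the same connection that delivers the package."""
    pk = archive.pk if pinned_pk is None else pinned_pk
    return archive.payload if verify(pk, archive.payload, archive.sig) else None

def demo():
    genuine = Archive(b"(provide 'foo)")             # constructed sample package
    impostor = Archive(b"(provide 'foo) ; altered")  # answers in the archive's name, own key
    shipped_pk = genuine.pk  # assumption: this key arrived with the editor, out of band
    return {
        "auto_key_genuine": install(genuine) is not None,
        "auto_key_impostor": install(impostor) is not None,
        "shipped_key_genuine": install(genuine, shipped_pk) is not None,
        "shipped_key_impostor": install(impostor, shipped_pk) is not None,
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(case, "accepted" if accepted else "rejected")
```

With the key taken from the connection, both archives verify, so the signature check cannot tell them apart; only the key delivered separately from the connection rejects the impostor.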