From: Jean Louis
Newsgroups: gmane.emacs.devel
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Mon, 19 Oct 2020 19:38:27 +0300
Message-ID: <20201019163827.GG19325@protected.rcdrun.com>
References: <20201013052736.GE31408@protected.rcdrun.com> <20201016130235.06218dae@argon> <87eelvplvh.fsf@posteo.net> <10bdf4ea-e365-cc3d-ec03-4348946fadbe@yandex.ru> <20201019124335.GC19325@protected.rcdrun.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
To: Stefan Kangas
Cc: "Philip K.", rms@gnu.org, thibaut.verron@gmail.com, mve1@runbox.com, emacs-devel@gnu.org, Dmitry Gutov

* Stefan Kangas [2020-10-19 18:55]:
> We have signing of packages on the package archive side that is verified
> by default when it exists. See `package-check-signature'. (If I'm not
> mistaken, GNU ELPA signs packages but MELPA doesn't. Please correct me
> if I'm wrong.)

Now I know about that. It was `allow-unsigned' by default; correct me if I'm mistaken.

The more packages there are around, the more this becomes a potential problem. It is a security hole, as warnings about potential problems are too few.

Now that I have turned it on, I cannot see or feel that some package was verified. I tried installing from ELPA, but did not see any difference, and cannot find any .sig files. It would be good for the user to get those verifications, as verification should be doable personally.

Package signing is not ultimate security; it is just one level making packages more secure.

> Note that package signatures still leave us open to replay attacks.
> See Bug#19479 and the branch scratch/package-security for an attempt to
> improve the situation.
>
> I think it would be useful if package archives could implement a
> requirement for signed commits before building a new package. This
> could be optional or mandatory, and would buy us an additional layer of
> protection against compromised developer credentials.

I have seen there an apparently good recommendation for improving package security. But we do not have it.
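An added example, not part of the message above and not Emacs's own code, showing the two things the thread touches on from the user's side: switching `package-check-signature' from the permissive `allow-unsigned' to `all', and then actually seeing which installed packages package.el verified, which is the visibility the message says is missing. It relies on the real package.el variables `package-check-signature', `package-unsigned-archives' and `package-gnupghome-dir' and the `package-desc-signed' slot of installed package descriptors (Emacs 24.4 or later); the two `my-' functions are names chosen here.

```elisp
;; Added example, not from the original message or from package.el itself.
;; Assumes a stock Emacs (24.4+) with package.el; only the `my-' names are new.
(require 'package)

(defun my-package-require-signatures ()
  "Refuse unsigned packages from every configured archive.
With the default `allow-unsigned' a package whose archive serves no
.sig file is installed silently; `all' turns a missing or bad signature
into an error.  Returns the keyring directory verification uses."
  (setq package-check-signature 'all)
  ;; Archives listed here are exempt from the check, so leave none exempt.
  (setq package-unsigned-archives nil)
  package-gnupghome-dir)

(defun my-package-signature-report ()
  "Return an alist (NAME . SIGNED) for every installed package.
SIGNED is non-nil only when package.el verified the archive's signature
when it installed the package (it records this in a NAME-VERSION.signed
file next to the package).  Packages installed before checking was
enabled, or from an archive that serves no .sig files, report nil."
  (mapcar (lambda (entry)
            ;; `package-alist' entries look like (NAME PKG-DESC ...).
            (let ((desc (cadr entry)))
              (cons (package-desc-name desc)
                    (package-desc-signed desc))))
          package-alist))

(defun my-package-unsigned-installed ()
  "Return the names of installed packages that were never verified."
  (mapcar #'car
          (seq-remove #'cdr (my-package-signature-report))))

;; Usage: evaluate (my-package-require-signatures) before `package-install',
;; then (my-package-unsigned-installed) to list what slipped in unverified.
```

The report only reflects what package.el recorded at install time, so packages installed while `allow-unsigned' was in effect keep showing as unverified until they are reinstalled under the stricter setting.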