From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Tue, 08 Jan 2013 16:30:52 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <871udvcqgj.fsf@lifelogs.com>
To: emacs-devel@gnu.org

On Tue, 08 Jan 2013 15:50:42 -0500 Stefan Monnier wrote:

>> 1) sign `archive-contents' in the cron job when it's generated into
>> `archive-contents.gpgsig' with the GNU ELPA maintainer key.

SM> Not sure this needs to be signed.  But if you want to do it, that's fine.

I guess there's no need, so OK, no signing of `archive-contents'.

>> 3.1) If GPG is not available and the ELPA archive is to be verified, we
>> prompt the user to override it once or abort.  They won't be allowed to
>> override it permanently from the prompt--they have to `M-x
>> customize-variable' to do it.  The prompt will be scary.

SM> I don't see a strong need to be scary here.  Just ask the user something
SM> like "Can't verify package signature; continue? (y/n)".

OK.

>> 5) The GNU ELPA maintainer key will be shipped with the Emacs package.el.

>> Does all of that sound good?

SM> I do wonder about key management, tho: the GNU ELPA key (note: not
SM> "maintainer" because the key does not belong to any human being)
SM> will not last for ever.

I thought the maintainers would have their own keys, and they would sign a
GNU ELPA "signing subkey" that's only used for releasing.

SM> We don't have to figure out all the details now, but it would be
SM> good to make sure that when the key needs to be replaced, we can do
SM> so without too much trouble.

Debian has good docs on this:

http://www.debian-administration.org/article/450/Generating_a_revocation_certificate_with_gpg
http://www.debian-administration.org/article/451/Submitting_your_GPG_key_to_a_keyserver
http://www.debian-administration.org/article/452/Using_gnupg-agent_to_securely_retain_keys

...and the GPG handbook talks about these topics as well:

http://www.gnupg.org/gph/en/manual.html#AEN385
http://www.gnupg.org/gph/en/manual.html#AEN464
http://www.gnupg.org/gph/en/manual.html#AEN526

Take a look.  I think a signing subkey will work, but will let you judge.

If you think this is workable, I'll start on the code and put together a POC.

Ted
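An added example, not package.el's own code and not from this thread, of the verification flow agreed above (step 3.1 plus the softer prompt): it assumes detached signatures named FILE.gpgsig, a GnuPG home directory `elpa-demo-gnupghome' holding the GNU ELPA key, and uses a hypothetical `elpa-demo-' prefix for every name.

```elisp
;; Added example (not package.el's own code): the verification flow from step
;; 3.1 of the thread.  Names with the `elpa-demo-' prefix are hypothetical.
(defvar elpa-demo-gnupghome
  (expand-file-name "elpa-keys" user-emacs-directory)
  "GnuPG home directory holding the GNU ELPA key (assumed location).")

(defcustom elpa-demo-require-signatures t
  "Non-nil means downloaded archive files must carry a valid signature.
Set it to nil with `M-x customize-variable' to turn checking off for good;
the interactive prompt below only skips the check for a single download."
  :type 'boolean
  :group 'package)

(defun elpa-demo-gpg-verify (file)
  "Return non-nil if FILE.gpgsig is a good detached signature over FILE.
gpg's output is collected in a temporary buffer so a failure can be logged."
  (let ((sig (concat file ".gpgsig")))
    (and (file-exists-p sig)
         (with-temp-buffer
           (let ((status (call-process "gpg" nil t nil
                                       "--homedir" elpa-demo-gnupghome
                                       "--batch" "--verify" sig file)))
             ;; `call-process' returns an integer exit code, or a string
             ;; when gpg was killed by a signal; only exit code 0 is a pass.
             (if (eql status 0)
                 t
               (message "gpg verification of %s failed:\n%s"
                        file (buffer-string))
               nil))))))

(defun elpa-demo-verify-file (file)
  "Verify FILE as agreed in the thread: skip if checking is off, prompt once
when gpg is missing, otherwise require a good signature.  Return t when the
file may be used; signal an error when the download must be aborted."
  (cond
   ((not elpa-demo-require-signatures) t)
   ((not (executable-find "gpg"))
    ;; No gpg: a one-time override from the prompt, never a permanent one.
    (if (y-or-n-p "Can't verify package signature; continue? ")
        t
      (error "Aborted: cannot verify signature for %s" file)))
   ((elpa-demo-gpg-verify file) t)
   (t (error "Signature check failed for %s" file))))
```

A missing `.gpgsig' file is treated the same as a bad signature, so an attacker who can strip the signature from a download does not get a silent pass.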