From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Ted Zlatanov Newsgroups: gmane.emacs.devel Subject: Re: ELPA security Date: Mon, 31 Dec 2012 17:19:23 -0500 Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos Message-ID: <8738yl27bo.fsf@lifelogs.com> References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com> <87623i5tld.fsf@lifelogs.com> <87ehi6j943.fsf@fleche.redhat.com> <34F1279605B9404B9406960CDCF554FC@us.oracle.com> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: ger.gmane.org 1356992371 7503 80.91.229.3 (31 Dec 2012 22:19:31 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Mon, 31 Dec 2012 22:19:31 +0000 (UTC) Cc: 'Tom Tromey' , emacs-devel@gnu.org To: "Drew Adams" Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Dec 31 23:19:47 2012 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1Tpnhx-0003rT-4W for ged-emacs-devel@m.gmane.org; Mon, 31 Dec 2012 23:19:45 +0100 Original-Received: from localhost ([::1]:55070 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Tpnhi-0006Wy-5c for ged-emacs-devel@m.gmane.org; Mon, 31 Dec 2012 17:19:30 -0500 Original-Received: from eggs.gnu.org ([208.118.235.92]:46017) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Tpnhf-0006Wi-IX for emacs-devel@gnu.org; Mon, 31 Dec 2012 17:19:28 -0500 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Tpnhd-0002QF-4J for emacs-devel@gnu.org; Mon, 31 Dec 2012 17:19:27 -0500 Original-Received: from z.lifelogs.com ([173.255.230.239]:41293) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Tpnhd-0002QA-12 for emacs-devel@gnu.org; Mon, 31 Dec 2012 17:19:25 -0500 Original-Received: from heechee (c-65-96-148-157.hsd1.ma.comcast.net [65.96.148.157]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: tzz) by z.lifelogs.com (Postfix) with ESMTPSA id D793DDE0A1; Mon, 31 Dec 2012 22:19:23 +0000 (UTC) X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" Mail-Copies-To: never Gmane-Reply-To-List: yes In-Reply-To: <34F1279605B9404B9406960CDCF554FC@us.oracle.com> (Drew Adams's message of "Mon, 31 Dec 2012 11:57:58 -0800") User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 173.255.230.239 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:156048 Archived-At: On Mon, 31 Dec 2012 11:57:58 -0800 "Drew Adams" wrote: Ted> add DVCS support to package.el, supporting Git and Ted> Bazaar, with the notion of "pull packages from repo X Ted> at tag/commit Y" in addition to the current "pull packages Ted> from URLs". The VC package has to be involved Ted> here, instead of writing custom code. >> >> What is the reason for this? >> >> FWIW, I considered and rejected this approach when writing package.el. >> My reason was that I wanted packaging not to require any >> external tools, so it would be available to all Emacs users. >> Also, KISS. >> >> Mixing in VC seems to add a lot of potential failure modes. DA> If Emacs Dev really wants to do this, why not separate it from package.el and DA> make its use optional? The intent is to have securely authenticated packagess from the GNU ELPA by default. Making the mechanism optional would defeat that plan. But it should be easy to override and put in "warn-only" or "I don't care" modes, I think. Ted