From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Sun, 29 Sep 2013 14:18:36 -0400
Message-ID: <874n93ze2r.fsf@flea.lifelogs.com>
References: <523FEE1B.9020408@binary-island.eu> <87y56gymvz.fsf@flea.lifelogs.com>
To: emacs-devel@gnu.org

On Sun, 29 Sep 2013 13:49:36 -0400 Daiki Ueno wrote:

DU> Ted Zlatanov writes:
>> On Mon, 23 Sep 2013 10:17:33 -0400 Stefan Monnier
SM> The current state, AFAIK is that we decided that ELPA servers should
SM> put *.gpg signatures alongside their tarballs and other files, signed
SM> with an "archive" key.  This signature can be used to check that the
SM> package you get indeed comes from that archive.
>>
SM> In terms of code, it's not implemented yet, AFAIK (IIRC Ted is working
SM> on it).
>>
>> VERY slowly.  I tried to get back to it, only to find out (see other
>> thread under subject "bad epg.el+GPG2 behavior: unavoidable passphrase
>> pinentry prompt") that GPG2 is practically unusable.  Frustrating.

DU> I don't see much relation between this and what Stefan is talking above.
DU> For signature verification, passphrase prompt shouldn't be used, since
DU> it does not require any secret key operation.

Right.  I didn't mean that GPG2 is blocking the package signing work
specifically.  But if, for any reason, GPG2 decides to pop up passphrase
prompts, it will make package.el unusable *and it can't be disabled*.
So this is a concern IMO, even if we assume it will not require
passphrases, because it could make the user experience painful outside
of our control.

This is what annoys me about GPG1 or 2, that it's an application and not
a library.  At least GPG1 could be consistently driven in batch mode.

DU> For signing with an "archive" key, do you really want to do that with
DU> Emacs, instead of other handy scripting languages?

Naturally.

>> As I've mentioned in the past, I dislike relying on an external binary
>> like GPG to do encryption so this is pushing me again towards a more
>> built-in Lispy way to do signing of packages.  Opinions welcome,
>> especially if you can think of a way that Emacs can sign files in a
>> similar way to GPG keys in Lisp.

DU> I remember that you asked this in the past, and I answered that it might
DU> make some sense as long as the code produces a signature in a
DU> standardized format as GPG does.  You then responded that you didn't
DU> have enough knowledge to implement it.

DU> I don't think it is a constructive attitude to repeat the same argument
DU> without any outcomes and even omitting the background.

Let's just say I'll implement the OpenPGP protocol emulation as in
http://tools.ietf.org/html/rfc4880 when I get to it, and anyone else
that thinks it's worthwhile can work with me or do it themselves.  I
hope you consider that constructive.

Ted
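
The archive-key check discussed in this message, as an added example that is not part of the thread and is not package.el code: gpg is driven in batch mode against a keyring holding only the archive's public key, and a package is accepted only on a VALIDSIG status line from a pinned fingerprint. The fingerprint, key id, function names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; fingerprint, key id and sample status lines are constructed.
ARCHIVE_FPR="0123456789ABCDEF0123456789ABCDEF01234567"  # pinned archive key

# Read `gpg --status-fd` lines on stdin. Succeed only when a VALIDSIG names
# the pinned key (as signing key, or as primary key in the last field) and no
# line reports a bad, unverifiable, expired or revoked signature.
status_accepts() {
    pinned=$1 ok=1
    while read -r tag kw fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) return 1 ;;
            VALIDSIG)
                if [ "$fpr" = "$pinned" ] || [ "${rest##* }" = "$pinned" ]; then
                    ok=0
                fi ;;
        esac
    done
    return "$ok"
}

# Verify a detached signature non-interactively. Only the public key is
# needed, so no secret-key operation (and no passphrase) is involved.
# $1 = keyring directory with only the archive key, $2 = signature, $3 = file
verify_package() {
    gpg --homedir "$1" --batch --no-tty --status-fd 1 \
        --verify "$2" "$3" 2>/dev/null | status_accepts "$ARCHIVE_FPR"
}

# Constructed status output: good signature made by the pinned key.
sample_good() {
    printf '%s\n' "[GNUPG:] NEWSIG" \
      "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Archive (constructed)" \
      "[GNUPG:] VALIDSIG $ARCHIVE_FPR 2013-09-29 1380478716 0 4 0 1 8 00 $ARCHIVE_FPR"
}

# Constructed status output: signature checks out, but the key has expired.
sample_expired() {
    printf '%s\n' \
      "[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Archive (constructed)" \
      "[GNUPG:] VALIDSIG $ARCHIVE_FPR 2013-09-29 1380478716 0 4 0 1 8 00 $ARCHIVE_FPR"
}

if [ "$#" -eq 3 ]; then verify_package "$1" "$2" "$3"; fi
```

Deciding on the status lines rather than on gpg's exit code or GOODSIG alone ties acceptance to the full fingerprint of the archive key instead of to whatever keys happen to be in the keyring.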