From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Sun, 06 Jan 2013 14:12:27 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <874nium8h0.fsf@lifelogs.com>
References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com> <87k3rrr31g.fsf@Rainer.invalid>
To: emacs-devel@gnu.org
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)

On Sat, 05 Jan 2013 17:46:19 +0100 Achim Gratz wrote:

AG> Ted Zlatanov writes:
>> SSL can easily be compromised and may not be available on all
>> platforms.

AG> So there are at least three checks to make: check the metadata
AG> before the download, then the downloaded archive itself and then
AG> again that the stuff unpacked from that archive matches the
AG> distribution. Lastly, maybe a fourth check that after compiling the
AG> package no extra or missing files are recorded.

AG> This can be done via checksumming and comparison with a manifest, which
AG> in turn needs to be signed.
I think it's easier to simply require that every file have its own .sig
and avoid the verification chain from manifest to archive contents. Then
we rely on GPG to handle signing and verification for us, no matter who
actually generates the .sig files (as long as their signing key is
trusted by us). I don't think checksums have any advantage there, but
maybe you see some?

I think the GNU ELPA maintainers should sign everything, but that's
debatable and not essential to the proposal.

AG> Since installing a package produces additional files, they should
AG> probably be listed in the manifest (without checksum) to ensure that
AG> no malicious files are planted upon installation.

I don't know if that's needed, but have no problem with it as a feature.

AG> That moves all the authenticity issues to the signatures or rather the
AG> trust you have in the keys used to produce them.

Yes, that's exactly what I'm trying to accomplish, instead of relying on
SSL/TLS or other transport-level solutions.

AG> Emacs would need to be deployed so that it knows its own signing key
AG> as well as the (preferably separate) key for ELPA. I don't think
AG> that it should implicitly trust them, though, so the user should
AG> explicitly consent to trusting the key (either temporarily or
AG> permanently).

I think `package-list' has to work without prompts or configuration.
You should have to specifically exclude the GNU ELPA maintainers' keys
from your default (`emacs -q') configuration in order not to trust them.

Ted
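Added illustration (not code from the thread or from package.el) of the manifest-based chain Achim describes: a signed manifest of per-file checksums is checked first, then every unpacked file is compared against it, and extra or missing files are reported. The package contents are constructed in memory, and an HMAC stands in for the GPG detached signature so the block runs offline; with a real key the signature step would be `gpg --verify` over the manifest.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample package and signing key (stand-in for a GPG key).
FILES = {"foo.el": b"(provide 'foo)\n",
         "foo-pkg.el": b"(define-package \"foo\" \"1.0\")\n"}
KEY = b"constructed-signing-key"


def build_archive(files):
    """Pack name->bytes into an uncompressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_manifest(files):
    """One 'name sha256' line per file, sorted so the manifest is canonical."""
    return "\n".join(f"{n} {hashlib.sha256(d).hexdigest()}"
                     for n, d in sorted(files.items())).encode()


def sign(manifest, key):
    # HMAC-SHA256 stands in for a detached GPG signature on the manifest.
    return hmac.new(key, manifest, "sha256").digest()


def verify_package(archive, manifest, sig, key):
    """Return a sorted list of problems; an empty list means the package checks out."""
    if not hmac.compare_digest(sign(manifest, key), sig):
        return ["manifest signature invalid"]  # nothing below can be trusted
    expected = dict(line.split() for line in manifest.decode().splitlines())
    seen = {}
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar.getmembers():
            if m.isfile():
                seen[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    problems = [f"missing: {n}" for n in expected.keys() - seen.keys()]
    problems += [f"extra: {n}" for n in seen.keys() - expected.keys()]
    problems += [f"modified: {n}" for n in expected.keys() & seen.keys()
                 if expected[n] != seen[n]]
    return sorted(problems)
```

Note that the manifest format assumes file names without spaces; a real implementation would need a delimiter-safe encoding.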