From: "Stephen J. Turnbull"
Newsgroups: gmane.emacs.devel
Subject: Re: package.el + DVCS for security and convenience
Date: Tue, 25 Dec 2012 10:03:28 +0900
Message-ID: <874njbuen3.fsf@uwakimon.sk.tsukuba.ac.jp>
To: emacs-devel@gnu.org
In-Reply-To: <87k3s78hsc.fsf@lifelogs.com>

Ted Zlatanov writes:

 > The problem then is how to verify GPG signatures, especially if GnuPG is
 > not installed. OTOH verifying signed tags in Git and signed commits in
 > Bazaar is part of the base packages, so it requires no more than having
 > them installed.

Regarding the social side, sure, Windows users and perhaps proprietary *nix users are less likely to have GPG or (oh, the horrors) PGP installed, but it's not like they're unavailable. Even for Mac OS X (Hurray! er, I mean "Hiss, boo!"), GPG2 is available in all the popular add-on distributions. People who for reasons of corporate policy can't install those tools themselves aren't going to have free access to ELPA, either (and anyway their security bureaucracy has taken that responsibility on itself).
People who won't install GPG won't use the feature anyway (by which I mean, they will ignore security warnings which are often false alarms, disable them entirely on the third false alarm, won't go to the effort of getting updated public keys for when they're offline, etc.), and if key distribution is implemented automatically they're at great risk from man-in-the-middle and phishing-type attacks.

The GPG documentation is full of warnings about doing it yourself, and recommends using the GUI or the command-line interface. ISTR at one time they didn't even provide libraries (do they now?) for that reason. I'm sure we've all seen some of the horror stories of what sometimes happens to competent programmers who implement the protocols themselves on RISKS (not to mention really terrifying stories like "The 16,384 Keys of Debian").

Remember, as soon as Emacs distributes something, hordes of users are potential users of the feature. That may make it an attractive target for an attack. Anything built in to Emacs needs to be *strong*. Is it worth that much effort? Why not just start with the relatively easy optional verification of signed files based on an installed OpenPGP tool, and add pluggable verification modules as people have interest?

 > I still think public-key cryptography and asymmetric ciphers are the
 > answer here,

I'm pretty sure the people who *really* know what they're doing[1] will agree with you.

 > but I don't know how much we want to depend on external tools or
 > libraries for package installations, and how willing we are to make
 > installations insecure if those tools or libraries are not
 > available. So I need the maintainers' wise opinion :)

"Only YOU can prevent forest fires" -- Smokey the Bear

But they happen *unnecessarily* anyway, because people ignore the simple rules posted at every campground and entrance to wilderness areas.

FWIW, I recommend providing security features as suggested above for those who *want* them, at first. Provide reasonably secure automation, and enable it by default. If disabled, encourage reenabling, perhaps by changing the control variable name every release ;-).

Footnotes:
[1] On the Internet, nobody knows that you're Bruce Schneier. But I'm not. :-)
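The "verify signed files with an installed OpenPGP tool" approach the message argues for, written out as an added example (this is illustrative code, not package.el's own implementation). It shells out to gpg rather than reimplementing OpenPGP, decides from gpg's machine-readable `--status-fd` lines rather than the human-readable text, and fails closed when gpg is missing unless the user has explicitly opted out. Assumed: a package archive with a detached `.sig`, a keyring file of trusted packaging keys supplied by the caller, and `gpg`/`gpg2` on PATH; the status-line samples are constructed, not captured from a real run.

```python
"""Package signature check via an installed gpg (added illustration, not
package.el's code).  Assumes archive + detached signature, a caller-supplied
keyring of trusted packaging keys, and gpg or gpg2 on PATH."""
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple

# Status keywords (from gpg's doc/DETAILS) that force rejection even if some
# other line looks positive.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                   "NO_PUBKEY", "NODATA", "UNEXPECTED", "FAILURE"}


@dataclass
class VerifyResult:
    ok: bool
    fingerprint: Optional[str]
    reason: str


def parse_gpg_status(status_text: str) -> VerifyResult:
    """Decide only from '[GNUPG:] ...' lines; localized human text is ignored.
    Good means a VALIDSIG/GOODSIG line and no rejecting keyword at all."""
    good, fingerprint, rejects = False, None, []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "VALIDSIG" and len(fields) > 1:
            good, fingerprint = True, fields[1]   # full fingerprint, not a short key id
        elif keyword == "GOODSIG":
            good = True
        elif keyword in REJECT_KEYWORDS:
            rejects.append(keyword)
    if rejects:
        return VerifyResult(False, fingerprint, "gpg reported " + ", ".join(rejects))
    if not good:
        return VerifyResult(False, None, "no GOODSIG/VALIDSIG line in gpg status output")
    return VerifyResult(True, fingerprint, "good signature")


def find_gpg(explicit: Optional[str] = None) -> Optional[str]:
    """Locate an OpenPGP tool; None means the feature cannot work on this host."""
    if explicit:
        return shutil.which(explicit)
    return shutil.which("gpg2") or shutil.which("gpg")


def verify_package(archive: str, signature: str, keyring: str,
                   gpg: Optional[str] = None) -> VerifyResult:
    """Verify against a dedicated keyring.  --trust-model always makes
    membership in that keyring the trust decision (no web of trust needed)."""
    tool = find_gpg(gpg)
    if tool is None:
        return VerifyResult(False, None, "no gpg binary available")
    cmd = [tool, "--batch", "--no-tty", "--no-default-keyring", "--keyring", keyring,
           "--trust-model", "always", "--status-fd", "1", "--verify", signature, archive]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_gpg_status(proc.stdout)


def install_allowed(result: VerifyResult, allow_unverified: bool = False) -> Tuple[bool, str]:
    """Policy: install only on a good signature.  An explicit user opt-out may
    bypass a *missing* tool, never a bad or unknown-key signature."""
    if result.ok:
        return True, f"verified, signed by {result.fingerprint}"
    if allow_unverified and result.reason == "no gpg binary available":
        return True, "WARNING: installing unverified (gpg missing, user opted out)"
    return False, f"refusing to install: {result.reason}"


# Constructed sample status output (not from a real gpg run).
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_STATUS = ("[GNUPG:] NEWSIG\n"
               "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.org>\n"
               f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2012-12-25 1356397408 0 4 0 1 10 01 {SAMPLE_FPR}\n")
BAD_STATUS = ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] BADSIG 89ABCDEF01234567 Example Packager <packager@example.org>\n")
NOKEY_STATUS = ("[GNUPG:] NEWSIG\n"
                "[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 01 1356397408 9\n"
                "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n")
# Human-readable text only: grepping for "Good signature" would wrongly pass this.
TEXT_ONLY = 'gpg: Good signature from "Example Packager <packager@example.org>"\n'

if __name__ == "__main__":
    for name, sample in [("good", GOOD_STATUS), ("bad", BAD_STATUS),
                         ("nokey", NOKEY_STATUS), ("text", TEXT_ONLY)]:
        print(name, install_allowed(parse_gpg_status(sample)))
    print("missing tool", install_allowed(verify_package("pkg.tar", "pkg.tar.sig",
                                                          "keyring.gpg", gpg="/nonexistent/gpg")))
```

The two design choices worth noting are the dedicated keyring with `--trust-model always`, so the user never has to build a web of trust for packaging keys, and the policy split between "tool missing" (a deployment problem a user may knowingly accept) and "bad signature" or "unknown key" (an attack indicator that no switch should override).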