From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Tue, 12 Mar 2013 14:29:37 -0400
Message-ID: <87620wpj3i.fsf@lifelogs.com>
To: emacs-devel@gnu.org

On Tue, 08 Jan 2013 18:30:50 -0500 Ted Zlatanov wrote:

TZ> On Tue, 08 Jan 2013 17:46:51 -0500 Stefan Monnier wrote:

SM> I do wonder about key management, tho: the GNU ELPA key (note: not
SM> "maintainer" because the key does not belong to any human being)
SM> will not last for ever.

>>> I thought the maintainers would have their own keys, and they would sign
>>> a GNU ELPA "signing subkey" that's only used for releasing.

SM> I'm sufficiently unsophisticated that I don't really know what
SM> that means. I understand keys can expire and can be revoked, but that
SM> doesn't say how the end-user will deal with such a situation.
SM> We need some way to update the signing key in a trustworthy way.

TZ> OK, I'll prepare a workflow and offer it for public review as part of
TZ> the POC.

FYI, I plan to start on the ELPA security (both in code and workflow)
after Daniel Hackney's contribution to standardize package.el's
internals is merged or retracted. I'll try to keep the code changes
minimal.

Ted