unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Ted Zlatanov <tzz@lifelogs.com>
To: emacs-devel@gnu.org
Subject: Re: ELPA security
Date: Mon, 31 Dec 2012 06:50:06 -0500	[thread overview]
Message-ID: <87623i5tld.fsf@lifelogs.com> (raw)
In-Reply-To: CALXzQZh0T9KPrrXRMERhHx+zv_mpdR-V-hTU2NWJDbqP9OoL-g@mail.gmail.com

On Wed, 26 Dec 2012 09:32:44 -0800 Paul Nathan <pnathan.software@gmail.com> wrote: 

PN> - In general, GNU is trusted (after all, we download our emacs from the
PN> GNU). This would imply to me that the GNU can GPG sign packages with a
PN> private/public key (Perhaps the precursor to this is emacs having a gpg
PN> implementation included).

Hmm.  So maybe there can be signed checkpoint commits to a global
ChangeLog file that validate all the commits up to that commit?  Then
package.el would pull that commit from the ELPA DVCS repository and
ignore all later, unconfirmed commits?  That seems very workable for the
maintainers and for package.el:

1. add DVCS support to package.el, supporting Git and Bazaar, with the
notion of "pull packages from repo X at tag/commit Y" in addition to the
current "pull packages from URLs".  The VC package has to be involved
here, instead of writing custom code.

2. when the user requests it and we can support it, we verify that Y is
signed with the ELPA maintainer key.  This will be optional, but for the
GNU ELPA we'll check by default and warn if the verification fails.  The
VC package may be involved here or it could be done in package.el; the
underlying verification will be done by an external tool at first and
may be implemented internally in Emacs later.

3. we may need a way to revoke a signed commit.  Perhaps it can simply
be a revert of the previously committed "bad" code, followed by another
commit, instead of a full revocation process.

4. I don't think we should provide this mechanism without a DVCS that
supports signing a tag or a commit.  In other words, let's not try to
bolt it on top of the current HTTP ELPA structure.

PN> - Then perhaps other repositories, such as marmalade could also sign their
PN> packages, and users could choose to trust that signature or not.

PN> - Of course, this is analogous to the Debian/Launchpad/PPA approach, which
PN> has worked excellently for me and others. It may require quite a great deal
PN> of infrastructure work which I am entirely unfamiliar with.

I think the proposal above minimizes new infrastructure.  It moves the
verification and signing burden to the ELPA (e.g. the GNU ELPA)
maintainers, which I think is the right place.  The new DVCS repo
pointers in package.el can coexist with the current HTTP pointers for a
nice gradual transition.

If this sounds acceptable I will start on a POC.

Ted




  reply	other threads:[~2012-12-31 11:50 UTC|newest]

Thread overview: 101+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-12-09 14:41 ELPA security George Kadianakis
2012-12-09 21:00 ` Nic Ferrier
2012-12-21 14:32 ` Ted Zlatanov
2012-12-21 22:12   ` Xue Fuqiao
2012-12-22  5:07   ` Bastien
2012-12-22  6:17     ` Xue Fuqiao
2012-12-22 12:34       ` Stephen J. Turnbull
2012-12-22 13:03         ` Bastien
2012-12-22 13:24           ` Bastien
2012-12-22 19:37             ` package.el + DVCS for security and convenience (was: ELPA security) Ted Zlatanov
2012-12-24 12:53               ` package.el + DVCS for security and convenience Nic Ferrier
2012-12-24 12:55                 ` Bastien
2012-12-24 13:38                   ` Ted Zlatanov
2012-12-24 13:39                   ` Xue Fuqiao
2012-12-24 16:17               ` Stefan Monnier
2012-12-24 17:46                 ` Ted Zlatanov
2012-12-25  1:03                   ` Stephen J. Turnbull
2012-12-26 14:22                     ` Ted Zlatanov
2012-12-27  3:06                       ` Stephen J. Turnbull
2012-12-27  8:56                         ` Xue Fuqiao
2012-12-31 11:18                         ` Ted Zlatanov
2012-12-31 12:32                           ` Stephen J. Turnbull
2012-12-31 13:50                             ` Ted Zlatanov
2012-12-31 16:47                               ` Stephen J. Turnbull
2012-12-31 21:41                                 ` Ted Zlatanov
2012-12-29  6:19                   ` Stefan Monnier
2012-12-31 11:22                     ` Ted Zlatanov
2013-01-03 16:41                       ` Stefan Monnier
2013-01-04 16:05                         ` Ted Zlatanov
2013-01-04 18:11                           ` Stefan Monnier
2013-01-04 19:06                             ` Ted Zlatanov
2013-01-05  3:25                               ` Stephen J. Turnbull
2013-01-06 19:20                                 ` Ted Zlatanov
2013-01-07  2:03                                   ` Stephen J. Turnbull
2013-01-07 14:47                                     ` Ted Zlatanov
2013-01-08  1:44                                       ` Stephen J. Turnbull
2013-01-08 15:15                                         ` Ted Zlatanov
2013-01-08 17:53                                           ` Stephen J. Turnbull
2013-01-08 18:46                                             ` Ted Zlatanov
2013-01-08 21:20                                             ` Stefan Monnier
2013-01-09  2:37                                               ` Stephen J. Turnbull
2013-01-08  2:20                                       ` Stephen J. Turnbull
2013-01-08 14:05                                         ` Xue Fuqiao
2013-01-04 22:21                           ` Xue Fuqiao
2012-12-31 20:06               ` Re:package.el + DVCS for security and convenience (was: ELPA security) Phil Hagelberg
2012-12-31 22:50                 ` package.el + DVCS for security and convenience Ted Zlatanov
2012-12-22 16:20   ` ELPA security Stefan Monnier
2012-12-26 17:32     ` Paul Nathan
2012-12-31 11:50       ` Ted Zlatanov [this message]
2012-12-31 12:34         ` Stephen J. Turnbull
2012-12-31 13:39         ` Package signing infrastructure suggestion (was Re: ELPA security) Nic Ferrier
2012-12-31 22:32           ` Ted Zlatanov
2012-12-31 23:01             ` Xue Fuqiao
2012-12-31 19:48         ` ELPA security Tom Tromey
2012-12-31 19:57           ` Drew Adams
2012-12-31 22:19             ` Ted Zlatanov
2012-12-31 22:15           ` Ted Zlatanov
2013-01-05 16:46   ` Achim Gratz
2013-01-06 19:12     ` Ted Zlatanov
2013-01-07  5:32       ` Paul Nathan
2013-01-07  5:47         ` Jambunathan K
2013-01-07  5:53           ` Paul Nathan
2013-01-07  6:09             ` Jambunathan K
2013-01-07  6:20               ` Paul Nathan
2013-01-07  7:12               ` Stephen J. Turnbull
2013-01-07  7:18               ` chad
2013-01-07 14:34               ` Ted Zlatanov
2013-01-07  6:57           ` Stephen J. Turnbull
2013-01-07 14:35           ` Ted Zlatanov
2013-01-07 15:01         ` Ted Zlatanov
2013-01-08  3:07           ` Stefan Monnier
2013-01-08 14:47             ` Ted Zlatanov
2013-01-08 16:57               ` Stefan Monnier
2013-01-08 17:30                 ` Ted Zlatanov
2013-01-08 20:50                   ` Stefan Monnier
2013-01-08 21:30                     ` Ted Zlatanov
2013-01-08 22:46                       ` Stefan Monnier
2013-01-08 23:30                         ` Ted Zlatanov
2013-03-12 18:29                           ` Ted Zlatanov
2013-01-08 17:00               ` Stefan Monnier
2013-01-08 17:59                 ` Achim Gratz
2013-01-08 18:37                   ` Ted Zlatanov
2013-01-08 20:59                   ` Stefan Monnier
2013-06-16 11:18                     ` Ted Zlatanov
2013-06-16 23:12                       ` Stefan Monnier
2013-06-17  1:56                         ` Stephen J. Turnbull
2013-06-17  7:23                           ` Ted Zlatanov
2013-06-17 15:54                             ` Stephen J. Turnbull
2013-06-28 15:34                               ` Ted Zlatanov
2013-06-17 14:34                           ` Stefan Monnier
2013-06-17  7:20                         ` Ted Zlatanov
2013-06-19  5:02                           ` Ted Zlatanov
2013-06-19 12:38                             ` Stefan Monnier
2013-06-23 11:58                             ` Ted Zlatanov
2013-06-23 16:41                               ` Stefan Monnier
2013-06-28 15:47                                 ` Ted Zlatanov
2013-06-28 16:28                                   ` Nic Ferrier
2013-06-28 22:49                                   ` Stefan Monnier
2013-06-24  3:44                               ` Daiki Ueno
2013-06-28 15:32                                 ` Ted Zlatanov
2013-06-28 16:15                                   ` Daiki Ueno

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87623i5tld.fsf@lifelogs.com \
    --to=tzz@lifelogs.com \
    --cc=emacs-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).