From: "Stephen J. Turnbull"
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Mon, 07 Jan 2013 16:12:59 +0900
Message-ID: <877gnpbh50.fsf@uwakimon.sk.tsukuba.ac.jp>
To: Jambunathan K
Cc: Paul Nathan, emacs-devel@gnu.org

Jambunathan K writes:

> Maybe the idea is too ahead for its time. I wonder whether another
> "serious" distributor like GNU ELPA sprouts forth.

Seems unlikely to me. Why have more than one? I suppose that Red Hat might redistribute GNU ELPA, but I would imagine they would rely on the GNU ELPA signatures. Ditto Debian and Ubuntu.

> Is XEmacs a contender here, I don't know.

No. There is provision for signing our packages in our package infrastructure, but currently they aren't signed, and the functionality is probably pretty bitrotted. It was way too much hassle for most users the last time we tried. Even Steve Baur, a pretty paranoid dude, never advocated mandatory signature checking.

I imagine the state of the art has improved for PKI, and the situation deteriorated in terms of the risks of cracking, so we may want to reconsider.

Steve