From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: "Stephen J. Turnbull" Newsgroups: gmane.emacs.devel Subject: Re: package.el + DVCS for security and convenience Date: Mon, 07 Jan 2013 11:03:07 +0900 Message-ID: <87bod1bvhg.fsf@uwakimon.sk.tsukuba.ac.jp> References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com> <87obhmzl2f.fsf@bzg.ath.cx> <20121222141742.7494b429fe36e5ccef50cf6f@gmail.com> <87d2y2w9j5.fsf@uwakimon.sk.tsukuba.ac.jp> <87wqwas0gr.fsf@bzg.ath.cx> <87d2y2p6d7.fsf@bzg.ath.cx> <87sj6xg9p2.fsf_-_@lifelogs.com> <87k3s78hsc.fsf@lifelogs.com> <87ehi65uv4.fsf@lifelogs.com> <87hamxndc7.fsf@lifelogs.com> <87y5g8n4y1.fsf@lifelogs.com> <87lic8b9ai.fsf@uwakimon.sk.tsukuba.ac.jp> <87zk0mktir.fsf@lifelogs.com> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 X-Trace: ger.gmane.org 1357524198 15557 80.91.229.3 (7 Jan 2013 02:03:18 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Mon, 7 Jan 2013 02:03:18 +0000 (UTC) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Jan 07 03:03:35 2013 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1Ts23r-0005se-8O for ged-emacs-devel@m.gmane.org; Mon, 07 Jan 2013 03:03:35 +0100 Original-Received: from localhost ([::1]:42284 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Ts23b-0008Cd-P6 for ged-emacs-devel@m.gmane.org; Sun, 06 Jan 2013 21:03:19 -0500 Original-Received: from eggs.gnu.org ([208.118.235.92]:46153) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Ts23Z-0008C3-IJ for emacs-devel@gnu.org; Sun, 06 Jan 2013 21:03:18 -0500 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Ts23Y-0003iG-Ie for emacs-devel@gnu.org; Sun, 06 Jan 2013 21:03:17 -0500 Original-Received: from mgmt2.sk.tsukuba.ac.jp ([130.158.97.224]:36381) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Ts23Y-0003g2-95 for emacs-devel@gnu.org; Sun, 06 Jan 2013 21:03:16 -0500 Original-Received: from uwakimon.sk.tsukuba.ac.jp (uwakimon.sk.tsukuba.ac.jp [130.158.99.156]) by mgmt2.sk.tsukuba.ac.jp (Postfix) with ESMTP id 237879708F9 for ; Mon, 7 Jan 2013 11:03:08 +0900 (JST) Original-Received: by uwakimon.sk.tsukuba.ac.jp (Postfix, from userid 1000) id DCED01A3222; Mon, 7 Jan 2013 11:03:07 +0900 (JST) In-Reply-To: <87zk0mktir.fsf@lifelogs.com> X-Mailer: VM undefined under 21.5 (beta32) "habanero" b0d40183ac79 XEmacs Lucid (x86_64-unknown-linux) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 130.158.97.224 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:156100 Archived-At: Ted Zlatanov writes: > I'm actually suggesting that the GNU ELPA maintainers (note the "GNU > ELPA" part here, this is not any ELPA maintainer) should review and sign > *every* commit to the GNU ELPA. I have no idea what you think you're proposing. Security reviews are expensive; I doubt you'll have anybody willing to maintain GNU ELPA after a couple of months of that, unless you pay handsomely, or you enlist a maintainer per package or so to reduce the burden on individual maintainers to a manageable level. The obvious candidates for the latter are the authors. If they are not security reviews, what's the point of reviewing at all? You just want signed commits, verifying that the commit was actually received at the GNU ELPA. AFAICS this can be done by a bot, which checks the authors' signatures on the commits.