From: Joseph Gay <gilleylen@gmail.com>
To: emacs-devel@gnu.org
Subject: Re: convenient digital signing for el files and snippets
Date: Wed, 09 Mar 2011 10:27:14 -0600 [thread overview]
Message-ID: <87bp1k2ra5.fsf@geneva.hpsy.me> (raw)
In-Reply-To: 87zkp4pavn.fsf@lifelogs.com
>Ted Zlatanov <tzz@lifelogs.com> writes:
>
> I think it's better to sign a package than individual files:
> - the package manager can do the verification at install time (once)
>
> - there's already a packaging process which can easily have the extra
> signing step, and packages have metadata we can use
>
> - signing a package would cover all the files, not just Emacs Lisp
> files, and would be done just once per package
The file-by-file method is not intended to be ubiquitous. I agree
that for controlled packages, signing at the package level is good.
> - the Emacs Lisp code doesn't have to be polluted by the signing info
For packages and multi-file projects, this is sensible, though I don't
think the pollution factor is too bad:
e.g.
--8<---------------cut here---------------start------------->8---
;;; el-signed by Joseph Gay <gilleylen@gmail.com> :chars 6350
;; -----BEGIN PGP SIGNATURE-----
;; Version: GnuPG v1.4.10 (GNU/Linux)
;; iQEcBAABAgAGBQJNd6afAAoJEHcwDyjz7GfnJ1UIALfxJ6nBRQKxlJybtfX1FgkX
;; ZdLdY87eMoHbpffjHPkklzh2rpW5mLUwdhk1HIdiNMvO50v3xx4kGF8BBdBI1bfP
;; HbibsQzjtKe2Rw9gzjApwurraWbBEmVPP/yRXrPE7ORN0B1Hx/Md+ae4WHzq4Nsg
;; Gy21szGsMM4+X3qVhLB+n8qc6/OT4th/qKZGs+BEEe+uX1d7BdKoZBeDv9Be8t7p
;; QWjS5bGs9+6ghqWdbdkxqXW3r0QL5dqBnjUmV/0ZMXJaryuar35woFRRUVfbk01t
;; 13vHlvbOIGPFvE6lWWIhVWum//TpiMkp6d2s3Bx/jakEW9oo6vMAmu0cDWyx07A=
;; =tvGq
;; -----END PGP SIGNATURE-----
;;; el-sign.el ends here
--8<---------------cut here---------------end--------------->8---
> - older and legacy code doesn't have to be modified to be signed
My concern is the quantity of code on EmacsWiki plus the number of
people still using it. Perhaps this could be a stopgap approach until
ELPA takes over.
This wouldn't affect unsigned code. It would be treated the same as it
is now. Only for things that are signed would there be any potential
benefit (assurance that the signature is trusted and validated).
I have some working code now, so I will look into what it would take to
implement a mechanism for ELPA, assuming that's not already in the
works.
Thanks for your input.
next prev parent reply other threads:[~2011-03-09 16:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-09 6:12 convenient digital signing for el files and snippets Joseph Gay
2011-03-09 15:33 ` Ted Zlatanov
2011-03-09 16:27 ` Joseph Gay [this message]
2011-03-09 17:43 ` Ted Zlatanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bp1k2ra5.fsf@geneva.hpsy.me \
--to=gilleylen@gmail.com \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).