From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Ted Zlatanov Newsgroups: gmane.emacs.devel Subject: Re: In Support of ELPA Date: Thu, 13 Jul 2017 11:05:49 -0400 Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos Message-ID: <87d194idgy.fsf@lifelogs.com> References: <87eftmejer.fsf@russet.org.uk> <87inixixyn.fsf@lifelogs.com> NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: blaine.gmane.org 1499958382 29936 195.159.176.226 (13 Jul 2017 15:06:22 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Thu, 13 Jul 2017 15:06:22 +0000 (UTC) User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Thu Jul 13 17:06:13 2017 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dVfgy-0007Du-Jl for ged-emacs-devel@m.gmane.org; Thu, 13 Jul 2017 17:06:12 +0200 Original-Received: from localhost ([::1]:60572 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dVfh2-0005yi-7j for ged-emacs-devel@m.gmane.org; Thu, 13 Jul 2017 11:06:16 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:37892) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dVfgq-0005wf-EW for emacs-devel@gnu.org; Thu, 13 Jul 2017 11:06:05 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dVfgn-0001NP-Q1 for emacs-devel@gnu.org; Thu, 13 Jul 2017 11:06:04 -0400 Original-Received: from [195.159.176.226] (port=39670 helo=blaine.gmane.org) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dVfgn-0001N5-J9 for emacs-devel@gnu.org; Thu, 13 Jul 2017 11:06:01 -0400 Original-Received: from list by blaine.gmane.org with local (Exim 4.84_2) (envelope-from ) id 1dVfgd-0006Iz-Fg for emacs-devel@gnu.org; Thu, 13 Jul 2017 17:05:51 +0200 X-Injected-Via-Gmane: http://gmane.org/ Mail-Followup-To: emacs-devel@gnu.org Original-Lines: 31 Original-X-Complaints-To: usenet@blaine.gmane.org X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" Mail-Copies-To: never Cancel-Lock: sha1:sdNtWBHGLk4J3IkeaEm3jUFeHFo= X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 195.159.176.226 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.org gmane.emacs.devel:216581 Archived-At: On Thu, 13 Jul 2017 08:23:27 -0400 Richard Stallman wrote: RS> [[[ To any NSA and FBI agents reading my email: please consider ]]] RS> [[[ whether defending the US Constitution against all enemies, ]]] RS> [[[ foreign or domestic, requires you to follow Snowden's example. ]]] SM> I find it is important for GNU ELPA not to *pull* from outside hosts SM> that are not under our control. Instead code should be pushed to it by SM> people who have write access (hence take on the responsibility of paying SM> attention to copyright and such). >> Can GnuPG signatures satisfy that requirement so the code can be pulled? RS> The question is so vague that I can't relate it to the issue at hand. RS> GPG signatures delivered by whom, when, signing what, to achieve what RS> purpose? Sorry for the vagueness. I mean that maintainers of packages can use GnuPG signatures in Git to sign a particular tag. So maybe that's enough to let the GNU ELPA pull instead of requiring maintainers to push, because the signature will guarantee that the code has been reviewed for copyright and other requirements. The verification can be automated. I think a pull-based system like that would reduce friction and increase contributions, because maintainers won't have to get access to elpa.git or push anything. They would just do a release tag as part of their normal workflow. Ted