From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Ted Zlatanov Newsgroups: gmane.emacs.devel Subject: Re: [PATCH] package.el: check tarball signature Date: Wed, 02 Oct 2013 09:53:54 -0400 Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos Message-ID: <87d2nnvkwd.fsf@flea.lifelogs.com> References: <874n92x9em.fsf@flea.lifelogs.com> <87fvsk9m8b.fsf-ueno@gnu.org> <87txh0uf8n.fsf@flea.lifelogs.com> <877gdvamle.fsf-ueno@gnu.org> Reply-To: emacs-devel@gnu.org NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: ger.gmane.org 1380722051 22287 80.91.229.3 (2 Oct 2013 13:54:11 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Wed, 2 Oct 2013 13:54:11 +0000 (UTC) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Wed Oct 02 15:54:15 2013 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1VRMsZ-0007zR-Ee for ged-emacs-devel@m.gmane.org; Wed, 02 Oct 2013 15:54:15 +0200 Original-Received: from localhost ([::1]:36236 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VRMsZ-0002Xu-5J for ged-emacs-devel@m.gmane.org; Wed, 02 Oct 2013 09:54:15 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:43695) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VRMsR-0002U8-Af for emacs-devel@gnu.org; Wed, 02 Oct 2013 09:54:12 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VRMsL-00068h-Mu for emacs-devel@gnu.org; Wed, 02 Oct 2013 09:54:07 -0400 Original-Received: from plane.gmane.org ([80.91.229.3]:56293) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VRMsL-00068W-GU for emacs-devel@gnu.org; Wed, 02 Oct 2013 09:54:01 -0400 Original-Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1VRMsJ-0007iZ-KP for emacs-devel@gnu.org; Wed, 02 Oct 2013 15:53:59 +0200 Original-Received: from c-98-229-61-72.hsd1.ma.comcast.net ([98.229.61.72]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Wed, 02 Oct 2013 15:53:59 +0200 Original-Received: from tzz by c-98-229-61-72.hsd1.ma.comcast.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Wed, 02 Oct 2013 15:53:59 +0200 X-Injected-Via-Gmane: http://gmane.org/ Mail-Followup-To: emacs-devel@gnu.org Original-Lines: 62 Original-X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: c-98-229-61-72.hsd1.ma.comcast.net X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" Mail-Copies-To: never User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) Cancel-Lock: sha1:xYCWiG66K3VwvKPkhBzFRZa7lgI= X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 80.91.229.3 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:163807 Archived-At: On Wed, 02 Oct 2013 21:22:53 +0900 Daiki Ueno wrote: DU> Ted Zlatanov writes: DU> For what purpose would you need signature generation? >> >> So the maintainer can create a signature from Emacs instead of >> externally. The signer is intended to be a maintainer after review, not >> a package creator. DU> I'm fine with signing with dput for Debian and gnupload for GNU, who DU> else of you really wants that feature. Reference? I want it. If we move to a branch-pull request-merge model, this will be much less important since the signing will happen at the time of the merge on the server; the reviewer never needs to manually sign anything. But at least for now we need interactive tools to automate that process and gnupload would certainly fill that need. So please don't dwell on this. >> It's something you would run on the ELPA server, not at upload time. DU> I'd rather use other scripting language to do such a batch job. OK, I think there's room for both views. Let's assume I will implement it if I need it, and it shouldn't stop you. Note I didn't mention it in my "wishlist" for your v2 patch, so I don't consider it essential like per-archive signing. >> package.el is not just an installer UI, it's a full package manager. DU> Why the uploading part is separated into package-x.el then? Good point, I think you're right. Thanks for the digging. If I add signing from Emacs I'll put it in package-x.el. DU> I'm sorry, I couldn't find anything I can reuse in your patch. It even DU> succeeds signature verification when GPG reports bad signatures. >> >> That's one of the EPG-related pieces I mentioned need fixing. But at >> this point your v2 patch has done the work so there's no point in arguing. DU> Thanks for understanding. I should have been involved in this earlier. DU> What I'm really surprised is no progress on this for almost one DU> year. Yes, I know. I was part of the problem: extremely busy with work and "almost done" all the time. Let's make an effort together and get it done now. I think it's an important part of Emacs' future. DU> Also, why did you choose ".gpgsig" extension rather than ".sig", DU> which has already been used on ftp.gnu.org for a decade? >> >> I think the extension name is not that important, but here specifically >> I wanted to indicate it's generated by GPG. .sig will obviously work >> exactly the same way. DU> It's important, if we would like to use common tools like gnupload too. OK with me, please consider me in favor of .sig. Ted