From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Tue, 08 Jan 2013 12:30:59 -0500
Message-ID: <87ehhveg4s.fsf@lifelogs.com>
To: emacs-devel@gnu.org

On Tue, 08 Jan 2013 11:57:56 -0500 Stefan Monnier wrote:

>> OK, so the package vector will have a new element. Releasing a package
>> will require releasing a new `archive-contents' with an updated
>> signature for that package and re-signing it with the "GNU ELPA"
>> maintainer key.

SM> The `archive-contents' file is re-created afresh every day via a cron-job.
SM> So maybe it's better to keep the signatures in a separate file, next
SM> to the signed file (e.g. have foo.tar and foo.tar.gpgsig).

I think that answers all the questions I had.

To summarize:

1) sign `archive-contents' in the cron job when it's generated into
`archive-contents.gpgsig' with the GNU ELPA maintainer key.

2) every package release foo.{el,tar} will have an optional
foo.{el,tar}.gpgsig also signed with the GNU ELPA maintainer key.

3) package.el will optionally test the signatures by calling GPG
externally. We'll turn that on for the GNU ELPA archive "gnu", but
other repos won't require it. Maybe `package-archives-signed' can be a
new list of ELPA archives to be verified, by default `("gnu")', or the
format of `package-archives' can change.

3.1) If GPG is not available and the ELPA archive is to be verified, we
prompt the user to override it once or abort. They won't be allowed to
override it permanently from the prompt--they have to `M-x
customize-variable' to do it. The prompt will be scary.

4) If the signature checks fail, the user will be prompted to allow it
once or abort. They won't be allowed to override it permanently from
the prompt--they have to `M-x customize-variable' to do it. The prompt
will be scary.

5) The GNU ELPA maintainer key will be shipped with the Emacs
package.el.

Does all of that sound good?

Ted
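
The decision flow in steps 1 to 5 above, sketched as an added example in Python; it is not code from this thread or from package.el. The names `check_download`, `may_install`, `Outcome` and the keyring path are hypothetical, and treating a missing `.gpgsig` in a to-be-verified archive as a failed check is an assumption the message does not state.

```python
import enum
import os
import shutil
import subprocess

# Step 3: archives whose downloads must verify (the default proposed in the message).
PACKAGE_ARCHIVES_SIGNED = ["gnu"]
# Placeholder path for the maintainer keyring shipped with package.el (step 5).
KEYRING = "/path/to/gnu-elpa-keyring.gpg"


class Outcome(enum.Enum):
    NOT_REQUIRED = "archive is not in the signed list"
    VERIFIED = "good signature"
    NO_GPG = "gpg unavailable"                 # step 3.1
    BAD_SIGNATURE = "signature check failed"   # step 4


def check_download(archive, path, gpg="gpg", keyring=KEYRING,
                   signed_archives=PACKAGE_ARCHIVES_SIGNED):
    """Classify a downloaded file (archive-contents, foo.el or foo.tar)."""
    if archive not in signed_archives:
        return Outcome.NOT_REQUIRED
    sig = path + ".gpgsig"  # detached signature next to the signed file
    if not os.path.isfile(sig):
        # Assumption: in a to-be-verified archive a missing signature is a
        # failure, otherwise deleting the .gpgsig would bypass the check.
        return Outcome.BAD_SIGNATURE
    gpg_exe = shutil.which(gpg)
    if gpg_exe is None:
        return Outcome.NO_GPG
    # Trust only the shipped keyring, not whatever is in the user's own keyring.
    cmd = [gpg_exe, "--batch", "--no-default-keyring", "--keyring", keyring,
           "--verify", sig, path]
    rc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL).returncode
    return Outcome.VERIFIED if rc == 0 else Outcome.BAD_SIGNATURE


def may_install(outcome, allow_once=False):
    """allow_once models the one-time answer to the prompt; it is never stored."""
    if outcome in (Outcome.NOT_REQUIRED, Outcome.VERIFIED):
        return True
    return allow_once


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "foo.tar")      # constructed sample download
        open(pkg, "wb").close()
        outcome = check_download("gnu", pkg)  # no foo.tar.gpgsig present
        print(outcome.name, may_install(outcome))
```

Passing `--no-default-keyring --keyring` restricts verification to the shipped maintainer key, so a good signature from some other key in the user's personal keyring does not count.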