From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: package.el + DVCS for security and convenience
Date: Mon, 24 Dec 2012 12:46:27 -0500
Message-ID: <87k3s78hsc.fsf@lifelogs.com>
To: emacs-devel@gnu.org

On Mon, 24 Dec 2012 11:17:28 -0500 Stefan Monnier wrote:

>> Maybe `vc-dir' already has code to do this, so package.el can simply
>> ride on top of it.

SM> I'm afraid VC does not have much of that code yet.

It seems not too hard to add it: verifying signed commits/tags uses
orthogonal commands that don't affect the general VC workflow. If no
one else is interested I can add it to my TODO list. But see below.

SM> An alternative is to only protect the communication between elpa.gnu.org
SM> and the end client: add a "GPG signature" to each entry of the
SM> `archive-contents' file, so they can be checked after the download.

The problem then is how to verify GPG signatures, especially if GnuPG is
not installed. OTOH verifying signed tags in Git and signed commits in
Bazaar is part of the base packages, so it requires no more than having
them installed. Still... how does it all work if Bazaar or Git are not
installed?

Emacs could verify GPG signatures directly. I have looked at the
protocol and it's not terribly difficult, and in fact the GnuTLS
integration brought in most of the ciphers and decoders we would need to
verify those signatures, but then we'd require GnuTLS... argh, the
dreaded bootstrap problem. Making it work on all platforms is not
trivial. In the core, I think we only have `sha1' built-in.

I still think public-key cryptography and asymmetric ciphers are the
answer here, but I don't know how much we want to depend on external
tools or libraries for package installations, and how willing we are to
make installations insecure if those tools or libraries are not
available.

So I need the maintainers' wise opinion :)

Thanks
Ted
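
The check-after-download idea quoted above, together with the open question of what to do when no verifier is installed, as an added Emacs Lisp example (not package.el code and not posted in this thread). It assumes a `gpg` binary on PATH, a detached signature file fetched alongside the download, and a dedicated keyring; every `my-pkg-` name and the keyring path are hypothetical.

```emacs-lisp
;;; -*- lexical-binding: t -*-
;; Added example, not package.el code.  Every `my-pkg-' name and the
;; keyring path are hypothetical.

(defvar my-pkg-keyring (expand-file-name "~/.emacs.d/archive-keyring.gpg")
  "Keyring that holds only the archive's signing key (assumed path).")

(defvar my-pkg-no-verifier-policy 'refuse
  "What to do when gpg is not installed: `refuse' or `allow-unverified'.")

(defun my-pkg--gpg-verify (file sig)
  "Run gpg on FILE and detached signature SIG.
Return (EXIT-CODE . STATUS-OUTPUT)."
  (with-temp-buffer
    (let ((exit (call-process "gpg" nil '(t nil) nil
                              "--batch" "--no-default-keyring"
                              "--keyring" my-pkg-keyring
                              "--status-fd" "1"
                              "--verify" sig file)))
      (cons exit (buffer-string)))))

(defun my-pkg-check-download (file sig)
  "Check downloaded FILE against detached signature SIG.
Return t when the signature verifies, or the symbol `unverified' when
gpg is absent and the policy allows that.  Signal an error otherwise."
  (cond
   ((not (executable-find "gpg"))
    ;; The case raised in the message: no verifier on this machine.
    ;; The policy decides; the default is to fail closed.
    (if (eq my-pkg-no-verifier-policy 'allow-unverified)
        (progn (message "WARNING: %s was NOT verified" file)
               'unverified)
      (error "gpg not found; refusing to install %s" file)))
   ;; A verifier exists, so a missing signature is a failure, never a
   ;; reason to fall back to the unverified path.
   ((not (file-readable-p sig))
    (error "No signature found for %s" file))
   (t
    (let ((result (my-pkg--gpg-verify file sig)))
      ;; Demand exit code 0 and a VALIDSIG status line; anything else,
      ;; including a key that is not in the keyring, is a rejection.
      (unless (and (eql (car result) 0)
                   (string-match-p "^\\[GNUPG:\\] VALIDSIG " (cdr result)))
        (error "Signature check failed for %s" file))
      t))))
```

The function is meant to run after the download completes and before the file's contents are read or evaluated; callers treat the `unverified' return value as distinct from t.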