From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Ted Zlatanov Newsgroups: gmane.emacs.devel Subject: Re: [PATCH] package.el: check tarball signature Date: Fri, 04 Oct 2013 12:19:25 -0400 Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos Message-ID: <87r4c1rotu.fsf@flea.lifelogs.com> References: <874n92x9em.fsf@flea.lifelogs.com> <87fvsk9m8b.fsf-ueno@gnu.org> <877gdutp1l.fsf@flea.lifelogs.com> Reply-To: emacs-devel@gnu.org NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: ger.gmane.org 1380903582 28281 80.91.229.3 (4 Oct 2013 16:19:42 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Fri, 4 Oct 2013 16:19:42 +0000 (UTC) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Fri Oct 04 18:19:45 2013 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1VS86S-0000Dw-SZ for ged-emacs-devel@m.gmane.org; Fri, 04 Oct 2013 18:19:44 +0200 Original-Received: from localhost ([::1]:48826 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VS86S-0008SR-En for ged-emacs-devel@m.gmane.org; Fri, 04 Oct 2013 12:19:44 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:42590) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VS86K-0008RU-Nz for emacs-devel@gnu.org; Fri, 04 Oct 2013 12:19:41 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VS86E-0005s4-NM for emacs-devel@gnu.org; Fri, 04 Oct 2013 12:19:36 -0400 Original-Received: from plane.gmane.org ([80.91.229.3]:48180) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VS86E-0005rr-GG for emacs-devel@gnu.org; Fri, 04 Oct 2013 12:19:30 -0400 Original-Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1VS86C-0008UR-Qd for emacs-devel@gnu.org; Fri, 04 Oct 2013 18:19:28 +0200 Original-Received: from c-98-229-61-72.hsd1.ma.comcast.net ([98.229.61.72]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 04 Oct 2013 18:19:28 +0200 Original-Received: from tzz by c-98-229-61-72.hsd1.ma.comcast.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Fri, 04 Oct 2013 18:19:28 +0200 X-Injected-Via-Gmane: http://gmane.org/ Mail-Followup-To: emacs-devel@gnu.org Original-Lines: 41 Original-X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: c-98-229-61-72.hsd1.ma.comcast.net X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" Mail-Copies-To: never User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) Cancel-Lock: sha1:i9TcNa8tmONvAUMRnAM4rWYrQO8= X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 80.91.229.3 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:163854 Archived-At: On Fri, 04 Oct 2013 11:46:30 +0900 Daiki Ueno wrote: DU> Ted Zlatanov writes: >> Just one code comment: >> >> +(defcustom package-check-signature 'allow-unsigned >> + "Whether to check package signatures when installing." >> + :type '(choice (const nil :tag "Never") >> + (const allow-unsigned :tag "Allow unsigned") >> + (const t :tag "Check always")) >> + :risky t >> + :group 'package >> + :version "24.1") >> >> IMHO this should be per archive, not global. WDYT? DU> Yes, actually I was in doubt how to support that. Given that most of DU> the archives will be eventually signed (as Stefan pointed[1]), I'm now DU> thinking of: DU> * remove the package-check-signature option, and DU> * even if an archive is listed in package-unsigned-archives, check DU> signature if .sig file is provided (ignoring verification error) DU> How does this sound? Here is a patch in this direction. I think it's a good direction. Maybe archives should have trust levels that the user can provide when adding them, instead of managing `package-{signed,unsigned}-archives' as external lists: - signed (always check for .sig and verify it) - optionally signed (always check for .sig but allow it may not exist) - not signed (never check for .sig, avoiding extra network requests) The default trust level would be "signed." Does that work? The user may also want a keyring per archive, if that could be a property. I would want it. But it may be expensive to implement. Ted