From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Fri, 28 Jun 2013 11:47:03 -0400
Message-ID: <87vc4yme4o.fsf@lifelogs.com>
To: emacs-devel@gnu.org

On Sun, 23 Jun 2013 12:41:32 -0400 Stefan Monnier wrote:

TZ> etc/elpa/ARCHIVE-NAME can contain the actual armored GPG signature but
TZ> it can also have more metadata about the archive.  So the format could
TZ> be:

TZ> url=ARCHIVE-URL
TZ> other-metadata=whatever
TZ> then-a-new-line=ends metadata

TZ> SIGNATURE

TZ> and if SIGNATURE is missing, the archive is not signed.

SM> Hmm... I'm not sure I understand the issues here.  IIUC Debian
SM> uses a GPG keyring.  What's the difference?  Also, you talk about the
SM> signature here, whereas I think "an archive has a key, each package has
SM> a signature".

Sorry, I've been careless with the terminology.

Each file P has a detached signature P.gpgsig.

Each archive A has a public key A.key.

To verify that A signed P, the package.el user must import A.key into a
GPG keyring (either the default or, as I was suggesting to Daiki Ueno, a
special "elpa" keyring).  A GPG keyring is a storage space for keys,
essentially.

I propose `etc/elpa/A' to contain some metadata about the archive.  The
existence of that file should be noted in `package-archives-found' and
should be the only way to specify a signed archive.  The format of
`etc/elpa/A' would be:

    url=ARCHIVE-URL
    other-metadata=whatever
    then-a-new-line=ends metadata

    [after a final newline, append the contents of A.key]

This would let the user or site admin easily install or remove ELPA
archives without modifying Emacs Lisp code.

`package-archives' would remain, but only as a way to specify unsigned
archives.

>> For now I'm using the old format.  Archives are signed by default as
>> requested.  I've rebased the patch against the changes to package.el.

SM> I think the list of signed/unsigned archives should be managed
SM> dynamically/automatically: if a signature is missing, ask the user if
SM> she thinks it's normal, and if so, place the archive into a list of
SM> "unsigned archives", so the question is not repeated.  But every time we
SM> access the archive, we still try to get a signature.  If we do find
SM> a signature, then remove the archive from the "unsigned archives" list.

I'd rather go with the `etc/elpa/A' scheme above.  Can you please
consider it?

>> Also the signature has to be named .gpgsig because the extension .gpg
>> (the default) makes EPA/EPG attempt to decrypt it.

SM> ".gpgsig" is fine, as is ".sig".  Are you talking about the packages'
SM> signatures, or about some ~/.emacs.d/elpa/archive/key.gpgsig?

P.gpgsig for every file P.

Ted
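
The `etc/elpa/A' format proposed in this message, as a small Emacs Lisp
parser. This is an added example, not part of the original message, of
package.el, or of the patch under discussion. All `elpa-desc-' names and
the sample descriptor are hypothetical, and rejecting duplicate metadata
keys or a descriptor without a key block is an assumption of the example.

```elisp
;; Added example: not code from package.el or from the patch discussed.
;; All `elpa-desc-' names and the sample descriptor are hypothetical.

(defconst elpa-desc-sample
  (concat "url=https://elpa.example.org/packages/\n"
          "other-metadata=whatever\n"
          "\n"                    ; the first empty line ends the metadata
          "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
          "\n"                    ; armor's own empty line is part of the key
          "cGxhY2Vob2xkZXI=\n"
          "-----END PGP PUBLIC KEY BLOCK-----\n")
  "Constructed descriptor; the key body is a placeholder, not a real key.")

(defun elpa-desc-parse (text)
  "Split descriptor TEXT into metadata and the appended public key.
Return a plist (:metadata ALIST :key STRING-OR-NIL)."
  (with-temp-buffer
    (insert text)
    (goto-char (point-min))
    (let (metadata key)
      ;; Metadata is a run of NAME=VALUE lines up to the first empty line.
      (while (and (not (eobp)) (not (looking-at-p "^$")))
        (unless (looking-at "^\\([^=\n]+\\)=\\(.*\\)$")
          (error "Malformed metadata line %d" (line-number-at-pos)))
        ;; Assumption: a repeated name (e.g. two url= lines) is refused.
        (when (assoc (match-string 1) metadata)
          (error "Duplicate metadata key %s" (match-string 1)))
        (push (cons (match-string 1) (match-string 2)) metadata)
        (forward-line 1))
      ;; Everything after that empty line is taken verbatim as A.key.
      (unless (eobp)
        (forward-line 1)
        (setq key (buffer-substring-no-properties (point) (point-max))))
      (list :metadata (nreverse metadata) :key key))))

(defun elpa-desc-check (text)
  "Return (URL . KEY) for a usable descriptor TEXT, else signal an error.
Assumption: the descriptor declares a signed archive, so one without an
armored public key is rejected rather than treated as unsigned."
  (let* ((desc (elpa-desc-parse text))
         (url (cdr (assoc "url" (plist-get desc :metadata))))
         (key (plist-get desc :key)))
    (unless url
      (error "Descriptor has no url= line"))
    (unless (and key
                 (string-match-p
                  "\\`-----BEGIN PGP PUBLIC KEY BLOCK-----\n" key)
                 (string-match-p
                  "\n-----END PGP PUBLIC KEY BLOCK-----\n*\\'" key))
      (error "Descriptor for %s has no armored public key" url))
    (cons url key)))
```

Evaluating (elpa-desc-check elpa-desc-sample) yields the archive URL paired
with the key text that would then be imported into the keyring; the check
only looks at the armor markers and does not validate the key itself.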