From: Bastien
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Sat, 22 Dec 2012 14:03:32 +0100
Message-ID: <87wqwas0gr.fsf@bzg.ath.cx>
References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com> <87obhmzl2f.fsf@bzg.ath.cx> <20121222141742.7494b429fe36e5ccef50cf6f@gmail.com> <87d2y2w9j5.fsf@uwakimon.sk.tsukuba.ac.jp>
To: "Stephen J. Turnbull"
Cc: Xue Fuqiao, emacs-devel@gnu.org
In-Reply-To: <87d2y2w9j5.fsf@uwakimon.sk.tsukuba.ac.jp> (Stephen J. Turnbull's message of "Sat, 22 Dec 2012 21:34:06 +0900")

"Stephen J. Turnbull" writes:

> Xue Fuqiao writes:
> > On Sat, 22 Dec 2012 06:07:19 +0100
> > Bastien wrote:
> >
> > > What about simply distributing, within GNU Emacs the
> > > list of md5 hashes of valid(ated) packages?
>
> Doesn't solve any problems that I can see. You'll still need to
> distribute the hashes for newly added or updated packages somehow.
> People aren't going to reinstall Emacs just because of a package
> update they might like to try, and even if they would, the burden on
> the maintainers would be substantial.

Well, if Emacs distributes the hashes and has a notion of certified
package for some of the GNU ELPA packages, that's already progress.
I'm not an expert, so I can't think of better progress. Hopefully
someone will come up with a better solution.

-- 
Bastien
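
The scheme discussed in this message, as an added sketch that is not code from Emacs or ELPA: a hash list frozen into a release certifies the package versions it names, and anything published afterwards is simply not listed. SHA-256 stands in here for the md5 named in the thread; the package name, contents, manifest layout and function names are all constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample package contents (not real ELPA packages).
PKG_1_0 = b"(provide 'example-pkg) ;; release 1.0"
PKG_1_1 = b"(provide 'example-pkg) ;; release 1.1, published after the Emacs release"


def digest(data: bytes) -> str:
    """Hex digest of a package archive (SHA-256 swapped in for md5)."""
    return hashlib.sha256(data).hexdigest()


# Hash list as it would be frozen into an Emacs release (hypothetical layout):
# it can only name versions that existed when the release was cut.
BUNDLED_HASHES = {("example-pkg", "1.0"): digest(PKG_1_0)}


def check_package(name, version, data, manifest=BUNDLED_HASHES):
    """Classify a downloaded package as 'verified', 'mismatch' or 'unlisted'."""
    expected = manifest.get((name, version))
    if expected is None:
        # Newly added or updated package: the bundled list says nothing.
        return "unlisted"
    if hmac.compare_digest(expected, digest(data)):
        return "verified"
    # Listed version whose bytes differ from what was certified.
    return "mismatch"


def install_decision(name, version, data, manifest=BUNDLED_HASHES):
    """Fail closed: only a 'verified' package counts as certified."""
    status = check_package(name, version, data, manifest)
    return status == "verified", status


if __name__ == "__main__":
    for version, data in (("1.0", PKG_1_0),
                          ("1.0", PKG_1_0 + b" ;; altered in transit"),
                          ("1.1", PKG_1_1)):
        print(version, install_decision("example-pkg", version, data))
```
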