From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stefan Kangas
Newsgroups: gmane.emacs.devel
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Mon, 19 Oct 2020 15:55:26 +0000
References: <20201012050418.GZ2923@protected.rcdrun.com> <20201013052736.GE31408@protected.rcdrun.com> <20201016130235.06218dae@argon> <87eelvplvh.fsf@posteo.net> <10bdf4ea-e365-cc3d-ec03-4348946fadbe@yandex.ru> <20201019124335.GC19325@protected.rcdrun.com>
In-Reply-To: <20201019124335.GC19325@protected.rcdrun.com>
To: Jean Louis, Dmitry Gutov
Cc: mve1@runbox.com, "Philip K.", rms@gnu.org, thibaut.verron@gmail.com, emacs-devel@gnu.org
Xref: news.gmane.io gmane.emacs.devel:258128

Jean Louis writes:

> One way to increase the security of your packages is to “sign” them
> using a cryptographic key. If you have generated a private/public gpg
> key pair, you can use gpg to sign the package like this:
>
> gpg -ba -o FILE.sig FILE
>
> But it is not implemented in Emacs to verify packages being signed,
> so my proposal is that Emacs get obligatory verification of a package
> if such package is arriving from any repository and to warn the user if
> the package was not signed. This would give initiative to MELPA to start
> thinking about security issues.
>
> That is one of the reasons why Hyperbola GNU/Linux-libre and other
> GNU/Linux distributions package some major Emacs packages, as that way
> the package maintainers verify the package before it is included in
> the free software distribution.
>
> In the same manner Emacs should have a built-in package installation
> procedure (that can be circumvented by users' configuration) to verify
> all packages being installed by default.

We have signing of packages on the package archive side that is verified
by default when it exists. See `package-check-signature'.

(If I'm not mistaken, GNU ELPA signs packages but MELPA doesn't. Please
correct me if I'm wrong.)

Note that package signatures still leave us open to replay attacks. See
Bug#19479 and the branch scratch/package-security for an attempt to
improve the situation.

I think it would be useful if package archives could implement a
requirement for signed commits before building a new package. This could
be optional or mandatory, and would buy us an additional layer of
protection against compromised developer credentials.
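The "verify if signed, warn if not" step proposed in the quoted message, plus the replay caveat raised in the reply, as an added shell example that is not from this thread and not package.el's own code. It assumes detached signatures named FILE.sig (as in the quoted gpg invocation), a keyring path supplied by the caller, and a monotonically increasing counter inside the signed archive index; the counter and state-file names are constructed for the example.

```sh
#!/bin/sh
# Return codes: 0 signature verified, 1 no signature present (warn),
# 2 signature present but did not verify (or gpg unavailable).
verify_package() {
  file=$1
  keyring=$2            # caller-supplied keyring holding the archive's public key
  sig="$file.sig"       # detached signature as produced by: gpg -ba -o FILE.sig FILE
  if [ ! -f "$sig" ]; then
    echo "WARNING: $file has no detached signature ($sig missing)" >&2
    return 1
  fi
  # --trust-model always: trust decisions are made by which keys are in
  # $keyring, not by the web of trust; --batch keeps gpg non-interactive.
  if gpg --batch --no-default-keyring --keyring "$keyring" --trust-model always \
         --verify "$sig" "$file" >/dev/null 2>&1; then
    return 0
  fi
  echo "ERROR: signature on $file did not verify against $keyring" >&2
  return 2
}

# Replay guard (constructed for this example): a valid signature proves an
# index was once published, not that it is current. If the signed index
# carries a counter, refuse any index older than the last one accepted.
# Return codes: 0 accepted (state updated), 3 rollback detected.
reject_rollback() {
  new_counter=$1
  state_file=$2         # records the counter of the last accepted index
  last=0
  [ -f "$state_file" ] && last=$(cat "$state_file")
  if [ "$new_counter" -lt "$last" ]; then
    echo "ERROR: index counter $new_counter older than last seen $last (possible replay)" >&2
    return 3
  fi
  printf '%s\n' "$new_counter" > "$state_file"
  return 0
}
```

The counter only helps if it is covered by the archive signature; a counter in unsigned metadata can be rewritten along with the rest of the replayed index.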