From: Stefan Kangas
Newsgroups: gmane.emacs.devel
Subject: Making `package-check-signature' more restrictive by default
Date: Sat, 18 Feb 2023 03:54:22 -0800
In-Reply-To: <87a61bkzq9.fsf@localhost>
To: Ihor Radchenko
Cc: Husain Alshehhi, emacs-devel@gnu.org

Ihor Radchenko writes:

> If the default is t, users will be forced to have OpenPGP installed.
> Maybe the default should be like t, but only when OpenPGP is available.

Right. And if we want to make a change like this, I think we should make sure to coordinate with the MELPA folks as well. It would be unfortunate if the first thing MELPA users did was to turn this off.

Once that is done, perhaps something like this could work?

diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el index a0bb5e75393..763f0dcadd0 100644 --- a/lisp/emacs-lisp/package.el +++ b/lisp/emacs-lisp/package.el @@ -345,7 +345,7 @@ package-gnupghome-dir :risky t :version "26.1") -(defcustom package-check-signature 'allow-unsigned +(defcustom package-check-signature (and (epg-find-configuration 'OpenPGP) t) "Non-nil means to check package signatures when installing. This also applies to the \"archive-contents\" file that lists the
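
Review bot: On the added `(defcustom package-check-signature (and (epg-find-configuration 'OpenPGP) t)` line, the default silently becomes nil whenever no OpenPGP configuration is found, and the first docstring line says only a non-nil value checks signatures, so those users get no verification and no indication that it was skipped. The docstring should state this fallback explicitly, and it is worth considering whether such installs should warn the user instead of quietly disabling the check. The form is also evaluated only once, when the defcustom is evaluated, so installing GnuPG later in a running session does not change the default; a comment or docstring sentence saying so would help. Because the default moves from `'allow-unsigned` to `t` where OpenPGP is present, unsigned packages will then be refused, which is the MELPA impact raised above and should be spelled out in the docstring together with an updated `:version` for this option.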