From: Paul Nathan
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Sun, 6 Jan 2013 22:20:59 -0800
References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com> <87k3rrr31g.fsf@Rainer.invalid> <874nium8h0.fsf@lifelogs.com> <87bod1h7d3.fsf@gmail.com> <87pq1h4j8w.fsf@gmail.com>
In-Reply-To: <87pq1h4j8w.fsf@gmail.com>
To: Jambunathan K
Cc: emacs-devel@gnu.org
Xref: news.gmane.org gmane.emacs.devel:156108

On Sun, Jan 6, 2013 at 10:09 PM, Jambunathan K wrote:
>
> I am thinking how many of the existing ELPA repositories will go to the
> extent of getting a signature from a legal entity.  Mostly they are
> "wannabe-s" or individual efforts.

Unless I am entirely foolish, which is always possible, the idea of having a legal entity effectively notarize the code is not the idea.

The general idea is that the individual (or the package repository maintainer) would use GPG to sign their code (perhaps with bzr, git, hg, or directly with gpg), and this pub key would be available for the user to download, much like Launchpad does for the Debian infrastructure.

I am pretty sure that reliability is not the concern in this thread, but protecting against malicious behavior, since public/private key crypto is under consideration.

I am sure that if I am wrong in any of this, more learned and experienced emacs-devel members will instruct me.

Kind regards,
Paul
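The flow Paul sketches (maintainer signs with gpg, user downloads the public key and checks packages against it), as an added shell example that is not part of this thread or of ELPA itself. It assumes GnuPG 2.1+ with gpg and gpgv installed; the key owner, addresses, file names and package contents are constructed for the demo.

```shell
#!/bin/sh
# Added demo of detached GPG signing and trusted-keyring verification.
# Assumes gpg/gpgv from GnuPG 2.1+; every name and file below is constructed.
set -eu

export GNUPGHOME="$(mktemp -d)"   # maintainer's private keyring, ephemeral
WORK="$(mktemp -d)"               # stands in for the repository and the user's machine
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME" "$WORK"' EXIT
MAINTAINER='demo-maintainer@example.invalid'

# gpg in non-interactive mode; an empty passphrase keeps the demo key unprotected.
gpgb() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# --- maintainer side ---------------------------------------------------------
# One-off: create a signing key and export the public half (what users download).
gpgb --quick-generate-key "Demo Maintainer <$MAINTAINER>" rsa2048 sign never
gpg --batch --export "$MAINTAINER" > "$WORK/maintainer-pubkey.gpg"

# Per release: write a detached signature next to the package archive.
sign_package() {
    gpgb --detach-sign --local-user "$MAINTAINER" --output "$1.sig" "$1"
}

# --- user side ---------------------------------------------------------------
# The downloaded public key becomes the user's trusted keyring. gpgv treats every
# key in that keyring as fully trusted and nothing else, so a package signed by any
# other key (even with a perfectly valid signature) is rejected.
TRUSTED="$WORK/elpa-trusted.gpg"
cp "$WORK/maintainer-pubkey.gpg" "$TRUSTED"

# Returns 0 only if the archive is byte-for-byte what a trusted key signed.
verify_package() {
    [ -f "$1.sig" ] || { echo "refusing $1: no signature present" >&2; return 1; }
    gpgv --quiet --keyring "$TRUSTED" "$1.sig" "$1" 2>/dev/null
}

# Demo run: a signed package verifies; the same file altered afterwards does not.
PKG="$WORK/hello-1.0.tar"
printf 'hello-1.0/hello.el\n(provide (quote hello))\n' > "$PKG"   # constructed content
sign_package "$PKG"
verify_package "$PKG" && echo "ok: $PKG verifies against the trusted key"
printf '(message "changed")\n' >> "$PKG"   # simulate modification on a mirror or in transit
verify_package "$PKG" || echo "rejected: $PKG no longer matches its signature"
```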