From: Jean Louis
Newsgroups: gmane.emacs.devel
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Fri, 23 Oct 2020 19:59:15 +0300
To: Stefan Monnier
Cc: "Philip K.", rms@gnu.org, thibaut.verron@gmail.com, mve1@runbox.com, emacs-devel@gnu.org, Stefan Kangas, Dmitry Gutov

* Stefan Monnier [2020-10-23 17:52]:
> > I meant to make it as a rule to sign packages, and that it should be
> > default in Emacs to accept only signed packages, that increases level of
> > security rather than leaving it acceptable for users to get unsigned
> > packages. It is definitely now everything about security, yet it is
> > one level.
>
> IOW, you're just restating in other words your request to change
> `package-check-signature` to t?

Yes.

> > My purpose was to tell you that if Emacs developers allow non-SSL by
> > default that users are automatically put at certain risks and that is
> > better to ask for SSL by default.
>
> And here you're suggesting that the default value of `package-archives`
> should always use `https` regardless of the `gnutls-available-p`?

I understand from that statement that probably not every platform will
have gnutls or whatever other solution.

Let me mention that in some countries governments forbid usage of
various networks and software, also encryption software, in particular
I have a friend in Iran and I know what can happen to a person. And
networks are spied over. This means in particular that
misunderstanding or usage of encryption tools could lead to unjust
arrests and broken families. Loading some packages from Emacs could
automatically trigger spying governments to abuse their citizens.

Reference:
https://security.stackexchange.com/questions/10992/encryption-laws-in-iran

There are other similar cases easy to find on search engines.

Now if that cannot be made default, then every non-SSL connection
should give serious warning to a user and should even ask user if one
wants to connect or not, because it is non-SSL. Such warning should
give good reference that data is visible on network and prone to Big
Brother's eyes.

> > Packages are meant to be distributable as well, if they are signed,
> > signature should be also fetched, but that is probably not original
> > design of Emacs. In my opinion, it should be. Signatures should be
> > inside of the package directory,
> > ~/emcas.d/elpa/package-0.0/file.el.gpg
>
> This makes way too many assumptions to be worth discussing, IMO.
> For the case of "single file ELPA package" (i.e. those files
> distributed as a single .el file) maybe that can work without too much
> trouble (tho there's still the issue of trusting the accompanying .elc
> file), but for the more common packages distributed as tarballs, I think
> this is completely impractical.

Maybe tar can be signed as such?

> A saner approach might be to keep a "cache" of the packages in their
> original (not-installed) form and make that available as a "local ELPA
> archive" from which you can redistribute those packages to
> other machines.

Yes. For me it is no problem. I speak for a wide user base.

Ability for each ELPA to download full set of packages and keep it as
local ELPA would be convenient for many users who do not have stable
Internet.

-- 
Jean Louis
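
The two behaviours discussed in this message, setting `package-check-signature` to t and asking the user before a non-https archive is contacted, could look like this in a user's init file. This is an added example, not code from the thread or from package.el; the `my/` function names and the sample archive list are assumptions made for illustration.

```elisp
;;; Added example; the my/ names are hypothetical, not part of package.el.
(require 'package)
(require 'seq)

;; Refuse packages whose signature is missing or does not verify.
;; Archives that publish no signatures become uninstallable under t.
(setq package-check-signature t)

(defun my/insecure-archives (&optional archives)
  "Return the entries of ARCHIVES that are fetched without TLS.
ARCHIVES defaults to `package-archives'.  Entries whose location is an
absolute file name are local archives and are not reported."
  (seq-remove (lambda (entry)
                (let ((location (cdr entry)))
                  (or (string-prefix-p "https://" location t)
                      (file-name-absolute-p location))))
              (or archives package-archives)))

(defun my/confirm-insecure-archives (&rest _)
  "Ask before contacting any archive over a non-https transport."
  (let ((insecure (my/insecure-archives)))
    (when insecure
      ;; Without GnuTLS the https form of an archive URL cannot be used.
      (unless (gnutls-available-p)
        (message "This Emacs was built without usable GnuTLS support"))
      (unless (yes-or-no-p
               (format "Archives %s are not https; traffic is visible on the network.  Continue? "
                       (mapconcat #'car insecure ", ")))
        (user-error "Package refresh cancelled: non-https archive")))))

;; Run the check before the archive index is downloaded.
(advice-add 'package-refresh-contents :before
            #'my/confirm-insecure-archives)

;; Constructed sample input: one https archive, one plain-http archive.
;; Only the plain-http entry is returned.
(my/insecure-archives
 '(("gnu" . "https://elpa.gnu.org/packages/")
   ("example" . "http://elpa.example.org/packages/")))
```

The advice covers only `package-refresh-contents`; package downloads triggered by `package-install` would need the same advice to get the prompt.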