From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Stefan Monnier Newsgroups: gmane.emacs.devel Subject: Re: ELPA security Date: Mon, 17 Jun 2013 10:34:37 -0400 Message-ID: References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com> <87k3rrr31g.fsf@Rainer.invalid> <874nium8h0.fsf@lifelogs.com> <87zk0ljaub.fsf@lifelogs.com> <87wqvng299.fsf@lifelogs.com> <87ip77y2s9.fsf@Rainer.invalid> <871u815wkz.fsf@uwakimon.sk.tsukuba.ac.jp> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: ger.gmane.org 1371479728 21120 80.91.229.3 (17 Jun 2013 14:35:28 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Mon, 17 Jun 2013 14:35:28 +0000 (UTC) Cc: emacs-devel@gnu.org To: "Stephen J. Turnbull" Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Jun 17 16:35:28 2013 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1UoaWl-000606-9g for ged-emacs-devel@m.gmane.org; Mon, 17 Jun 2013 16:35:27 +0200 Original-Received: from localhost ([::1]:52776 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1UoaWk-0008Lx-U1 for ged-emacs-devel@m.gmane.org; Mon, 17 Jun 2013 10:35:26 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:45108) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1UoaW0-00073P-0n for emacs-devel@gnu.org; Mon, 17 Jun 2013 10:34:41 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1UoaVy-0003ZW-RI for emacs-devel@gnu.org; Mon, 17 Jun 2013 10:34:39 -0400 Original-Received: from ironport2-out.teksavvy.com ([206.248.154.182]:40935) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1UoaVy-0003ZM-NO for emacs-devel@gnu.org; Mon, 17 Jun 2013 10:34:38 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Av4EABK/CFFFpZVy/2dsb2JhbABEvw4Xc4IeAQEEAVYjBQsLNBIUGA0kiB4GwS2RCgOkeoFegxOBSiI X-IPAS-Result: Av4EABK/CFFFpZVy/2dsb2JhbABEvw4Xc4IeAQEEAVYjBQsLNBIUGA0kiB4GwS2RCgOkeoFegxOBSiI X-IronPort-AV: E=Sophos;i="4.84,565,1355115600"; d="scan'208";a="16554180" Original-Received: from 69-165-149-114.dsl.teksavvy.com (HELO pastel.home) ([69.165.149.114]) by ironport2-out.teksavvy.com with ESMTP/TLS/ADH-AES256-SHA; 17 Jun 2013 10:34:33 -0400 Original-Received: by pastel.home (Postfix, from userid 20848) id CDC4F63C9B; Mon, 17 Jun 2013 10:34:37 -0400 (EDT) In-Reply-To: <871u815wkz.fsf@uwakimon.sk.tsukuba.ac.jp> (Stephen J. Turnbull's message of "Mon, 17 Jun 2013 10:56:28 +0900") User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux) X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 206.248.154.182 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:160501 Archived-At: >> And maybe automatically eliminate an archive from that "not signed" >> list if we ever find a signature in it. > If this is about security rather than adding to your BrightShinyThings > collection, you should have a signed-and-verified-and-checked-for- > expired-or-revoked-on-$DATE list, and eliminate any packages from the > list if they fail any of the hyphenated conditions. We're really far from that. The config under discussion is one that indicates whether it's normal that the archive (the whole archive, not a specific package) doesn't have signatures. Stefan