From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Stefan Monnier Newsgroups: gmane.emacs.devel Subject: Re: ELPA security Date: Mon, 07 Jan 2013 22:07:05 -0500 Message-ID: References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com> <87k3rrr31g.fsf@Rainer.invalid> <874nium8h0.fsf@lifelogs.com> <87zk0ljaub.fsf@lifelogs.com> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: ger.gmane.org 1357614432 24093 80.91.229.3 (8 Jan 2013 03:07:12 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Tue, 8 Jan 2013 03:07:12 +0000 (UTC) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Tue Jan 08 04:07:29 2013 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1TsPXC-0000ul-9C for ged-emacs-devel@m.gmane.org; Tue, 08 Jan 2013 04:07:26 +0100 Original-Received: from localhost ([::1]:33852 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TsPWw-0004T5-LJ for ged-emacs-devel@m.gmane.org; Mon, 07 Jan 2013 22:07:10 -0500 Original-Received: from eggs.gnu.org ([208.118.235.92]:59523) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TsPWu-0004Sp-1N for emacs-devel@gnu.org; Mon, 07 Jan 2013 22:07:08 -0500 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1TsPWt-0001fK-3L for emacs-devel@gnu.org; Mon, 07 Jan 2013 22:07:07 -0500 Original-Received: from ironport2-out.teksavvy.com ([206.248.154.182]:26057) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TsPWs-0001fE-Vd for emacs-devel@gnu.org; Mon, 07 Jan 2013 22:07:07 -0500 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AtkGAG6Zu09FxIzd/2dsb2JhbABEgXuyFoEIghUBAQQBVigLCzQSFBgNiEAFugmNJoMeA4hCmnGBWIMH X-IronPort-AV: E=Sophos;i="4.75,637,1330923600"; d="scan'208";a="212024060" Original-Received: from 69-196-140-221.dsl.teksavvy.com (HELO pastel.home) ([69.196.140.221]) by ironport2-out.teksavvy.com with ESMTP/TLS/ADH-AES256-SHA; 07 Jan 2013 22:07:06 -0500 Original-Received: by pastel.home (Postfix, from userid 20848) id D9B8D4E039; Mon, 7 Jan 2013 22:07:05 -0500 (EST) In-Reply-To: <87zk0ljaub.fsf@lifelogs.com> (Ted Zlatanov's message of "Mon, 07 Jan 2013 10:01:48 -0500") User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux) X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 206.248.154.182 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:156131 Archived-At: > Yes, I think that's the agreement. I'd rather keep a .sig for every > file instead of signing the whole package, because then you can package > the whole directory in one tarball or distribute it as source, but > that's a technicality IMO. The tarball contains nothing else than the source, and it can only be downloaded as a whole, so there's no point signing each file in a tarball individually. > I'd like to settle the signing keys (will it be the authors or a group > of GNU ELPA maintainers?); The signing will not guarantee any kind of code quality, it will only guarantee "this comes from the real GNU ELPA". So the signing key will be a "GNU ELPA" key. > `archive-contents' (will its format change?); Yes and no: each entry in it will have one more optional field containing the signature. AFAIK it should be backward compatible, so it's a change, but will still work with older package.el. Stefan