From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Stefan Monnier <monnier@iro.umontreal.ca>
Newsgroups: gmane.emacs.devel
Subject: Re: Release-critical bugs
Date: Wed, 24 Sep 2014 11:04:25 -0400
Message-ID: <jwvppelul4v.fsf-monnier+emacs@gnu.org>
References: <87mw9yb2f8.fsf@engster.org> <arvbomvxvs.fsf@fencepost.gnu.org>
	<87a95pnn8n.fsf@lifelogs.com>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: ger.gmane.org 1411571100 2966 80.91.229.3 (24 Sep 2014 15:05:00 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Wed, 24 Sep 2014 15:05:00 +0000 (UTC)
To: emacs-devel@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Wed Sep 24 17:04:55 2014
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1XWo7c-0008E3-NK
	for ged-emacs-devel@m.gmane.org; Wed, 24 Sep 2014 17:04:48 +0200
Original-Received: from localhost ([::1]:60388 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1XWo7c-0004BJ-Av
	for ged-emacs-devel@m.gmane.org; Wed, 24 Sep 2014 11:04:48 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:36059)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <monnier@iro.umontreal.ca>) id 1XWo7T-00048Y-Bg
	for emacs-devel@gnu.org; Wed, 24 Sep 2014 11:04:44 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <monnier@iro.umontreal.ca>) id 1XWo7L-0000Wn-AJ
	for emacs-devel@gnu.org; Wed, 24 Sep 2014 11:04:39 -0400
Original-Received: from ironport2-out.teksavvy.com ([206.248.154.181]:9982)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <monnier@iro.umontreal.ca>) id 1XWo7L-0000Vj-6h
	for emacs-devel@gnu.org; Wed, 24 Sep 2014 11:04:31 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ArYGAIDvNVOnWBcZ/2dsb2JhbABZgwY7gw/APYEXF3SCJQEBAQECAVYoCwsUIBIUGA2IKAgN0gwXjwEWhCIEmgGRAoNMIQ
X-IPAS-Result: ArYGAIDvNVOnWBcZ/2dsb2JhbABZgwY7gw/APYEXF3SCJQEBAQECAVYoCwsUIBIUGA2IKAgN0gwXjwEWhCIEmgGRAoNMIQ
X-IronPort-AV: E=Sophos;i="4.97,753,1389762000"; d="scan'208";a="90758226"
Original-Received: from 167-88-23-25.cpe.teksavvy.com (HELO pastel.home)
	([167.88.23.25])
	by ironport2-out.teksavvy.com with ESMTP/TLS/DHE-RSA-AES256-SHA;
	24 Sep 2014 11:04:25 -0400
Original-Received: by pastel.home (Postfix, from userid 20848)
	id 315A460664; Wed, 24 Sep 2014 11:04:25 -0400 (EDT)
In-Reply-To: <87a95pnn8n.fsf@lifelogs.com> (Ted Zlatanov's message of "Wed, 24
	Sep 2014 09:48:08 -0400")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux)
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 206.248.154.181
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:174691
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/174691>

>   http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17625 [i|*| ] [emacs] details
> of package signing mechanism 
>   Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>; Date: Thu, 29
> May 2014 03:12:01 UTC; Severity: important; Tags: security; Found in version
> 24.4.50; Filed 118 days
>   ago; Modified 89 days ago; 

> Daiki Ueno made some fixes. Stefan got the detailed steps for generating
> a package signature and we need at least one package plus the
> archive-contents signed by the maintainer in the GNU ELPA to test the
> client behavior. This seems OK to me as far as the code.

> Stefan suggested some behavior changes that we can implement and test
> easily, but are not IMO critical for the release.

The GNU ELPA archive is now signed and the emacs-24 branch comes with
the corresponding public public key.  In my tests, this works OK, but
please try to install packages from GNU ELPA with and without GPG
installed, and try it also with package-check-signature set to t.


        Stefan