From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Stefan Monnier <monnier@iro.umontreal.ca>
Newsgroups: gmane.emacs.devel
Subject: Re: Proposal to include obligatory PGP verification of packages
 from any repository
Date: Fri, 23 Oct 2020 14:25:55 -0400
Message-ID: <jwvr1pox10k.fsf-monnier+emacs@gnu.org>
References: <20201019174745.GJ19325@protected.rcdrun.com>
 <jwvv9f6f664.fsf-monnier+emacs@gnu.org>
 <20201019190452.GO19325@protected.rcdrun.com>
 <jwvwnzmdlr8.fsf-monnier+emacs@gnu.org>
 <20201019210205.GT19325@protected.rcdrun.com>
 <jwvft69evmy.fsf-monnier+emacs@gnu.org>
 <X46UYoYjBolZy6sJ@protected.rcdrun.com>
 <jwveelq2frq.fsf-monnier+emacs@gnu.org>
 <X5KfsONdc7a4yAwb@protected.rcdrun.com>
 <jwvy2jxypp6.fsf-monnier+emacs@gnu.org>
 <X5ML499phSwyxEpD@protected.rcdrun.com>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="8616"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)
Cc: "Philip K." <philipk@posteo.net>, rms@gnu.org, thibaut.verron@gmail.com,
 mve1@runbox.com, emacs-devel@gnu.org, Stefan Kangas <stefankangas@gmail.com>,
 Dmitry Gutov <dgutov@yandex.ru>
To: Jean Louis <bugs@gnu.support>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Fri Oct 23 20:27:43 2020
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1kW1mw-000261-Sg
	for ged-emacs-devel@m.gmane-mx.org; Fri, 23 Oct 2020 20:27:42 +0200
Original-Received: from localhost ([::1]:35006 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1kW1mv-0002y5-TP
	for ged-emacs-devel@m.gmane-mx.org; Fri, 23 Oct 2020 14:27:41 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:48088)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <monnier@iro.umontreal.ca>)
 id 1kW1lS-0001kR-Er
 for emacs-devel@gnu.org; Fri, 23 Oct 2020 14:26:11 -0400
Original-Received: from mailscanner.iro.umontreal.ca ([132.204.25.50]:10368)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <monnier@iro.umontreal.ca>)
 id 1kW1lI-00009S-VC; Fri, 23 Oct 2020 14:26:09 -0400
Original-Received: from pmg1.iro.umontreal.ca (localhost.localdomain [127.0.0.1])
 by pmg1.iro.umontreal.ca (Proxmox) with ESMTP id 70F55105CA6;
 Fri, 23 Oct 2020 14:25:59 -0400 (EDT)
Original-Received: from mail01.iro.umontreal.ca (unknown [172.31.2.1])
 by pmg1.iro.umontreal.ca (Proxmox) with ESMTP id A1F09100267;
 Fri, 23 Oct 2020 14:25:57 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iro.umontreal.ca;
 s=mail; t=1603477557;
 bh=evVzkHIpphN1xo4PcF8g6cLLhdH+rOYbFQGEBmB2gE4=;
 h=From:To:Cc:Subject:References:Date:In-Reply-To:From;
 b=N9lkW/c6Shj7E5kNMRPSWPRDdd2zZbYutrOUeiONYappcDzCYL61vC1bQFcz446l+
 OKluqOFZooc3rzsRtL2n5j5c5J0AzbZoEbO3jziGJeTgASmyFdfxOQDCc3jTy3BOKK
 pKIkoDaRyjjTldmgHY47Y4EyVwBhk0nS4YC//6vNLmvVzfpzCMX02uL1WArPaf7PdQ
 iOLci2GuRkWlig8X6jaKy5ZwKL5wQIl8IrRGdSp7WwwD28Md0JB5saA/y3Yq1Y5VdZ
 AhNOyiWe7333uRbm+eoAS8HgHGiqsRkkBuf5OBicoNTN+G2UJUdpBTPWxOw7lLRKWs
 YtvXR0MHKNAPg==
Original-Received: from alfajor (unknown [157.52.9.240])
 by mail01.iro.umontreal.ca (Postfix) with ESMTPSA id DB81B120188;
 Fri, 23 Oct 2020 14:25:56 -0400 (EDT)
In-Reply-To: <X5ML499phSwyxEpD@protected.rcdrun.com> (Jean Louis's message of
 "Fri, 23 Oct 2020 19:59:15 +0300")
Received-SPF: pass client-ip=132.204.25.50;
 envelope-from=monnier@iro.umontreal.ca; helo=mailscanner.iro.umontreal.ca
X-detected-operating-system: by eggs.gnu.org: First seen = 2020/10/23 10:33:03
X-ACL-Warn: Detected OS   = Linux 2.2.x-3.x [generic]
X-Spam_score_int: -42
X-Spam_score: -4.3
X-Spam_bar: ----
X-Spam_report: (-4.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Original-Sender: "Emacs-devel"
 <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.devel:258383
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/258383>

>> IOW, you're just restating in other words your request to change
>> `package-check-signature` to t?
> Yes.

I'm find with it, but it's not up to me and I think it will require more
code changes so that errors are reported in a way that's more friendly
to the user (e.g. so the users can figure out whether the problem is
with the signature, the lack of key, or the lack of GPG, for example).

I suggest you `M-x report-emacs-bug` with this specific request and
accompany it with a patch that improves the error handling.

>> > My purpose was to tell you that if Emacs developers allow non-SSL by
>> > default that users are automatically put at certain risks and that is
>> > better to ask for SSL by default.
>> And here you're suggesting that the default value of `package-archives`
>> should always use `https` regardless of the `gnutls-available-p`?
> I understand from that statement that probably not every platform will
> have gnutls or whatever other solution.

I believe it is available on all the platforms we support, but you can
build Emacs without support for it (and under Windows, IIUC, you can
build it with support for gnutls and later run it without libgnutls in
which case it'll behave pretty much as if it had been built without
support for gnutls).

> Let me mention that ...

Yes, you already said so, and I believe it's been common knowledge on
this mailing-list for a while.

>> This makes way too many assumptions to be worth discussing, IMO.
>> For the case of "single file ELPA package" (i.e. those files
>> distributed as a single .el file) maybe that can work without too much
>> trouble (tho there's still the issue of trusting the accompanying .elc
>> file), but for the more common packages distributed as tarballs, I think
>> this is completely impractical.
> Maybe tar can be signed as such?

It is.  But the installed files are not the tarball, and it's difficult
to reproduce the tarball from the installed files in order to check that
they still "match the signature".

>> A saner approach might be to keep a "cache" of the packages in their
>> original (not-installed) form and make that available as a "local ELPA
>> archive" from which you can redistribute those packages to
>> other machines.
> Yes.  For me is no problem.  I speak for wide user base.  Ability for
> each ELPA to download full set of packages and keep it as local ELPA
> would be convenient for many users who do not have stable Internet.

You can mirror GNU ELPA via rsync.


        Stefan