From: Stefan Monnier
Newsgroups: gmane.emacs.devel
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Fri, 23 Oct 2020 10:52:12 -0400
To: Jean Louis
Cc: "Philip K.", rms@gnu.org, thibaut.verron@gmail.com, mve1@runbox.com, emacs-devel@gnu.org, Stefan Kangas, Dmitry Gutov
In-Reply-To: (Jean Louis's message of "Fri, 23 Oct 2020 12:17:36 +0300")
List-Id: "Emacs development discussions."

> I meant to make it as a rule to sign packages, and that it should be
> default in Emacs to accept only signed packages, that increases level of
> security rather than leaving it acceptable for users to get unsigned
> packages. It is definitely now everything about security, yet it is
> one level.

IOW, you're just restating in other words your request to change
`package-check-signature` to t?

> My purpose was to tell you that if Emacs developers allow non-SSL by
> default that users are automatically put at certain risks and that is
> better to ask for SSL by default.

And here you're suggesting that the default value of `package-archives`
should always use `https` regardless of the `gnutls-available-p`?

> So GNU Emacs users should maybe trust blindly packages from ELPA, but
> not all packages by default. To trust other packages they should be
> able transparently to import GPG keys and be able to see the
> fingerprints.

IIUC I basically said the same earlier when I explained that maybe one
reason Melpa still doesn't sign its files is the lack of a clean/good way
for the user to add Melpa's keys to `package.el`'s keyring.
Patches welcome in this area.

> Packages are meant to be distributable as well, if they are signed,
> signature should be also fetched, but that is probably not original
> design of Emacs. In my opinion, it should be. Signatures should be
> inside of the package directory,
> ~/emcas.d/elpa/package-0.0/file.el.gpg

This makes way too many assumptions to be worth discussing, IMO.
For the case of "single file ELPA package" (i.e. those files distributed
as a single .el file) maybe that can work without too much trouble (tho
there's still the issue of trusting the accompanying .elc file), but for
the more common packages distributed as tarballs, I think this is
completely impractical.

A saner approach might be to keep a "cache" of the packages in their
original (not-installed) form and make that available as a "local ELPA
archive" from which you can redistribute those packages to other
machines.

My impression is that this would be better served by a separate package
than by trying to add the feature directly to `package.el`, especially
since I suspect it would remain a fairly unusual scenario.


        Stefan
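
Added example, not part of the message above and not code from package.el: an init-file sketch of the stricter settings the thread discusses, i.e. `package-check-signature` set to t, an https-only `package-archives`, and importing an extra archive key and listing keyring fingerprints. The key file path and every `my/` name are hypothetical.

```elisp
;; Added example (not from the thread): strict package settings.
(require 'package)
(require 'epg)

;; Permissive setting, shown for contrast: `allow-unsigned' installs a
;; package even when the archive provides no signature for it.
;; (setq package-check-signature 'allow-unsigned)

;; Strict setting: a package is installed only if its signature verifies.
(setq package-check-signature t)
;; Exempt no archive from the signature check.
(setq package-unsigned-archives nil)

;; Always https, with no fallback to http when GnuTLS is missing.
(setq package-archives '(("gnu" . "https://elpa.gnu.org/packages/")))
(unless (gnutls-available-p)
  (display-warning 'package
                   "No GnuTLS support: https archives cannot be reached"
                   :warning))

;; Hypothetical location of an extra archive's public key, obtained and
;; checked out of band by the user.
(defvar my/extra-archive-key
  (expand-file-name "keys/extra-archive.gpg" user-emacs-directory)
  "Assumed path to an additional archive signing key.")

;; Add that key to package.el's own keyring (`package-gnupghome-dir').
(when (file-readable-p my/extra-archive-key)
  (package-import-keyring my/extra-archive-key))

(defun my/package-keyring-fingerprints ()
  "Return (FINGERPRINT . USER-ID) pairs for keys package.el trusts."
  (let ((context (epg-make-context 'OpenPGP)))
    ;; Point EPG at package.el's keyring rather than the user's ~/.gnupg.
    (setf (epg-context-home-directory context) package-gnupghome-dir)
    (mapcar (lambda (key)
              (cons (epg-sub-key-fingerprint
                     (car (epg-key-sub-key-list key)))
                    (epg-user-id-string
                     (car (epg-key-user-id-list key)))))
            (epg-list-keys context))))
```

With `package-check-signature` set to t, installation from an archive that does not sign its files will fail, which is the practical cost of the stricter default being debated. Compare the pairs returned by `my/package-keyring-fingerprints` against fingerprints published through a separate channel before trusting an imported key.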