Re: security of the emacs package system, elpa, melpa and marmalade

[Daiki Ueno <ueno@gnu.org>]

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Mon, 23 Sep 2013 10:17:33 -0400 Stefan Monnier
> SM> The current state, AFAIK is that we decided that ELPA servers should
> SM> put *.gpg signatures alongside their tarballs and other files, signed
> SM> with an "archive" key.  This signature can be used to check that the
> SM> package you get indeed comes from that archive.
>
> SM> In terms of code, it's not implemented yet, AFAIK (IIRC Ted is working
> SM> on it).
>
> VERY slowly.  I tried to get back to it, only to find out (see other
> thread under subject "bad epg.el+GPG2 behavior: unavoidable passphrase
> pinentry prompt") that GPG2 is practically unusable.  Frustrating.

I don't see much relation between this and what Stefan is talking above.
For signature verification, passphrase prompt shouldn't be used, since
it does not require any secret key operation.

For signing with an "archive" key, do you really want to do that with
Emacs, instead of other handy scripting languages?

> As I've mentioned in the past, I dislike relying on an external binary
> like GPG to do encryption so this is pushing me again towards a more
> built-in Lispy way to do signing of packages.  Opinions welcome,
> especially if you can think of a way that Emacs can sign files in a
> similar way to GPG keys in Lisp.

I remember that you asked this in the past, and I answered that it might
make some sense as long as the code produces a signature in a
standardized format as GPG does.  You then responded that you didn't
have enough knowledge to implement it.

I don't think it is a constructive attitude to repeat the same argument
without any outcomes and even omitting the background.

Regards,
-- 
Daiki Ueno