unofficial mirror of help-gnu-emacs@gnu.org
From: Samuel Wales <samologist@gmail.com>
To: help-gnu-emacs <help-gnu-emacs@gnu.org>
Subject: is melpa just unsigned?
Date: Wed, 17 May 2023 21:21:52 -0700
Message-ID: <CAJcAo8u5LWaLsgMNM-gPuhmRGTD+GYs3-=N-J0WypO5kbjqYiA@mail.gmail.com>

i can't seem to find out whether melpa is just plain unsigned as part
of its design, or if the archive-contents file is just plain unsigned
and packages might or might not be, or if the archive-contents file is
supposed to be signed but is not.

as a debian user, i am used to all packages AND the package list being
signed [i think].  i do not know all the security implications of not
signing an archive list, but it sounds dodgy.  in any case, the error
should definitely not be there?

if the archive contents file is not signed, what does this mean in
practice?  what are the attack vectors?

am i going to have to inspect every line of code in all packages?
this isn't practical.

it seems gnu elpa is all signed and sealed and delivered.  so i feel
comfortable inasmuch as that helps.  why not melpa?

but gnu elpa does not have the packages that i need.  i am new to
packages.  i just upgraded to 27.1 and getting lots of bugs and
glitches.  i hope i can get some wisdom from this list on the above
questions.

in particular, why am i getting that error and does melpa sign its
package archive?  thanks.  please cc: me.

On 5/17/23, Samuel Wales <samologist@gmail.com> wrote:
> i tried everything suggested i could find on the web and i still get:
>
>   Unsigned file ‘archive-contents’ at https://melpa.org/packages/ [2 times]
>
> whenever i try to list-packages.  package-refresh-contents results in
>
>   Failed to download ‘melpa’ archive.
>
> i have tried renaming ~/.emacs.d/elpa, the melpa subdir, the gnupg
> subdir.  the gnupg subdir ends up with different contents each time i
> try it, it seems.  any help appreciated.
>
> On 5/16/23, Samuel Wales <samologist@gmail.com> wrote:
>> i am the king of writing help messages to this list that do not get
>> replied to.  i am trying to make them comprehensible and answerable
>> but there are often significant limitations.
>>
>> On 5/15/23, Samuel Wales <samologist@gmail.com> wrote:
>>>   ;; [2023-05-15 Mon]
>>>   ;; i am new to emacs packages, but not new to emacs
>>>   ;; i recently upgraded to emacs 27
>>>   ;; i followed these instructions from melpa:
>>>   (require 'package)
>>>   (add-to-list 'package-archives '("melpa" . "https://melpa.org/packages/") t)
>>>   (setq package-check-signature 'all)
>>>   (package-initialize)
>>>   ;; i installed gnu-elpa-keyring-update from elpa
>>>   ;; problems:
>>>   ;; 1.  startup takes 9s instead of 4s
>>>   ;; 2.  when i do m-x list-packages, i get error in echo area.  messages buffer says:
>>>   ;; Importing package-keyring.gpg...done
>>>   ;; Package refresh done
>>>   ;; error in process sentinel: Unsigned file ‘archive-contents’ at https://melpa.org/packages/ [2 times]
>>>   ;; package list shows up, but it does not seem wise to install anything.
>>>
>>>
>>> --
>>> The Kafka Pandemic
>>>
>>> A blog about science, health, human rights, and misopathy:
>>> https://thekafkapandemic.blogspot.com


-- 
The Kafka Pandemic

A blog about science, health, human rights, and misopathy:
https://thekafkapandemic.blogspot.com
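
The configuration quoted above, reworked as an added example (not part of the original post, and not code from MELPA or package.el): strict checking stays on, and the archive that produced the "Unsigned file" error is exempted by name through `package-unsigned-archives`, so that it is accepted on TLS alone. The helper `my/archive-trust-report` is a hypothetical name, and it assumes "melpa" serves no `archive-contents.sig`, which is what the quoted error reports.

```emacs-lisp
;; Added example, not from the original post.
(require 'package)

(add-to-list 'package-archives '("melpa" . "https://melpa.org/packages/") t)

;; Strict: every archive not exempted below must supply a valid signature
;; for archive-contents and for each package file.
(setq package-check-signature 'all)

;; Exemption list, matched against the names used in `package-archives'.
;; Assumption: "melpa" serves no .sig files, as the quoted error reports.
;; For an exempt archive the only protection in transit is TLS, and a
;; compromise of the archive server itself is not detected.
(setq package-unsigned-archives '("melpa"))

(defun my/archive-trust-report ()
  "Return a list of (NAME TRANSPORT SIGNATURES) for `package-archives'.
Hypothetical helper for auditing the configuration; not part of package.el."
  (mapcar
   (lambda (archive)
     (let ((name (car archive))
           (url (cdr archive)))
       (list name
             ;; How the archive is reached.
             (cond ((string-prefix-p "https://" url) 'tls)
                   ((string-prefix-p "http://" url) 'plaintext)
                   (t 'local-or-other))
             ;; What the current settings demand of it.
             (cond ((null package-check-signature) 'ignored)
                   ((member name package-unsigned-archives) 'exempt)
                   ((eq package-check-signature 'allow-unsigned)
                    'checked-if-present)
                   (t 'required)))))
   package-archives))
```

Evaluating `(my/archive-trust-report)` after editing the archive list shows which archives must present signatures and which are accepted without one.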
