From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Samuel Wales Newsgroups: gmane.emacs.help Subject: is melpa just unsigned? Date: Wed, 17 May 2023 21:21:52 -0700 Message-ID: Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="36874"; mail-complaints-to="usenet@ciao.gmane.io" To: help-gnu-emacs Original-X-From: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane-mx.org@gnu.org Thu May 18 06:22:37 2023 Return-path: Envelope-to: geh-help-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pzV9x-0009Px-2i for geh-help-gnu-emacs@m.gmane-mx.org; Thu, 18 May 2023 06:22:37 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pzV9U-0002tl-S0; Thu, 18 May 2023 00:22:08 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pzV9P-0002tG-Vb for help-gnu-emacs@gnu.org; Thu, 18 May 2023 00:22:04 -0400 Original-Received: from mail-lf1-x12a.google.com ([2a00:1450:4864:20::12a]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pzV9J-0003Bq-FR for help-gnu-emacs@gnu.org; Thu, 18 May 2023 00:22:01 -0400 Original-Received: by mail-lf1-x12a.google.com with SMTP id 2adb3069b0e04-4f3a3ea4f79so56433e87.0 for ; Wed, 17 May 2023 21:21:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684383713; x=1686975713; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=NONl2zYXE3I21NshkM2w0eKAufX9/Si549DGzJp6tKc=; b=j//zXe7PGrTD3GTxIZ+GCB6TPecraZp6UaENohBi6e1tXC1hH1CGPumtU7TgKMKPm/ jnR1wSGAJkNRUd1tWMf8W0oQMNpOGmohw9KKG4Y1YfT8kBFmXqF9WBgwbZRSKMFJxRjY 0RV01icrszz6g2dLd1pCrWbiwuuoOmQvbw1Bd8SOohH2wc3miqW8Nl+N2oVX1si7akEC 5QJmOyAueehZCNlURqV6bW7UTk8606mN47AMumc5qUe16NVD2v/Sd5nMQpiwc9YsEImP Fdh5fcSObuyK4C8LS09bQCs9pkWfGtzmUaaUCk0wHy2qBhPNkfkpSchVVJFz9RGLxcgh KBWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684383713; x=1686975713; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=NONl2zYXE3I21NshkM2w0eKAufX9/Si549DGzJp6tKc=; b=LNpvt/eeYystNJmbB3ooDidu7yjIge5aQ2NCc3Q+SQHrEbQPZPehzgmtedzt5SeLox syFpqnceS+17n8QjYSoj3X/0yKPCsDgp+FWBpZ8YrBh35l0irI8xSS2DZggt9fjHDnQ+ /L/PPTJ/zuukkdtwokKESdQkEiq1RtGx+ejd05hHZdLVenm13+3qHCZx+9YfdeY0uvrd 40HPU6azJOnoHW5tLmCnZcASxRrd8NzpPtX7KcAy4AvxgsHYIPZaRKCVC+zlBxghKkjg 3umSoby71ydE6bJrT7qIT5w1deqZDx4tYfZaKNwBskuRIocapuFEMFhdr6GBVM0w7XXe tomQ== X-Gm-Message-State: AC+VfDy7WFtUAy7T6a22vPE9eW0b8np3Qbhbi6nHCi+I+O2Guni61J3u xcKtKz2qV7TI4eBB0Vu0IrczWuYM4sDIKv5KzVP03wEcYXvnQ4SG X-Google-Smtp-Source: ACHHUZ52qsJVT7Krq3jxCQJroMVT4HE6IZKyOTA2aGEEgkVA4amZU0i991l0xc4bWwbbaIPIDushBVjrfB09xd9ORxQ= X-Received: by 2002:a19:ae17:0:b0:4ef:e7cb:7fbb with SMTP id f23-20020a19ae17000000b004efe7cb7fbbmr1580548lfc.4.1684383713030; Wed, 17 May 2023 21:21:53 -0700 (PDT) Original-Received: by 2002:a05:6520:2dcf:b0:263:96a6:b108 with HTTP; Wed, 17 May 2023 21:21:52 -0700 (PDT) Received-SPF: pass client-ip=2a00:1450:4864:20::12a; envelope-from=samologist@gmail.com; helo=mail-lf1-x12a.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: help-gnu-emacs@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Users list for the GNU Emacs text editor List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.help:143641 Archived-At: i can't seem to find out whether melpa is just plain unsigned as part of its design, or if the archive-contents file is just plain unsigned and packages might or might not be, or if the archive-contents file is supposed to be signed but is not. as a debian user, i am used to all packages AND the package list being signed [i think]. i do not know all the security implications of not signing an archive list, but it sounds dodgy. in any case, the error should definitely not be there? if the archive contents file is not signed, what does htis mean in practice? what are the attack vectors? am i going to have to inspect every line of code in all packages? this isn't practical. it seems gnu elpa is all signed and sealed and delivered. so i feel comfortable inasmuch as that helps. why not melpa? but gnu elpa does not have the packages that i need. i am new to packages. i just upgraded to 27.1 and getting lots of bugs and glitches. i hope i can get some wisdom from this list on the above questions. in particular, why am i getting that error and does melpa sign its package archive? thanks. please cc: me. On 5/17/23, Samuel Wales wrote: > i tried everything suggested i coud find on the web and i still get: > > Unsigned file =E2=80=98archive-contents=E2=80=99 at https://melpa.org/p= ackages/ [2 times] > > whenever i try to list-packages. package-refresh-contents resilts in > > Failed to download =E2=80=98melpa=E2=80=99 archive. > > i have tried renaming ~/.emacs.d/elpa, the melpa subdir, the gnupg > subdir. the gnupg subdir ends up with different contents each time i > try it, it seems. any help apprecited. > > On 5/16/23, Samuel Wales wrote: >> i am the king of writing help messages to this list that do not get >> replied to. i am trying to make them comprehensible and answerable >> but there are often significant limitations. >> >> On 5/15/23, Samuel Wales wrote: >>> ;; [2023-05-15 Mon] >>> ;; i am new to emacs packages, but not new to emacs >>> ;; i recently upgraded to emacs 27 >>> ;; i followed these instructions from melpa: >>> (require 'package) >>> (add-to-list 'package-archives '("melpa" . >>> "https://melpa.org/packages/") >>> t) >>> (setq package-check-signature 'all) >>> (package-initialize) >>> ;; i installed gnu-elpa-keyring-update from elpa >>> ;; problems: >>> ;; 1. startup takes 9s instead of 4s >>> ;; 2. when i do m-x list-packages, i get error in echo area. >>> messages buffer says: >>> ;; Importing package-keyring.gpg...done >>> ;; Package refresh done >>> ;; error in process sentinel: Unsigned file =E2=80=98archive-contents= =E2=80=99 at >>> https://melpa.org/packages/ [2 times] >>> ;; package list shows up, but it does not seem wise to install >>> anything. >>> >>> >>> -- >>> The Kafka Pandemic >>> >>> A blog about science, health, human rights, and misopathy: >>> https://thekafkapandemic.blogspot.com >>> >> >> >> -- >> The Kafka Pandemic >> >> A blog about science, health, human rights, and misopathy: >> https://thekafkapandemic.blogspot.com >> > > > -- > The Kafka Pandemic > > A blog about science, health, human rights, and misopathy: > https://thekafkapandemic.blogspot.com > --=20 The Kafka Pandemic A blog about science, health, human rights, and misopathy: https://thekafkapandemic.blogspot.com