From: Samuel Wales
Newsgroups: gmane.emacs.help
Subject: Re: is melpa just unsigned?
Date: Thu, 25 May 2023 23:07:18 -0700
To: Daniel Fleischer
Cc: help-gnu-emacs@gnu.org

thank you to all. iiuc, these are my quick and tentative impressions/conclusions:

- compared to e.g. debian, security is probably not widely considered a top priority in most of emacs community atm
- big array of interesting pm options, both inside [pms, paradox] and outside [guix, nix, debian] of emacs
- repos: i have chosen gnu elpa, non-gnu elpa, and package.el for now. they are signed. they are simple.
- i would add elpa devel and nongnu elpa devel, but updating with U for some reason updates to those even when repo priorities are set with those lower priority than elpa and nongnu elpa
- i don't really know much about non-gnu elpa or the devel repos
- for other packages, idk. git clone from repo or so? idk.
- i typically update packages every few years
- answer to q is: melpa, not even package list, is probably not signed?
- melpa probably isn't for me as i don't need its recency and would prefer signing or so. i like the vetting.
- idk if quelpa, elpaca, etc. are for me; might or might not be; same with guix and nix. cannot investigate.
- relying on debian might impede portability
- probably no package / pm uses clever hacks to improve security or help user vet code or provenance
- emacs wiki anybody can edit as a repo is a bit too radical for my taste
- emacs mirror idk much about but maybe a pm can fetch, keeping the points of failure to just one repo or so idk

-- 
The Kafka Pandemic

A blog about science, health, human rights, and misopathy:
https://thekafkapandemic.blogspot.com
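
Added example, not part of the original post and not code from package.el itself: an init.el fragment that restricts package.el to the two signed archives the post settles on and requires valid signatures, with the weaker default shown commented out beside it. The helper name my/package-trust-problems is hypothetical.

```emacs-lisp
;;; Added example: signed-only package.el setup (init.el fragment).
(require 'package)

;; Only GNU ELPA and NonGNU ELPA, both fetched over HTTPS.
(setq package-archives
      '(("gnu"    . "https://elpa.gnu.org/packages/")
        ("nongnu" . "https://elpa.nongnu.org/nongnu/")))

;; Weak setting, and the default: a package that carries no signature
;; is still installed.
;; (setq package-check-signature 'allow-unsigned)

;; Strict setting: the archive-contents file and every package must
;; carry a valid signature, otherwise package.el signals an error.
;; An archive that publishes no signatures cannot be used in this mode.
(setq package-check-signature t)

;; Exempt no archive from the signature check.
(setq package-unsigned-archives nil)

(defun my/package-trust-problems ()
  "Return a list of strings describing weak spots in the package.el setup.
Hypothetical helper for this example.  It only inspects variables and
does no network access."
  (let (problems)
    (unless (memq package-check-signature '(t all))
      (push (format "package-check-signature is %S: unsigned packages are accepted"
                    package-check-signature)
            problems))
    (dolist (archive package-archives)
      (unless (string-prefix-p "https://" (cdr archive))
        (push (format "archive %s is not fetched over HTTPS: %s"
                      (car archive) (cdr archive))
              problems))
      (when (member (car archive) package-unsigned-archives)
        (push (format "archive %s is exempt from signature checks"
                      (car archive))
              problems)))
    (nreverse problems)))
```

Evaluating (my/package-trust-problems) after adding another archive to package-archives, or after relaxing package-check-signature, lists what changed in the trust setup before any package is installed from it.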