From: Jean Louis <bugs@gnu.support>
To: Eli Zaretskii <eliz@gnu.org>
Cc: help-gnu-emacs@gnu.org
Subject: Re: Public key for verifying emacs sources?
Date: Sun, 18 Jul 2021 14:38:07 +0300
Message-ID: <YPQSn3XSMPgB41S5@protected.localdomain>
In-Reply-To: <83mtqk2jj7.fsf@gnu.org>

* Eli Zaretskii <eliz@gnu.org> [2021-07-18 10:02]:
> > Date: Sat, 17 Jul 2021 21:44:31 -0400
> > From: Steve Revilak <steve@srevilak.net>
> > 
> > Where can I find a copy of the signing key, so I can verify the source
> > distribution I've downloaded?
> 
> Download the latest gnu-keyring.gpg from
> https://ftp.gnu.org/gnu/gnu-keyring.gpg, then type:
> 
>    gpg --import gnu-keyring.gpg
> 
> Then try verifying the signature again.

Me too, I have done the import and I see a large number of keys. While
it is good that keys are distributed from the official GNU.org server,
there is no published assurance that the GNU project verified that each
key belongs to the person it should belong to. Thus one shall not forget
that security depends on the weakest part.

In other words, verifying that a package belongs to a specific key is one
level of security; it does not verify that the key belongs to the specific
author the package claims to belong to, unless both sender and recipient
verify each other's personal identity and fingerprints.

Better security than PGP for Emacs packages on GNU ELPA is provided by the
fact that many developers and users are looking into the packages anyway.

IMHO, PGP in GNU ELPA is kind of redundant, as true verification of
the keys and fingerprints would be a rather tedious activity.



Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
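As an added example (not from the thread or from GNU), the verification step Eli describes, with the check Jean's point calls for: after `gpg --import`, a valid signature only proves the file was signed by some key in the keyring, so the script also pins the expected fingerprint and reads gpg's machine-readable status instead of eyeballing the output. The file names, the `verify_pinned` helper and the pinned fingerprint are assumptions, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: verify a detached signature AND pin the signer's fingerprint.
# A GOODSIG from any key in gnu-keyring.gpg is not enough; the fingerprint
# must match the one you obtained and checked out of band.

# Parse gpg's --status-fd output (on stdin) and print the fingerprint from
# the VALIDSIG line: field 12 is the primary-key fingerprint when gpg emits
# it, otherwise field 3 (the signing key or subkey). Exit 1 if no VALIDSIG.
validsig_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print (NF >= 12) ? $12 : $3; found = 1 }
         END { exit(found ? 0 : 1) }'
}

# Compare two fingerprints, ignoring spaces and letter case; an empty
# fingerprint never matches.
fingerprint_matches() {
    got=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    want=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_pinned SIGFILE FILE EXPECTED_FPR  (hypothetical helper)
# Fails if the signature is bad, if no VALIDSIG was produced, or if the
# signing key's fingerprint is not the pinned one.
verify_pinned() {
    sig=$1; file=$2; want=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | validsig_fingerprint) || return 1
    fingerprint_matches "$fpr" "$want"
}

# Constructed sample of gpg status output, used to exercise the parser offline.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer (constructed) <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-07-17 1626570271 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
EOF
}

# Real usage (assumed file names; EXPECTED_FPR is a placeholder for the
# fingerprint you verified out of band):
#   verify_pinned emacs-27.2.tar.xz.sig emacs-27.2.tar.xz "$EXPECTED_FPR"
```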