* no gnupg directory under elpa?
From: Eric Abrahamsen @ 2014-05-27 4:16 UTC (permalink / raw)
To: help-gnu-emacs

I'm using git Emacs. Apparently there's supposed to be a gnupg directory
under elpa, where signatures are stored, is that right? All my installed
packages are bright red and say "unsigned" on them, which is
disconcerting. Have I missed some step in package initialization, or is
this just because no one has provided signatures with their packages?

I've downloaded and loaded the elisp-code-keyring.gpg from gnu.org, and
my package-check-signature is set to the default 'allow-unsigned. I'm
not doing anything special at all with package initialization, just
(require 'package) and then a couple of (add-to-list 'package-archives)
statements.

Am I missing anything?

Thanks,
Eric

* Re: no gnupg directory under elpa?
From: Thien-Thi Nguyen @ 2014-05-28 9:33 UTC (permalink / raw)
To: help-gnu-emacs

() Eric Abrahamsen <eric@ericabrahamsen.net>
() Tue, 27 May 2014 12:16:07 +0800

   Have I missed some step in package initialization, or is this just
   because no one has provided signatures with their packages?

AFAICT (from "grep sig elpa/admin/*"), ELPA does not produce signatures.
I don't know if individual packages do so. (My contributions are not
signed because i wasn't even aware of this package.el aspect until now,
and there is no mention in the ELPA README.)

BTW, i agree that the red "unsigned" field is somewhat disconcerting!

   just (require 'package) and then a couple of (add-to-list
   'package-archives) statements.

What do you see for packages installed from archives other than ELPA?

--
Thien-Thi Nguyen
GPG key: 4C807502
(if you're human and you know it)
read my lisp: (responsep (questions 'technical)
(not (via 'mailing-list)))
=> nil

* Re: no gnupg directory under elpa?
From: Eric Abrahamsen @ 2014-05-28 9:56 UTC (permalink / raw)
To: help-gnu-emacs
Thien-Thi Nguyen <ttn@gnu.org> writes:
> () Eric Abrahamsen <eric@ericabrahamsen.net>
> () Tue, 27 May 2014 12:16:07 +0800
>
> Have I missed some step in package initialization, or is this just
> because no one has provided signatures with their packages?
>
> AFAICT (from "grep sig elpa/admin/*"), ELPA does not produce signatures.
> I don't know if individual packages do so. (My contributions are not
> signed because i wasn't even aware of this package.el aspect until now,
> and there is no mention in the ELPA README.)
>
> BTW, i agree that the red "unsigned" field is somewhat disconcerting!
>
> just (require 'package) and then a couple of (add-to-list
> 'package-archives) statements.
>
> What do you see for packages installed from archives other than ELPA?

All installed packages are red and unsigned, and have *nothing* in their
archive column -- it's not just ELPA, it's also Melpa and Marmalade.
Hitting "?" on the package shows something like this:

    multiple-cursors is an unsigned package.
    Status: Installed in `~/.emacs.d/elpa/multiple-cursors-20140418.815/' (unsigned).
    Archive: n/a
    Version: 20140527.359
    Summary: Multiple cursors for Emacs.
    Other versions: 20140527.359 (melpa), 1.3.0 (marmalade).

All the packages are like this: Archive says n/a, but it's pretty
obvious that I'm using one of the "Other versions".

All the uninstalled ("available") packages have values in the Archive
column, and under the same header in the info page.

I wonder if I should just make a list of installed packages, hose the
whole thing, and start over...

E

* Re: no gnupg directory under elpa?
From: Thien-Thi Nguyen @ 2014-05-28 11:35 UTC (permalink / raw)
To: help-gnu-emacs

() Eric Abrahamsen <eric@ericabrahamsen.net>
() Wed, 28 May 2014 17:56:09 +0800

   > What do you see for packages installed from archives other than ELPA?

   All installed packages are red and unsigned, and have *nothing* in
   their archive column -- it's not just ELPA, it's also Melpa and
   Marmalade.

   [details]

It sounds like the feature must still be implemented, everywhere. For
ELPA (i don't know about the others), this would entail an additional
stage for the release flow, at the least. It will not be enough for a
package to simply bump its version number; the ELPA admin needs to sign
either the package or the entire archive (IIUC package.el), as well.

   I wonder if I should just make a list of installed packages, hose the
   whole thing, and start over...

I did that (w/ only two packages from ELPA) and saw no change, and
suspect you won't, either. Hmm, i wonder where ELPA, Melpa, Marmalade,
etc. admins/hackers hang out to discuss design and interop. IRC? As
Emacs makes a nice root-kit platform, i hope security features for the
package system(s) are high priority for them... am i being realistic?

--
Thien-Thi Nguyen
GPG key: 4C807502
(if you're human and you know it)
read my lisp: (responsep (questions 'technical)
(not (via 'mailing-list)))
=> nil

* Re: no gnupg directory under elpa?
From: Stefan Monnier @ 2014-05-28 11:58 UTC (permalink / raw)
To: help-gnu-emacs

> All installed packages are red and unsigned, and have *nothing* in
> their archive column -- it's not just ELPA, it's also Melpa and
> Marmalade.

Please M-x report-emacs-bug about it.

> It sounds like the feature must still be implemented, everywhere.

Indeed, IIUC the necessary sig-checking code was added to package.el but
the GNU ELPA scripts haven't yet been updated to generate those sigs.

> Emacs makes a nice root-kit platform, i hope security features for the
> package system(s) are high priority for them... am i being realistic?

Somewhat high, but not super high, no.

Stefan
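
[Added example, not part of the thread and not code from package.el or any poster: an Emacs Lisp audit of the state discussed above, reporting the package-check-signature setting, whether the gnupg directory under elpa exists, and which installed packages package.el has recorded as signed. The helper name my/package-signature-audit and the buffer name are hypothetical; it assumes Emacs 24.4 or later with package.el already initialised.]

```elisp
;; Added example; `my/package-signature-audit' is a hypothetical helper name.
;; Assumes Emacs 24.4 or later and that package.el is already initialised,
;; so `package-alist' describes the installed packages.
(require 'package)

(defun my/package-signature-audit ()
  "Show signature-checking state for installed packages in a buffer."
  (interactive)
  ;; The keyring location named in the thread: a gnupg directory under elpa.
  (let ((gnupg-dir (expand-file-name "gnupg" package-user-dir))
        (signed 0)
        (unsigned '()))
    ;; `package-alist' maps each package name to its installed descriptors.
    (dolist (entry package-alist)
      (dolist (desc (cdr entry))
        (if (package-desc-signed desc)
            (setq signed (1+ signed))
          (push (package-desc-full-name desc) unsigned))))
    (with-current-buffer (get-buffer-create "*package-signature-audit*")
      (erase-buffer)
      (insert (format "package-check-signature: %S\n" package-check-signature)
              (format "keyring directory %s: %s\n" gnupg-dir
                      (if (file-directory-p gnupg-dir) "present" "missing"))
              (format "signed: %d, unsigned: %d\n" signed (length unsigned)))
      ;; With `allow-unsigned', packages from archives that publish no
      ;; signatures install without error and end up in this list.
      (dolist (name (sort unsigned #'string<))
        (insert "  unsigned  " name "\n"))
      (display-buffer (current-buffer)))))
```

[A missing keyring directory together with an all-unsigned list is consistent with what the thread reports: the checking code exists on the client side, but nothing was verified at install time.]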