From: Jean Louis
Newsgroups: gmane.emacs.devel
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Tue, 20 Oct 2020 00:02:05 +0300
Message-ID: <20201019210205.GT19325@protected.rcdrun.com>
References: <10bdf4ea-e365-cc3d-ec03-4348946fadbe@yandex.ru> <20201019124335.GC19325@protected.rcdrun.com> <20201019163827.GG19325@protected.rcdrun.com> <20201019174745.GJ19325@protected.rcdrun.com> <20201019190452.GO19325@protected.rcdrun.com>
To: Stefan Monnier
Cc: "Philip K.", rms@gnu.org, thibaut.verron@gmail.com, mve1@runbox.com, emacs-devel@gnu.org, Stefan Kangas, Dmitry Gutov
Xref: news.gmane.io gmane.emacs.devel:258150

* Stefan Monnier [2020-10-19 23:23]:
> > I would rather expect message shown, just as it is not shown for
> > unsigned packages.
>
> `package.el` should emit a message when installing a package without any
> signature, since that's the odd and undesirable case. I find it
> perfectly normal not to say anything when the signature check succeeded.
>
> > Regarding packages in GNU ELPA, can I now assume they are all signed?
>
> Of course. It's been that way since Emacs-24.4, IIRC.
>
> > Is there a policy that GNU ELPA packages should be signed?
>
> Not sure what that would mean: *we* sign it, so there's no policy to
> enforce. At most there are bugs to fix if the sigs are missing
> or incorrect.

It would be good to implement the policy.
> > What I expect is a method for user to easily verify and know by which
> > key was which package signed, such function should exist.
>
> What does Debian do in this respect?

There are ways to verify package authenticity, so it is automated and there is a way to verify it package by package. I am on Hyperbola GNU/Linux-libre, a derivative of Archlinux, and there is a way to use the pacman package manager to verify authenticity. Vasilij pointed out how it should be done.

Verifications in Debian or Archlinux, as I see it, happen in real time during installation, and that is by default.

> > I also expect that such verification should be by default, but default
> > was to accept unsigned, which is security issue in Emacs.
>
> 2 reasons:
> - the sig-checking code (i.e. PGP) might not be installed and we did
>   not want to add it as a prerequisite.

You know it better; maybe gnutls can be used, as it is, as I see it, part of GNU Emacs here, but it may not be part of every OS, I do not know. It has an OpenPGP API:

https://www.gnutls.org/manual/html_node/OpenPGP-API.html

So instead of using the external gpg program, maybe you as developers could use the gnutls library and that API to create signatures for packages in case PGP/GnuPG cannot work.

> - the signature system was introduced relatively shortly before it was
>   deployed for Emacs-24.4, so we did not want to break it for the other
>   ELPA archives.

I understand and I find it unfortunate, and I still suggest that it becomes enabled now, and not years thereafter.

> Regarding the second point, AFAICT Melpa still doesn't sign its
> packages, so its users presumably rely on `https` as their only line
> of defense. One of the main reasons might be that there is/was no easy
> way to add other trusted keys to Emacs's keyring (tho the
> `gnu-elpa-keyring-update` shows it can be done) so even if they signed
> their packages their users would have to take some extra step to add
> their key to the trusted keys.

And that is in the best interest of users.

I think that it sounds tedious, yet it is in the best interest of users.
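The two things this message asks for, refusing unsigned packages by default and letting a user see which key signed a given package, as an added Emacs Lisp example; this is not code from package.el or from anyone in the thread. It assumes Emacs 26 or later (for `package-gnupghome-dir`), a working gpg reachable through EPG, and a downloaded package file with its detached `.sig` beside it as ELPA archives publish them; the `my-package-*` names are invented for the example.

```elisp
;;; Added example, not package.el code.  Assumes Emacs 26+ and gpg via EPG.
(require 'package)
(require 'epg)
(require 'cl-lib)

;; Hardened defaults: refuse unsigned packages instead of silently accepting
;; them, and check every signature rather than just the first one.
;; `package-check-signature' accepts nil, allow-unsigned, t or all.
(setq package-check-signature 'all
      package-unsigned-archives nil)  ; no archive is exempt from checking

(defun my-package-signing-keys (pkg-file)
  "Verify PKG-FILE against the detached PKG-FILE.sig next to it.
Return a list of (STATUS . KEY-ID) pairs, one per signature, checked
against the keyring in `package-gnupghome-dir' (the keyring that
`gnu-elpa-keyring-update' maintains).  STATUS is a symbol such as
`good', `bad' or `no-pubkey'.  Hypothetical helper, not part of package.el."
  (let* ((sig-file (concat pkg-file ".sig"))
         (context (epg-make-context 'OpenPGP))
         (read-bytes (lambda (file)
                       (with-temp-buffer
                         (set-buffer-multibyte nil)
                         (insert-file-contents-literally file)
                         (buffer-string)))))
    (unless (file-exists-p sig-file)
      (error "No signature file for %s: refusing to trust it" pkg-file))
    (setf (epg-context-home-directory context) package-gnupghome-dir)
    ;; Detached signature first, signed data second, exactly as gpg --verify.
    (epg-verify-string context
                       (funcall read-bytes sig-file)
                       (funcall read-bytes pkg-file))
    (mapcar (lambda (sig)
              (cons (epg-signature-status sig) (epg-signature-key-id sig)))
            (epg-context-result-for context 'verify))))

(defun my-package-report-signature (pkg-file)
  "Show whether PKG-FILE is signed and by which key ID; fail if any
signature is not good.  Hypothetical command for interactive use."
  (interactive "fPackage file (.tar or .el): ")
  (let ((results (my-package-signing-keys pkg-file)))
    (dolist (r results)
      (message "%s: %s signature from key %s"
               (file-name-nondirectory pkg-file) (car r) (cdr r)))
    (unless (and results
                 (cl-every (lambda (r) (eq (car r) 'good)) results))
      (user-error "%s: not every signature verified" pkg-file))
    results))
```

Run `M-x my-package-report-signature` on a file such as a downloaded `name-version.tar` to see the key ID behind it; a `no-pubkey` status means the signing key is not yet in `package-gnupghome-dir`, which is the keyring-population problem the quoted text describes for non-GNU archives.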