Re: is melpa just unsigned?

[Platon Pronko <platon7pronko@gmail.com>]

On 2023-05-23 09:53, Samuel Wales wrote:
> just brainstorming but if by chance melpa is not signed, i wonder if
> there are package managers that kind of kludge security a bit.  not
> perfection, but try to dtrt.  enhancing melpa or bypassing it.
> 
> for example, idk the current status of git's sha-1 [?] crypto
> brokenness, but packages that use git could perhaps have their shas
> compared via multiple routes, or so.  maybe only google-level actors
> could currently break sha-1 for all i know.
> 
> at least you could check that the sha you have is the same lots of
> other users have?
> 
> are guix or nix debian-like in their signing infrastructure?  i am
> just thinking out loud here for possible solutions for more security.
> comparing multiple routes, using git's history, or a  clever trick i
> am not thinking of now.  does el-get do?
> 
> of course i am aware signing is only part of ensuring security,
> and melpa does curating, and authors or computers could turn evil, but
> where there is a chain that reliably goes back to an author from the
> code you dled, it's a pretty good feeling. 

The whole point of MELPA is to automatically provide up-to date packages built directly from upstream repos - the default MELPA repository builds a new release on each new commit (alternatively there's MELPA Stable, which creates new relases from new tags).

The key idea here is "automatically". So I don't see any way for these packages to be signed, since the package authors obviously won't be giving their keys to MELPA.

I suppose if you are looking for signed packages your best bet is GNU ELPA - some of the packages there are indeed signed.

P.S. As far as I know Emacs mailing lists prefer bottom-posting (as opposed to top-posting).

-- 
Best regards,
Platon Pronko
PGP 2A62D77A7A2CB94E