From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH] package.el: check tarball signature
Date: Mon, 30 Sep 2013 17:54:41 -0400
Message-ID: <874n92x9em.fsf@flea.lifelogs.com>
To: emacs-devel@gnu.org

On Mon, 30 Sep 2013 15:48:16 -0400 Daiki Ueno wrote:

DU> Well, I still don't understand why this is advertised as such a
DU> difficult problem, particularly why package.el would need sign operation
DU> with Emacs.  Am I missing something?

Yes, I think so.

Checking package signatures in general was mostly resolved back in June
2013, I simply didn't have time to work on it until just now.  When I
wanted to play with it over the weekend, the GnuPG 2.0.20 behavior
annoyed me enough that I complained about it and am planning to expose
the libnettle functions ASAP so we don't have to depend on GnuPG.  The
difficult part has been specifying the desired behavior, not
implementing it.

Perhaps you can look at
http://thread.gmane.org/gmane.emacs.devel/155400/focus=160631 and look
at my patch there and the surrounding discussion for background.  Stefan
participated and advised me on most of the desired features.

DU> Perhaps it might make sense to discuss with some code.  Here it is.

DU> The code verifies a detached signature NAME-VERSION.tar.sig with a
DU> trusted keyring located under ~/.emacs.d/elpa/gnupg/.  That's it.

The signed/unsigned status needs to be shown in the package listing.

Some archives are signed, some aren't.

Any file from an archive, not just a package tarball, should be signed
(especially the package index).

The management of the special gnupg keychain needs to be abstracted.

Signatures should be generated from inside Emacs.

In addition I started on the EPG interaction you've finished, so you can
probably start with my patch and fix the EPG-related pieces and any
other issues instead of writing your own.

DU> For uploading packages, we could simply use the same mechanism as
DU> gnupload in Gnulib.

DU> It's actually a 10-minute work at an airport lobby and tested only with
DU> the local package archive.

Your help is very welcome.

Ted
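
The check discussed in this message, as an added Emacs Lisp example that is not taken from either patch in the thread: it verifies a detached FILE.sig for any archive file against a dedicated GnuPG home directory through EPG and returns a status a package listing could display. The `my-pkg-` names, the status symbols and the `require-signature` argument are assumptions for illustration; it assumes Emacs 25 or later and a working gpg binary.

```elisp
;; Added example, not code from this thread.  Everything prefixed
;; `my-pkg-' and the status symbols are hypothetical names.
;; Assumes Emacs 25+ (setf-able EPG context slots) and a gpg binary.
(require 'epg)
(require 'cl-lib)

(defvar my-pkg-gnupg-home
  (expand-file-name "elpa/gnupg" user-emacs-directory)
  "Dedicated GnuPG home directory holding only trusted archive keys.")

(defun my-pkg-signature-status (file &optional require-signature)
  "Return `signed', `unsigned' or `bad' for FILE.
FILE may be a tarball, a single .el file or the package index; its
detached signature is expected at FILE.sig.  When REQUIRE-SIGNATURE
is non-nil (the archive is known to sign its files), a missing
signature is reported as `bad', so that deleting the .sig cannot
downgrade a signed archive to an unsigned one."
  (let ((sig-file (concat file ".sig")))
    (cond
     ((file-exists-p sig-file)
      (let ((context (epg-make-context 'OpenPGP)))
        ;; Verify against the dedicated keyring, not the user's ~/.gnupg,
        ;; so only keys explicitly imported for package archives count.
        (setf (epg-context-home-directory context) my-pkg-gnupg-home)
        (condition-case nil
            (progn
              ;; Detached signature: SIG-FILE first, then the signed file.
              (epg-verify-file context sig-file file)
              ;; A .sig may carry several signatures; accept the file if
              ;; at least one is good.  A key missing from the keyring
              ;; gives a non-`good' status and is therefore rejected.
              (if (cl-some (lambda (sig)
                             (eq (epg-signature-status sig) 'good))
                           (epg-context-result-for context 'verify))
                  'signed
                'bad))
          ;; gpg missing, unreadable file, malformed signature, ...
          (error 'bad))))
     (require-signature 'bad)
     (t 'unsigned))))
```

Calling `(my-pkg-signature-status "archive-contents" t)` before parsing the index applies the same check to the package index as to tarballs.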