Re: Urgent matter with GNU ELPA keys

all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

From: phillip.lord@russet.org.uk (Phillip Lord)
To: Stefan Monnier <monnier@iro.umontreal.ca>
Cc: emacs-devel@gnu.org
Subject: Re: Urgent matter with GNU ELPA keys
Date: Mon, 11 Feb 2019 22:19:29 +0000	[thread overview]
Message-ID: <877ee6klxq.fsf@russet.org.uk> (raw)
In-Reply-To: <jwv5ztqs99r.fsf-monnier+emacs@gnu.org> (Stefan Monnier's message of "Mon, 11 Feb 2019 09:17:32 -0500")

Stefan Monnier <monnier@iro.umontreal.ca> writes:

> I just saw that the GNU ELPA signing key that we distribute with Emacs
> (stored in etc/package-keyring.gpg) will expire in September.
>
> It's easy to change elpa.gnu.org to sign with a new key, but the hard
> part that we need to take care of ASAP is to figure out how we're going
> to let users of already-distributed Emacsen access GNU ELPA when that
> new key is used.
>
> My GPG-fu is rather weak, so I need help,

Write a package called "package-keys.el" which includes the new
key. Sign it with the existing key distributed with Emacs.

Of course, this will have what you might call a reverse bootstrap
problem -- users will need to install package-keys.el before they key
runs out, but they won't know that they need to do this till the key
runs out. After this, Emacs will refuse to install the package that it
needs to allow the installation. Only solution I can see here would be
to put some code that people can eval in *scratch* that bypasses the key
signing thing.

Long term solution would be an auto-updating and installing version of
package-keys.el and maybe package.el. This would have practical problems
(because ELPA doesn't support multiple versions of packages). I expect
Richard would object also.

Phil

     prev parent reply	other threads:[~2019-02-11 22:19 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-11 14:17 Urgent matter with GNU ELPA keys Stefan Monnier
2019-02-11 15:27 ` Andreas Schwab
2019-02-11 15:52   ` Amin Bandali
2019-02-11 22:19 ` Phillip Lord [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=877ee6klxq.fsf@russet.org.uk \
    --to=phillip.lord@russet.org.uk \
    --cc=emacs-devel@gnu.org \
    --cc=monnier@iro.umontreal.ca \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.