From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Mike Gerwitz <mtg@gnu.org>
Newsgroups: gmane.emacs.devel
Subject: Re: [ANNOUNCE] Emacs 25.3 released
Date: Wed, 13 Sep 2017 11:12:49 -0400
Message-ID: <87bmmetyxa.fsf@gnu.org>
References: <87wp55t0un.fsf@petton.fr> <mvmshfs9u9w.fsf@suse.de>
	<87r2vctasb.fsf@petton.fr> <mvma8209llj.fsf@suse.de>
	<CAEtmmeykKZ+F4A90j_GsCTK5sJpjhUwN3VMwz9-fxXLQOCSycw@mail.gmail.com>
	<87mv60t6sk.fsf@petton.fr> <mvmzia083xn.fsf@suse.de>
	<837ex4q6uy.fsf@gnu.org> <mvmmv5zay7j.fsf@suse.de>
	<B481B525-D69B-41A3-83D6-A0D916EA1526@gnu.org>
	<mvm4ls7atq0.fsf@suse.de>
	<98D64EB8-736A-4B62-B899-FCB8B94FBEB1@gnu.org>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
X-Trace: blaine.gmane.org 1505315655 25690 195.159.176.226 (13 Sep 2017 15:14:15 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Wed, 13 Sep 2017 15:14:15 +0000 (UTC)
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
Cc: Andreas Schwab <schwab@suse.de>, nicolas@petton.fr,
	rostislav.svoboda@gmail.com, emacs-devel@gnu.org
To: Eli Zaretskii <eliz@gnu.org>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Wed Sep 13 17:14:10 2017
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1ds9Mg-0006ZV-CX
	for ged-emacs-devel@m.gmane.org; Wed, 13 Sep 2017 17:14:10 +0200
Original-Received: from localhost ([::1]:43022 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1ds9Mn-0005ud-Ne
	for ged-emacs-devel@m.gmane.org; Wed, 13 Sep 2017 11:14:17 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:55845)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from <mtg@gnu.org>)
	id 1ds9Me-0005rq-L2
	for emacs-devel@gnu.org; Wed, 13 Sep 2017 11:14:09 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mtg@gnu.org>) id 1ds9Md-0006fX-Nh
	for emacs-devel@gnu.org; Wed, 13 Sep 2017 11:14:08 -0400
Original-Received: from fencepost.gnu.org ([2001:4830:134:3::e]:47610)
	by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <mtg@gnu.org>)
	id 1ds9MT-0006T9-MD; Wed, 13 Sep 2017 11:13:57 -0400
Original-Received: from localhost ([::1]:49324 helo=mikegerwitz-pc.gerwitz.local)
	by fencepost.gnu.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.82) (envelope-from <mtg@gnu.org>)
	id 1ds9MT-0003uB-6I; Wed, 13 Sep 2017 11:13:57 -0400
In-Reply-To: <98D64EB8-736A-4B62-B899-FCB8B94FBEB1@gnu.org> (Eli Zaretskii's
	message of "Wed, 13 Sep 2017 11:42:05 +0300")
OpenPGP: id=22175B02E626BC98D7C0C2E5F22BB8158EE30EAB
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel/>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: "Emacs-devel" <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:218191
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/218191>

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Wed, Sep 13, 2017 at 11:42:05 +0300, Eli Zaretskii wrote:
> The full source is in the tarball, and the change was posted in advance.
> How can a Git branch increase the trust is beyond me.
>
> This certainly smells of NIH etc.

Also, the tarball was uploaded to ftp.gnu.org, and signed.  Uploading to
ftp.gnu.org itself requires the request to be signed with a GPG key
registered on Savannah.[0]  This level of security is greater and more
formal than repository commits/tags.

If someone's system were compromised to the point of being able to
successfully upload to ftp.gnu.org, chances are that they'll be able to
forge a commit to the repository as well.

[0]: https://www.gnu.org/prep/maintain/maintain.html#Distribution-on-ftp_00=
2egnu_002eorg

=2D-=20
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJZuUrxAAoJEIyRe39dxRuiMJEP/193Uo0I4vCRKHnfYiWtSqnS
4ZShlt1lZEujGSBsemi8unE1Q03stJoyxbWB8E9+GZ3Sy49FKTFT/6GOCLuekHPx
EuyA1zaIxkSZjCzgF+4U4SADbvz7eoq/vZKVsycRDbiF64M1swYnsAB7NK6V9PA+
4JzAik3olJgoT9GgQnr00IwC5TIay8+K/3g9kcg0927UUd1yfYpvQY4NszXas0h7
Kn57KBTSJ8tkW4tOCZOn1udlL8OTLwse9frKEgQwa0KTlzXDgk4kC/qkGtKuoYLz
BUUFA8C5+r1tuhLfQv/YwtlcWgw7KBEhDmATyIRXpjjsriKLj6oX+K9bwg0HabIq
JPdPvNDeIAL4UX2GMXRlh+ICRpIXnNmlUnlSr33dcqCWyiG6o5FxpLLP+cRHTMUI
yJDU2jQZtivw9phebQz5bmPOURFBjuLopGUzOQb8xxCTJZCu0IguQYTcfeC3h0QA
EGjsip9E+xcsv1Pl67OjApouz5S/YnUNZdkoaD5FPMd7I6iTJFFPFx9EZBcH72nG
HsZEi0WSM/L01LUgeRDFAvD1wETqJZMu8Jg9AmjSc4MeFtf4wqX8QXlMvm0nlpsH
uuvqXiO4JZG6+F404/uLs8CQa9AQx5aoldaFGaUzKHGkgugXP0B05xR+fFnN7taT
1UEDtarh4lz1iq44uv3Z
=3aNw
-----END PGP SIGNATURE-----
--=-=-=--