From: Ted Zlatanov <tzz@lifelogs.com>
To: emacs-devel@gnu.org
Subject: Re: [PATCH] package.el: check tarball signature
Date: Wed, 02 Oct 2013 09:53:54 -0400
Message-ID: <87d2nnvkwd.fsf@flea.lifelogs.com>
In-Reply-To: 877gdvamle.fsf-ueno@gnu.org

On Wed, 02 Oct 2013 21:22:53 +0900 Daiki Ueno <ueno@gnu.org> wrote: 

DU> Ted Zlatanov <tzz@lifelogs.com> writes:
DU> For what purpose would you need signature generation?
>> 
>> So the maintainer can create a signature from Emacs instead of
>> externally.  The signer is intended to be a maintainer after review, not
>> a package creator.

DU> I'm fine with signing with dput for Debian and gnupload for GNU.  Who
DU> else of you really wants that feature?  Reference?

I want it.

If we move to a branch-pull request-merge model, this will be much less
important since the signing will happen at the time of the merge on the
server; the reviewer never needs to manually sign anything.  But at
least for now we need interactive tools to automate that process and
gnupload would certainly fill that need.  So please don't dwell on this.

>> It's something you would run on the ELPA server, not at upload time.

DU> I'd rather use other scripting language to do such a batch job.

OK, I think there's room for both views.  Let's assume I will implement
it if I need it, and it shouldn't stop you.  Note I didn't mention it in
my "wishlist" for your v2 patch, so I don't consider it essential like
per-archive signing.

>> package.el is not just an installer UI, it's a full package manager.

DU> Why is the uploading part separated into package-x.el then?

Good point, I think you're right.  Thanks for the digging.  If I add
signing from Emacs I'll put it in package-x.el.

DU> I'm sorry, I couldn't find anything I can reuse in your patch.  It even
DU> succeeds signature verification when GPG reports bad signatures.
>> 
>> That's one of the EPG-related pieces I mentioned need fixing.  But at
>> this point your v2 patch has done the work so there's no point in arguing.

DU> Thanks for understanding.  I should have been involved in this earlier.
DU> What I'm really surprised at is no progress on this for almost one
DU> year.

Yes, I know.  I was part of the problem: extremely busy with work and
"almost done" all the time.  Let's make an effort together and get it
done now.  I think it's an important part of Emacs' future.

DU> Also, why did you choose ".gpgsig" extension rather than ".sig",
DU> which has already been used on ftp.gnu.org for a decade?
>> 
>> I think the extension name is not that important, but here specifically
>> I wanted to indicate it's generated by GPG.  .sig will obviously work
>> exactly the same way.

DU> It's important, if we would like to use common tools like gnupload too.

OK with me, please consider me in favor of .sig.

Ted



