Re: [PATCH] package.el: check tarball signature

all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

From: Daiki Ueno <ueno@gnu.org>
To: emacs-devel@gnu.org
Subject: Re: [PATCH] package.el: check tarball signature
Date: Wed, 02 Oct 2013 16:16:04 +0900	[thread overview]
Message-ID: <87fvsk9m8b.fsf-ueno@gnu.org> (raw)
In-Reply-To: <874n92x9em.fsf@flea.lifelogs.com> (Ted Zlatanov's message of "Mon, 30 Sep 2013 17:54:41 -0400")

Ted Zlatanov <tzz@lifelogs.com> writes:

> Perhaps you can look at
> http://thread.gmane.org/gmane.emacs.devel/155400/focus=160631 and look
> at my patch there and the surrounding discussion for background.  Stefan
> participated and advised me on most of the desired features.
>
> DU> Perhaps it might make sense to discuss with some code.  Here it is.
>
> DU> The code verifies a detached signature NAME-VERSION.tar.sig with a
> DU> trusted keyring located under ~/.emacs.d/elpa/gnupg/.  That's it.
>
> The signed/unsigned status needs to be shown in the package listing.
> Some archives are signed, some aren't.  Any file from an archive, not
> just a package tarball, should be signed (especially the package index).

Done in my latest patch.

> The management of the special gnupg keychain needs to be abstracted.
> Signatures should be generated from inside Emacs.

I've read the discussion and patches, but it's still unclear to me.
Your latest(?) patch (package-archive-signed-3.patch) has
package--create-detached-signature, but nobody calls it.  For what
purpose would you need signature generation?

Perhaps you wanted to sign locally to toggle "unsigned" status to
"signed" status?  Then why it's not sufficient to just mark the package
as "unsigned" and ask package creaters to sign and upload?

Or, perhaps you wanted to develop a user interface to upload tarballs
with signature?  Then it should be go into package-x.el instead of
package.el, I suppose.

Anyway, I'm a bit surprised that there are few researches of existing
packaging systems which already utilize GPG signature, such as Debian
and Fedora.  AFAIK, those systems do not require signing operation in
their installer UI.

> In addition I started on the EPG interaction you've finished, so you can
> probably start with my patch and fix the EPG-related pieces and any
> other issues instead of writing your own.

I'm sorry, I couldn't find anything I can reuse in your patch.  It even
succeeds signature verification when GPG reports bad signatures.  Also,
why did you choose ".gpgsig" extension rather than ".sig", which has
already been used on ftp.gnu.org for a decade?  And I think it's too
much to modify package--with-work-buffer to check signatures of all
files downloaded.

Regards,
-- 
Daiki Ueno

next prev parent reply	other threads:[~2013-10-02  7:16 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-09-30 19:48 [PATCH] package.el: check tarball signature Daiki Ueno
2013-09-30 19:58 ` Eli Zaretskii
2013-10-02  6:20   ` [PATCHv2] " Daiki Ueno
2013-10-02 10:43     ` Ted Zlatanov
2013-09-30 21:54 ` [PATCH] " Ted Zlatanov
2013-09-30 22:56   ` Stefan Monnier
2013-10-02 11:17     ` Ted Zlatanov
2013-10-02  7:16   ` Daiki Ueno [this message]
2013-10-02 10:41     ` Ted Zlatanov
2013-10-02 12:22       ` Daiki Ueno
2013-10-02 13:53         ` Ted Zlatanov
2013-10-03  3:51           ` Stefan Monnier
2013-10-02 13:15     ` Thien-Thi Nguyen
2013-10-03  3:45       ` Stefan Monnier
2013-10-03  3:52     ` Stefan Monnier
2013-10-03  7:18       ` Daiki Ueno
2013-10-03 14:19         ` Ted Zlatanov
2013-10-03 15:01           ` Stefan Monnier
2013-10-04 19:23             ` Eli Zaretskii
2013-10-04 21:14               ` Ted Zlatanov
2013-10-05  0:34                 ` Daiki Ueno
2013-10-05  5:40                   ` Stephen J. Turnbull
2013-10-05 10:03                     ` Ted Zlatanov
2013-10-05 15:07                       ` Stephen J. Turnbull
2013-10-05 21:51                         ` Ted Zlatanov
2013-10-05  9:57                   ` Ted Zlatanov
2013-10-05  7:09                 ` Eli Zaretskii
2013-10-05 10:11                   ` Ted Zlatanov
2013-10-05 12:37                     ` Eli Zaretskii
2013-10-05 13:53                       ` Stefan Monnier
2013-10-04  2:46           ` Daiki Ueno
2013-10-04 16:19             ` Ted Zlatanov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87fvsk9m8b.fsf-ueno@gnu.org \
    --to=ueno@gnu.org \
    --cc=emacs-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.