From: Björn Bidar
Newsgroups: gmane.emacs.help
Subject: Re: is melpa just unsigned?
Date: Mon, 29 May 2023 16:12:05 +0300
Message-ID: <87ilcbb7tm.fsf@thaodan.de>
In-Reply-To: (Daniel Fleischer's message of "Tue, 23 May 2023 20:47:49 +0300")
To: Daniel Fleischer
Cc: help-gnu-emacs@gnu.org

Daniel Fleischer writes:

> Samuel Wales [2023-05-22 Mon 19:53] wrote:
>
>> of course i am aware signing is only part of ensuring security,
>> and melpa does curating, and authors or computers could turn evil, but
>> where there is a chain that reliably goes back to an author from the
>> code you dled, it's a pretty good feeling.
>
> Not a security expert but signing helps with downloading files from
> questionable hosting (usually you download the signature from the same
> website, thus you solve nothing). You can skip the middleman melpa.org
> and install packages directly from their respective forges, e.g. github,
> gitlab, sourcehut using either something like quelpa or built-in
> package-vc-install.

Another alternative is borg + magit + epkg. The workflow makes it quite
easy to contribute and test changes in packages.