From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Stefan Kangas Newsgroups: gmane.emacs.bugs Subject: bug#66369: Change package-check-signature default to t Date: Fri, 6 Oct 2023 09:32:34 +0000 Message-ID: References: <83edqnyz00.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="3831"; mail-complaints-to="usenet@ciao.gmane.io" To: 66369@debbugs.gnu.org Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Fri Oct 06 11:34:14 2023 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1qohDp-0000jb-Uc for geb-bug-gnu-emacs@m.gmane-mx.org; Fri, 06 Oct 2023 11:34:13 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1qohDN-0006Pg-Bs; Fri, 06 Oct 2023 05:33:45 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qohDM-0006Ny-A0 for bug-gnu-emacs@gnu.org; Fri, 06 Oct 2023 05:33:44 -0400 Original-Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1qohDM-0007PO-0r for bug-gnu-emacs@gnu.org; Fri, 06 Oct 2023 05:33:44 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1qohDe-0000Og-2H for bug-gnu-emacs@gnu.org; Fri, 06 Oct 2023 05:34:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Stefan Kangas Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 06 Oct 2023 09:34:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 66369 X-GNU-PR-Package: emacs X-Debbugs-Original-To: bug-gnu-emacs@gnu.org Original-Received: via spool by submit@debbugs.gnu.org id=B.16965847901452 (code B ref -1); Fri, 06 Oct 2023 09:34:01 +0000 Original-Received: (at submit) by debbugs.gnu.org; 6 Oct 2023 09:33:10 +0000 Original-Received: from localhost ([127.0.0.1]:49128 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qohCn-0000NM-Qd for submit@debbugs.gnu.org; Fri, 06 Oct 2023 05:33:10 -0400 Original-Received: from lists.gnu.org ([2001:470:142::17]:58590) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qohCk-0000Mj-41 for submit@debbugs.gnu.org; Fri, 06 Oct 2023 05:33:09 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qohCK-00063M-V3 for bug-gnu-emacs@gnu.org; Fri, 06 Oct 2023 05:32:40 -0400 Original-Received: from mail-lf1-x12e.google.com ([2a00:1450:4864:20::12e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1qohCH-0007Ar-9i for bug-gnu-emacs@gnu.org; Fri, 06 Oct 2023 05:32:40 -0400 Original-Received: by mail-lf1-x12e.google.com with SMTP id 2adb3069b0e04-50585357903so2531514e87.2 for ; Fri, 06 Oct 2023 02:32:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1696584755; x=1697189555; darn=gnu.org; h=to:subject:message-id:date:mime-version:references:from:from:to:cc :subject:date:message-id:reply-to; bh=bFfIIg2xxxeRHUaOjzQZVzewNxsyE26D1OkCfSgQ1do=; b=NYaGLVpYH5QF5IsqJyGdTq32WXdjoox6VQPc9PktJCoKpD9E009JSurkQm1adc1WHW Sgyixu5x4OTyUp18YKJBHOfzKAulLPU1UXHOSploa7b1/4zUJ+etv6mhwWiI9vflTBrb GjVOlXsSyZqeQZVR0fZjFKjaaCXhUKjCP7axhcKe8GKs6C7E5DV0Ke0Frgzk3uclTLCa 2fL/GngFYhKdCmomoaA7qIMID7vbWPw//PUF9nu3eQvz8vSuQ/qkpKqX+bbyeyWxvlUP G3t2RYcCjr3bbNnwQ567+Lo9YuBHNhR8z37VgoLNzhl8sc28Quwf313gg4ROsTk+Q+2y hBMw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696584755; x=1697189555; h=to:subject:message-id:date:mime-version:references:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=bFfIIg2xxxeRHUaOjzQZVzewNxsyE26D1OkCfSgQ1do=; b=cqFIVT8evWGTSn5cO5OTaHavErDsdWkA5BXbqMJ+LCDZQ18HUjCRD5uCokRkq8i3K3 +yRQHIe7clJeV6mLfKrXDel9puNks2rALxGT28xojWcvosSvo9+YTWcYSLB4fbWD9Fdb 5KCL3ees+6KmhVnTFFL7TcShSvv9XoU9U7rIiNujUwgsCZLcJFlFKq5SupHYbSCdFhWh ROC7+fdtYHSE1qAAlwwegdOg8lRGJYOVABItgwzZB7S556b0yx09xmnFmow5+6++ICRn 2GG3V5jI57kAe4+UCHxoBMdHCuGSOXEGvruOXnNX6d6py3FxkbjuHzJGVq2dyr5K2NvN 6jPQ== X-Gm-Message-State: AOJu0YwLZ6yDErmEODIC4tRpZ58N+edbO1eP5MdYHslu4TfdVsNeem9z nHi4aQ0bmMhcElxO2//62g2Kve0v5vYbCBlnfsKQueyT X-Google-Smtp-Source: AGHT+IGDUAat3drCfU+ze5fzJzQn5hWiu9UEZ5cQVVGLHk3PD5tbtibCKrLxI6U0Tq00oZAxzTEAh+y02Rtm1EbERkA= X-Received: by 2002:a05:6512:318a:b0:503:1bb0:a658 with SMTP id i10-20020a056512318a00b005031bb0a658mr7443951lfe.32.1696584754538; Fri, 06 Oct 2023 02:32:34 -0700 (PDT) Original-Received: from 753933720722 named unknown by gmailapi.google.com with HTTPREST; Fri, 6 Oct 2023 09:32:34 +0000 Received-SPF: pass client-ip=2a00:1450:4864:20::12e; envelope-from=stefankangas@gmail.com; helo=mail-lf1-x12e.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.bugs:271936 Archived-At: Severity: wishlist I propose to change the default of `package-check-signature' to t when gpg is available. Previous discussion here: https://lists.gnu.org/r/emacs-devel/2023-02/msg00680.html The current default is `allow-unsigned', which is about as useful for security purposes as if it was nil. But if the default is t, users will be forced to have OpenPGP installed. In the above discussion, Eli suggested: > We could also display a warning, once, when we detect that OpenPGP is > not available and set the value to allow-unsigned. This way the user > is alerted to the problem and can take action to fix it. I'd add that we could also prompt in this situation, perhaps something along the lines of: "No working PGP installation detected; install package(s) without verifying signature (unsafe)? (y/n)"