From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Stefan Kangas <stefankangas@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#66414: GNU ELPA: Require signed tags to release new package
 versions
Date: Mon, 9 Oct 2023 07:15:47 +0000
Message-ID: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="30520"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: monnier@iro.umontreal.ca, philipk@posteo.net, yantar92@posteo.net
To: 66414@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Mon Oct 09 09:17:07 2023
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1qpkVm-0007iY-O6
	for geb-bug-gnu-emacs@m.gmane-mx.org; Mon, 09 Oct 2023 09:17:06 +0200
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces@gnu.org>)
	id 1qpkVU-0007mU-81; Mon, 09 Oct 2023 03:16:48 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1qpkVP-0007kS-Vg
 for bug-gnu-emacs@gnu.org; Mon, 09 Oct 2023 03:16:45 -0400
Original-Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1qpkVP-0003HQ-Nm
 for bug-gnu-emacs@gnu.org; Mon, 09 Oct 2023 03:16:43 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1qpkVi-0002Q6-Lg; Mon, 09 Oct 2023 03:17:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Stefan Kangas <stefankangas@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: monnier@iro.umontreal.ca, philipk@posteo.net, yantar92@posteo.net,
 bug-gnu-emacs@gnu.org
Resent-Date: Mon, 09 Oct 2023 07:17:02 +0000
Resent-Message-ID: <handler.66414.B.16968357859251@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 66414
X-GNU-PR-Package: emacs
X-Debbugs-Original-To: bug-gnu-emacs@gnu.org
X-Debbugs-Original-Xcc: monnier@iro.umontreal.ca, philipk@posteo.net,
 yantar92@posteo.net
Original-Received: via spool by submit@debbugs.gnu.org id=B.16968357859251
 (code B ref -1); Mon, 09 Oct 2023 07:17:02 +0000
Original-Received: (at submit) by debbugs.gnu.org; 9 Oct 2023 07:16:25 +0000
Original-Received: from localhost ([127.0.0.1]:59098 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1qpkV7-0002P9-12
 for submit@debbugs.gnu.org; Mon, 09 Oct 2023 03:16:25 -0400
Original-Received: from lists.gnu.org ([2001:470:142::17]:50738)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@gmail.com>) id 1qpkV5-0002Of-Lq
 for submit@debbugs.gnu.org; Mon, 09 Oct 2023 03:16:24 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <stefankangas@gmail.com>)
 id 1qpkUc-0007UB-ED
 for bug-gnu-emacs@gnu.org; Mon, 09 Oct 2023 03:15:56 -0400
Original-Received: from mail-lf1-x134.google.com ([2a00:1450:4864:20::134])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <stefankangas@gmail.com>)
 id 1qpkUY-0003Bx-2K
 for bug-gnu-emacs@gnu.org; Mon, 09 Oct 2023 03:15:52 -0400
Original-Received: by mail-lf1-x134.google.com with SMTP id
 2adb3069b0e04-50585357903so5502701e87.2
 for <bug-gnu-emacs@gnu.org>; Mon, 09 Oct 2023 00:15:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1696835748; x=1697440548; darn=gnu.org;
 h=to:subject:message-id:date:mime-version:from:from:to:cc:subject
 :date:message-id:reply-to;
 bh=w+AI7FVCAzqaPxR1I6O0GDlT+eny6jEEnRuQnoo9lKk=;
 b=Kc+zqp9SxoEvp2qzSmOpGs4fgHs3ZUCnzBWlBFIaCSpxxG/zSNyplNqj020b1lBu0f
 lMH/sUTfdbq+jKs2CzJFOfcq/qWsl3Ltyp/Z/cszmiQmDIaLiuPokQVFgknkNCmJ44eu
 xlJFpJKLzVmY2a90QsW0pWZN0cmYMK+JHhReQ91N2uM+wb+j/gzYlNhTKGI7EIgBEqiN
 K6bNx7OI7ws+czhlJYJA2RWOzH+rlC1ZYkDv+vR8dWka+bcVCgg5oiTycgGb8J9mro/1
 /QAi5FIFYO6Yt/Z8ycNHTy2V9gTy0jiFM7IEKklUuCkukar7Rz4ARggf6UezggaMj/Ou
 ykkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1696835748; x=1697440548;
 h=to:subject:message-id:date:mime-version:from:x-gm-message-state
 :from:to:cc:subject:date:message-id:reply-to;
 bh=w+AI7FVCAzqaPxR1I6O0GDlT+eny6jEEnRuQnoo9lKk=;
 b=EYeRmgNJ7gZs4EH2pQX6KVXXfUpnvboeI0UM4RT5tvBxRRMyOxdQrdAj+lM14ZqyrC
 XZ7bX7YW+XOXeaUgCewASQBBBB529+V+D+L1fd2cq6m0iH3XYKaSlHW9xvULiz3Ib72b
 +2Zw0R4IGIK/3JlYZVUIvHTSxi8djLHolfXHv38Vs0AFDm+R/+ts8UsyAqnIgYoCM4Cr
 2Zwvq2zz02UGbGtN676mZK/eGAOl1tO0T5c+jcMhcADpbn9WKbSKP6xYY00UNX+H4SaU
 qgvnmLV3dmSAKJ6EvSuGThTyFQkuu7vByZaj3scuXHF6MAldGdcTNH7mMZDOMIkgOTvb
 YgdA==
X-Gm-Message-State: AOJu0YxsmaKukBjhp5HbntTfQQH/O3FytqwTvQJRYHjfWg84keYpc/x6
 8vsdLcagjVL0q28nXjiJSYCtJIqYV03zGxbZFdq1lUNRuco=
X-Google-Smtp-Source: AGHT+IFpIvgePP61j0BZ8HPLvVIfwxxQKHXf7WaMmip4XCYqbUhFhOqGMTRTm6HKxlKg24IdSGv4TIHxyBr5yimVs1A=
X-Received: by 2002:a19:6452:0:b0:500:a08e:2fd3 with SMTP id
 b18-20020a196452000000b00500a08e2fd3mr10684899lfj.21.1696835747825; Mon, 09
 Oct 2023 00:15:47 -0700 (PDT)
Original-Received: from 753933720722 named unknown by gmailapi.google.com with
 HTTPREST; Mon, 9 Oct 2023 07:15:47 +0000
Received-SPF: pass client-ip=2a00:1450:4864:20::134;
 envelope-from=stefankangas@gmail.com; helo=mail-lf1-x134.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, 
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.bugs:272127
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/272127>

Severity: wishlist

I propose optionally releasing a new version of packages on
NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
it mandatory, at the very least not initially, because it would break
too many existing workflows.

The standard feature to do that in git would be a signed git tag.
However, (Non-)GNU ELPA currently rebuilds package tarballs every time
the "Version" comment header is updated, while git tags are ignored.

Forwarded from

    https://lists.gnu.org/r/emacs-devel/2023-02/msg00120.html