* Whose keys go on elpa/gnupg/pubring.gpg?
@ 2015-01-08  3:36 Kelly Dean
  2015-01-08  5:01 ` Stefan Monnier
  0 siblings, 1 reply; 4+ messages in thread
From: Kelly Dean @ 2015-01-08  3:36 UTC (permalink / raw)
  To: emacs-devel

Just the package repositories' keys (elpa, melpa, marmalade)?

In that case, where do individual package maintainers' keys go?

Or is the package manager only intended to support verification of the repositories' signatures, but not package maintainers' signatures?

If package maintainers' keys are supposed to go on that keyring, then package-refresh-contents gives no assurance that the repository's key signed the archive-contents file; it only assures that some random package maintainer (any whose key is on the keyring) decided to sign the file, perhaps after inserting some of his own goodies. Needless to say, this makes pranks a little too easy.

If the keyring is supposed to contain only keys of people the user trusts to run code, then technically this isn't a vulnerability, but it still isn't the right thing to do. Emacs should record which key is for which repository, and only accept signatures made by the right key.



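The check the post asks for, binding each repository to its own signing key rather than accepting any key on the shared keyring, as an added example that is not part of the original message or of Emacs's package.el. It assumes the verifier is driven by `gpg --status-fd` output (Emacs itself goes through epg), and the fingerprints and status lines below are constructed.

```python
import re

# Constructed per-repository pins (hypothetical fingerprints, not real ELPA keys).
# A signature is accepted for a repository only if it was made by a pinned key,
# even if other keys on pubring.gpg would also verify it.
PINNED_SIGNING_KEYS = {
    "gnu": {"1111222233334444555566667777888899990000"},
    "melpa": {"AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"},
}

FPR_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def valid_signature_fingerprints(status_output):
    """Fingerprints of keys behind VALIDSIG lines in gpg --status-fd output.

    VALIDSIG is only emitted for a signature that cryptographically verified
    against a key in the keyring; GOODSIG alone says nothing about the key.
    Field 2 is the signing (sub)key fingerprint; newer gpg appends the
    primary key fingerprint as the last field, so both are collected.
    """
    fprs = set()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        for candidate in (fields[2], fields[-1]):
            if FPR_RE.match(candidate):
                fprs.add(candidate.upper())
    return fprs


def archive_contents_trusted(repo, status_output, pins=PINNED_SIGNING_KEYS):
    """True only if some valid signature came from the key pinned for repo."""
    expected = pins.get(repo, set())
    return bool(expected & valid_signature_fingerprints(status_output))


# Constructed status output: archive-contents signed by the gnu repository key.
REPO_SIGNED_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Example Repo Key <repo@example.invalid>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2015-01-08 1420688160 0 4 0 1 10 00 1111222233334444555566667777888899990000
[GNUPG:] TRUST_UNDEFINED 0 pgp"""

# Constructed: a valid signature from a maintainer key that is on the keyring
# but pinned to no repository; the shared-keyring check would accept this.
MAINTAINER_SIGNED_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFDEADBEEF Some Maintainer <dev@example.invalid>
[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF 2015-01-08 1420688160 0 4 0 1 10 00 DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"""

# Constructed: signature does not verify at all.
BAD_SIGNATURE_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 7777888899990000 Example Repo Key <repo@example.invalid>"
```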
