From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Stefan Monnier Newsgroups: gmane.emacs.devel Subject: Re: Proposal to include obligatory PGP verification of packages from any repository Date: Thu, 22 Oct 2020 17:25:21 -0400 Message-ID: References: <20201019124335.GC19325@protected.rcdrun.com> <20201019163827.GG19325@protected.rcdrun.com> <20201019174745.GJ19325@protected.rcdrun.com> <20201019190452.GO19325@protected.rcdrun.com> <20201019210205.GT19325@protected.rcdrun.com> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="34834"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux) Cc: "Philip K." , rms@gnu.org, thibaut.verron@gmail.com, mve1@runbox.com, emacs-devel@gnu.org, Stefan Kangas , Dmitry Gutov To: Jean Louis Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Thu Oct 22 23:27:09 2020 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kVi73-0008wz-5J for ged-emacs-devel@m.gmane-mx.org; Thu, 22 Oct 2020 23:27:09 +0200 Original-Received: from localhost ([::1]:52266 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kVi72-0000FA-6y for ged-emacs-devel@m.gmane-mx.org; Thu, 22 Oct 2020 17:27:08 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:60226) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kVi5U-0007iE-Lq for emacs-devel@gnu.org; Thu, 22 Oct 2020 17:25:32 -0400 Original-Received: from mailscanner.iro.umontreal.ca ([132.204.25.50]:7133) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kVi5S-0000EM-4Z; Thu, 22 Oct 2020 17:25:31 -0400 Original-Received: from pmg3.iro.umontreal.ca (localhost [127.0.0.1]) by pmg3.iro.umontreal.ca (Proxmox) with ESMTP id 96167441229; Thu, 22 Oct 2020 17:25:24 -0400 (EDT) Original-Received: from mail01.iro.umontreal.ca (unknown [172.31.2.1]) by pmg3.iro.umontreal.ca (Proxmox) with ESMTP id 0ED47440652; Thu, 22 Oct 2020 17:25:23 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iro.umontreal.ca; s=mail; t=1603401923; bh=OrNZ1gWBT1ybn36A9dK2H0lCBTZZO8f0n2nDGuGktsg=; h=From:To:Cc:Subject:References:Date:In-Reply-To:From; b=EN30T37LzzsihC9wAqHhXNttgPYOJX70j91mhm3m73cwF3y5sV0F6ghp1XckWnj/L 3os2gjG64AofjsQM2z+hcorjjRUqJSczrei5MvPN8RIBPloNh3ugb35lNXdzf4lcpk V6MNlFeN22gKssqsigPcA3kpFViBETMS1K70kJ7eYBQRCDE+E4ZZ2d0M0dEka5O5Jr J3KHD3ZXMFoTfzAIIwIonQ2Xlcq0zgW1FMCoWHZ1D0zr3FsPc1jl/KUoPVqIR/pL5w uEO5kvH4cb/+uLLFERhm4ViLhjXedI2+H2beuiH6QE2a7OEGdDZR7hoaHxIyRPWCN6 +oFBQHKvv60+w== Original-Received: from alfajor (unknown [157.52.9.240]) by mail01.iro.umontreal.ca (Postfix) with ESMTPSA id 71BC1120124; Thu, 22 Oct 2020 17:25:22 -0400 (EDT) In-Reply-To: (Jean Louis's message of "Tue, 20 Oct 2020 10:40:18 +0300") Received-SPF: pass client-ip=132.204.25.50; envelope-from=monnier@iro.umontreal.ca; helo=mailscanner.iro.umontreal.ca X-detected-operating-system: by eggs.gnu.org: First seen = 2020/10/22 17:25:24 X-ACL-Warn: Detected OS = Linux 2.2.x-3.x [generic] X-Spam_score_int: -42 X-Spam_score: -4.3 X-Spam_bar: ---- X-Spam_report: (-4.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.io gmane.emacs.devel:258319 Archived-At: >> >> > Is there a policy that GNU ELPA packages should be signed? >> >> Not sure what that would mean: *we* sign it, so there's no policy to >> >> enforce. At most there are bugs to fix if the sigs are missing >> >> or incorrect. >> > It would be good to implement the policy. >> I don't know what that means (neither "the policy" nor "implement"). > Rules of maintenance simply said: So by "implement" you mean: write it in the doc that describes the ELPA protocol? > - that every request to any ELPA goes over SSL connection, to totally > disable non-SSL connections to archives. Many countries spy on their > citizens, and in many of those countries citizens are using > encryption features, even it could be illegal to use encryption. By > using non-SSL connection or allowing such, possibility is there that > user get in danger of life. The part I don't understand here is "or allowing such". I see the danger of using a non-encrypted connection but not the danger of allowing such. >> >> > What I expect is a method for user to easily verify and know by which >> >> > key was which package signed, such function should exist. >> >> What does Debian do in this respect? >> > There are ways to verify package authenticity, >> How? What does "package authenticity" mean? >> Do you get to see which key signed which package? > I skip this, I am sure you know it. No, I don't, that's why I asked. More specifically, from where I sit, I don't see much difference between the way Debian does it and the way GNU ELPA does it. And as a Debian user I don't know how to "easily verify" nor "know by which key". >> > Vasilij pointed out how it should be done. Verifications in Debian or >> > Archlinux how I see it, happen in real time during installation and >> > that is by default. >> Right, just as we do with GNU ELPA, AFAICT. > It is not by default surprisingly to me. It is by default in my book. > I had to turn on the option to have packages verified for signatures. I think those users who posted questions about signature verification failures back when we changed to a new key are evidence to the contrary. >> The problem is not to create signatures (which we do on our own machines >> where we can easily make sure PGP is installed) but to verify them. > Maybe gnutls offers that API, I cannot know technically, I could see > the API is there. Patch welcome (as long as it doesn't end up reimplementing part of GPG). Stefan