From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Stefan Monnier <monnier@iro.umontreal.ca>
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Fri, 28 Jun 2013 18:49:15 -0400
Message-ID: <jwvhagh6epz.fsf-monnier+emacs@gnu.org>
References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com>
	<87k3rrr31g.fsf@Rainer.invalid> <874nium8h0.fsf@lifelogs.com>
	<CALXzQZg953oz_WnvKH8d93fXzetcHZwCNqq7HPRzLyN-NOrusw@mail.gmail.com>
	<87zk0ljaub.fsf@lifelogs.com> <jwvmwwk9y0b.fsf-monnier+emacs@gnu.org>
	<87wqvng299.fsf@lifelogs.com> <jwvip777gt2.fsf-monnier+emacs@gnu.org>
	<87ip77y2s9.fsf@Rainer.invalid>
	<jwvy5g34cvv.fsf-monnier+emacs@gnu.org> <m2li6as3q7.fsf@lifelogs.com>
	<jwvbo75bqyu.fsf-monnier+emacs@gnu.org> <m2sj0hqk3a.fsf@lifelogs.com>
	<m2r4fyofqf.fsf@lifelogs.com> <m2obaxm42g.fsf@lifelogs.com>
	<jwvvc546b4i.fsf-monnier+emacs@gnu.org> <87vc4yme4o.fsf@lifelogs.com>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: ger.gmane.org 1372459763 15997 80.91.229.3 (28 Jun 2013 22:49:23 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Fri, 28 Jun 2013 22:49:23 +0000 (UTC)
To: emacs-devel@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Sat Jun 29 00:49:24 2013
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1UshTl-0001LB-Mp
	for ged-emacs-devel@m.gmane.org; Sat, 29 Jun 2013 00:49:21 +0200
Original-Received: from localhost ([::1]:43641 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1UshTl-0003ZO-7a
	for ged-emacs-devel@m.gmane.org; Fri, 28 Jun 2013 18:49:21 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:45614)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <monnier@iro.umontreal.ca>) id 1UshTi-0003ZI-UI
	for emacs-devel@gnu.org; Fri, 28 Jun 2013 18:49:20 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <monnier@iro.umontreal.ca>) id 1UshTh-0006AT-4f
	for emacs-devel@gnu.org; Fri, 28 Jun 2013 18:49:18 -0400
Original-Received: from ironport2-out.teksavvy.com ([206.248.154.182]:64289)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <monnier@iro.umontreal.ca>) id 1UshTg-0006AH-W4
	for emacs-devel@gnu.org; Fri, 28 Jun 2013 18:49:17 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EABK/CFFMCppA/2dsb2JhbABEvw4Xc4IeAQEEAVYoCws0EhQYDYhCBsEtjWGDKQOkeoFegxM
X-IPAS-Result: Av4EABK/CFFMCppA/2dsb2JhbABEvw4Xc4IeAQEEAVYoCws0EhQYDYhCBsEtjWGDKQOkeoFegxM
X-IronPort-AV: E=Sophos;i="4.84,565,1355115600"; d="scan'208";a="17416813"
Original-Received: from 76-10-154-64.dsl.teksavvy.com (HELO fmsmemgm.homelinux.net)
	([76.10.154.64])
	by ironport2-out.teksavvy.com with ESMTP/TLS/ADH-AES256-SHA;
	28 Jun 2013 18:49:10 -0400
Original-Received: by fmsmemgm.homelinux.net (Postfix, from userid 20848)
	id ED33AAE2E1; Fri, 28 Jun 2013 18:49:15 -0400 (EDT)
In-Reply-To: <87vc4yme4o.fsf@lifelogs.com> (Ted Zlatanov's message of "Fri, 28
	Jun 2013 11:47:03 -0400")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux)
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 206.248.154.182
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:161255
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/161255>

> Sorry, I've been careless with the terminology.

Oh, OK, then I understand, thanks.

> This would let the user or site admin easily install or remove ELPA
> archives without modifying Emacs Lisp code.  `package-archives' would
> remain, but only as a way to specify unsigned archives.

I'd prefer to keep using Elisp for customization, and to handle the keys
in a more automated way.

> I'd rather go with the `etc/elpa/A' scheme above.  Can you please
> consider it?

I really want it to be as seamless as possible for the user, so the user
should not have to setup any key infrastructure herself.

SM> ".gpgsig" is fine, as is ".sig".  Are you talking about the packages's
SM> signatures, or about some ~/.emacs.d/elpa/archive/key.gpgsig?
> P.gpgsig for every file P.

As far as possible, I'd recommend to stick with "*ring.gpg" for the
keyrings, but if it's not possible, it's OK.  Also this should be mostly
transparent to the user since she shouldn't have to manage those files
by hand, so the name isn't that important.


        Stefan