From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Stefan Monnier Newsgroups: gmane.emacs.bugs Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed Date: Mon, 23 Jun 2014 17:21:48 -0400 Message-ID: References: <87tx89ffax.fsf@pellet.i-did-not-set--mail-host-address--so-tickle-me> <2vvbsnrgpk.fsf@fencepost.gnu.org> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: ger.gmane.org 1403558673 14478 80.91.229.3 (23 Jun 2014 21:24:33 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Mon, 23 Jun 2014 21:24:33 +0000 (UTC) Cc: 17625@debbugs.gnu.org To: Glenn Morris Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Mon Jun 23 23:24:26 2014 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1WzBiy-0007YX-Lp for geb-bug-gnu-emacs@m.gmane.org; Mon, 23 Jun 2014 23:24:24 +0200 Original-Received: from localhost ([::1]:56027 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WzBix-0001HU-V8 for geb-bug-gnu-emacs@m.gmane.org; Mon, 23 Jun 2014 17:24:23 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:60698) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WzBij-0001GP-N3 for bug-gnu-emacs@gnu.org; Mon, 23 Jun 2014 17:24:21 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WzBid-00036a-2P for bug-gnu-emacs@gnu.org; Mon, 23 Jun 2014 17:24:09 -0400 Original-Received: from debbugs.gnu.org ([140.186.70.43]:39233) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WzBic-00036Q-VE for bug-gnu-emacs@gnu.org; Mon, 23 Jun 2014 17:24:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80) (envelope-from ) id 1WzBic-00039S-E2 for bug-gnu-emacs@gnu.org; Mon, 23 Jun 2014 17:24:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Stefan Monnier Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Mon, 23 Jun 2014 21:24:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 17625 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: Original-Received: via spool by 17625-submit@debbugs.gnu.org id=B17625.140355859812033 (code B ref 17625); Mon, 23 Jun 2014 21:24:02 +0000 Original-Received: (at 17625) by debbugs.gnu.org; 23 Jun 2014 21:23:18 +0000 Original-Received: from localhost ([127.0.0.1]:58616 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WzBht-000380-Ea for submit@debbugs.gnu.org; Mon, 23 Jun 2014 17:23:17 -0400 Original-Received: from mercure.iro.umontreal.ca ([132.204.24.67]:36723) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WzBhr-00037s-5V for 17625@debbugs.gnu.org; Mon, 23 Jun 2014 17:23:15 -0400 Original-Received: from hidalgo.iro.umontreal.ca (hidalgo.iro.umontreal.ca [132.204.27.50]) by mercure.iro.umontreal.ca (Postfix) with ESMTP id 32CC03C061; Mon, 23 Jun 2014 17:22:12 -0400 (EDT) Original-Received: from lechon.iro.umontreal.ca (lechon.iro.umontreal.ca [132.204.27.242]) by hidalgo.iro.umontreal.ca (Postfix) with ESMTP id AAD5C1E5B74; Mon, 23 Jun 2014 17:21:48 -0400 (EDT) Original-Received: by lechon.iro.umontreal.ca (Postfix, from userid 20848) id 8EE00B4167; Mon, 23 Jun 2014 17:21:48 -0400 (EDT) In-Reply-To: (Glenn Morris's message of "Mon, 23 Jun 2014 14:12:49 -0400") User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux) X-DIRO-MailScanner-Information: Please contact the ISP for more information X-DIRO-MailScanner: Found to be clean X-DIRO-MailScanner-SpamCheck: n'est pas un polluriel, SpamAssassin (score=-2.82, requis 5, autolearn=not spam, ALL_TRUSTED -2.82, MC_TSTLAST 0.00) X-DIRO-MailScanner-From: monnier@iro.umontreal.ca X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 140.186.70.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.bugs:90708 Archived-At: > Eg if clients automatically (even with prompting) install public keys > from the package server the first time they connect, then this leaves > zero protection against a man-in-the-middle attack. I connect to > something that says it is elpa.gnu.org and install the key it offers. > I have no way to know if it really is elpa.gnu.org. SSH does it this way and nobody really complains loudly about it: basically, you have to trust the initial connection, but not subsequent ones (since you already have the key at that point). > (With elpa.gnu.org we should distribute the public key in the Emacs etc/ > directory.) Yes. Stefan