From: Stefan Monnier
Newsgroups: gmane.emacs.bugs
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Sat, 31 May 2014 16:19:32 -0400
To: Glenn Morris
Cc: Eric Abrahamsen, 17625@debbugs.gnu.org

> So any signing could only happen on elpa.gnu.org, automatically.

That's the intention, indeed.

> So if someone hacks elpa.gnu.org, they can hack the signing process too.

I guess we could move the archive-generation process to another machine,
but yes, if the machine that generates the archive is hacked, then all
bets are off.

> So all signing does AFAICS is protect against a man-in-the-middle
> attack where someone impersonates elpa.gnu.org. Which the use of ssl
> certs should already protect against?

AFAIK we currently use http://elpa.gnu.org/packages/, so no SSL involved.
I don't know enough about SSL certs to be sure whether it would provide
comparable guarantees to signed packages.

        Stefan