all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Ted Zlatanov <tzz@lifelogs.com>
To: emacs-devel@gnu.org
Subject: Re: ELPA security
Date: Mon, 17 Jun 2013 03:23:00 -0400	[thread overview]
Message-ID: <m2obb5qjzf.fsf@lifelogs.com> (raw)
In-Reply-To: 871u815wkz.fsf@uwakimon.sk.tsukuba.ac.jp

On Mon, 17 Jun 2013 10:56:28 +0900 "Stephen J. Turnbull" <stephen@xemacs.org> wrote: 

SJT> Stefan Monnier writes:
>> And maybe automatically eliminate an archive from that "not signed"
>> list if we ever find a signature in it.

SJT> If this is about security rather than adding to your BrightShinyThings
SJT> collection,

It's ALWAYS about bright-shiny-things, programmers are magpies :)

SJT> you should have a signed-and-verified-and-checked-for-
SJT> expired-or-revoked-on-$DATE list, and eliminate any packages from
SJT> the list if they fail any of the hyphenated conditions.

SJT> And of course you probably want $DATE to change frequently.

SJT> And the list should be signed....

I'd rather not build a certificate infrastructure ourselves.  CRLs are
especially tricky.  Trusting a maintainer signature at the archive level
and verifying it for each package when it's downloaded seems like a good
compromise for Emacs.

Ted




  reply	other threads:[~2013-06-17  7:23 UTC|newest]

Thread overview: 101+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-12-09 14:41 ELPA security George Kadianakis
2012-12-09 21:00 ` Nic Ferrier
2012-12-21 14:32 ` Ted Zlatanov
2012-12-21 22:12   ` Xue Fuqiao
2012-12-22  5:07   ` Bastien
2012-12-22  6:17     ` Xue Fuqiao
2012-12-22 12:34       ` Stephen J. Turnbull
2012-12-22 13:03         ` Bastien
2012-12-22 13:24           ` Bastien
2012-12-22 19:37             ` package.el + DVCS for security and convenience (was: ELPA security) Ted Zlatanov
2012-12-24 12:53               ` package.el + DVCS for security and convenience Nic Ferrier
2012-12-24 12:55                 ` Bastien
2012-12-24 13:38                   ` Ted Zlatanov
2012-12-24 13:39                   ` Xue Fuqiao
2012-12-24 16:17               ` Stefan Monnier
2012-12-24 17:46                 ` Ted Zlatanov
2012-12-25  1:03                   ` Stephen J. Turnbull
2012-12-26 14:22                     ` Ted Zlatanov
2012-12-27  3:06                       ` Stephen J. Turnbull
2012-12-27  8:56                         ` Xue Fuqiao
2012-12-31 11:18                         ` Ted Zlatanov
2012-12-31 12:32                           ` Stephen J. Turnbull
2012-12-31 13:50                             ` Ted Zlatanov
2012-12-31 16:47                               ` Stephen J. Turnbull
2012-12-31 21:41                                 ` Ted Zlatanov
2012-12-29  6:19                   ` Stefan Monnier
2012-12-31 11:22                     ` Ted Zlatanov
2013-01-03 16:41                       ` Stefan Monnier
2013-01-04 16:05                         ` Ted Zlatanov
2013-01-04 18:11                           ` Stefan Monnier
2013-01-04 19:06                             ` Ted Zlatanov
2013-01-05  3:25                               ` Stephen J. Turnbull
2013-01-06 19:20                                 ` Ted Zlatanov
2013-01-07  2:03                                   ` Stephen J. Turnbull
2013-01-07 14:47                                     ` Ted Zlatanov
2013-01-08  1:44                                       ` Stephen J. Turnbull
2013-01-08 15:15                                         ` Ted Zlatanov
2013-01-08 17:53                                           ` Stephen J. Turnbull
2013-01-08 18:46                                             ` Ted Zlatanov
2013-01-08 21:20                                             ` Stefan Monnier
2013-01-09  2:37                                               ` Stephen J. Turnbull
2013-01-08  2:20                                       ` Stephen J. Turnbull
2013-01-08 14:05                                         ` Xue Fuqiao
2013-01-04 22:21                           ` Xue Fuqiao
2012-12-31 20:06               ` Re:package.el + DVCS for security and convenience (was: ELPA security) Phil Hagelberg
2012-12-31 22:50                 ` package.el + DVCS for security and convenience Ted Zlatanov
2012-12-22 16:20   ` ELPA security Stefan Monnier
2012-12-26 17:32     ` Paul Nathan
2012-12-31 11:50       ` Ted Zlatanov
2012-12-31 12:34         ` Stephen J. Turnbull
2012-12-31 13:39         ` Package signing infrastructure suggestion (was Re: ELPA security) Nic Ferrier
2012-12-31 22:32           ` Ted Zlatanov
2012-12-31 23:01             ` Xue Fuqiao
2012-12-31 19:48         ` ELPA security Tom Tromey
2012-12-31 19:57           ` Drew Adams
2012-12-31 22:19             ` Ted Zlatanov
2012-12-31 22:15           ` Ted Zlatanov
2013-01-05 16:46   ` Achim Gratz
2013-01-06 19:12     ` Ted Zlatanov
2013-01-07  5:32       ` Paul Nathan
2013-01-07  5:47         ` Jambunathan K
2013-01-07  5:53           ` Paul Nathan
2013-01-07  6:09             ` Jambunathan K
2013-01-07  6:20               ` Paul Nathan
2013-01-07  7:12               ` Stephen J. Turnbull
2013-01-07  7:18               ` chad
2013-01-07 14:34               ` Ted Zlatanov
2013-01-07  6:57           ` Stephen J. Turnbull
2013-01-07 14:35           ` Ted Zlatanov
2013-01-07 15:01         ` Ted Zlatanov
2013-01-08  3:07           ` Stefan Monnier
2013-01-08 14:47             ` Ted Zlatanov
2013-01-08 16:57               ` Stefan Monnier
2013-01-08 17:30                 ` Ted Zlatanov
2013-01-08 20:50                   ` Stefan Monnier
2013-01-08 21:30                     ` Ted Zlatanov
2013-01-08 22:46                       ` Stefan Monnier
2013-01-08 23:30                         ` Ted Zlatanov
2013-03-12 18:29                           ` Ted Zlatanov
2013-01-08 17:00               ` Stefan Monnier
2013-01-08 17:59                 ` Achim Gratz
2013-01-08 18:37                   ` Ted Zlatanov
2013-01-08 20:59                   ` Stefan Monnier
2013-06-16 11:18                     ` Ted Zlatanov
2013-06-16 23:12                       ` Stefan Monnier
2013-06-17  1:56                         ` Stephen J. Turnbull
2013-06-17  7:23                           ` Ted Zlatanov [this message]
2013-06-17 15:54                             ` Stephen J. Turnbull
2013-06-28 15:34                               ` Ted Zlatanov
2013-06-17 14:34                           ` Stefan Monnier
2013-06-17  7:20                         ` Ted Zlatanov
2013-06-19  5:02                           ` Ted Zlatanov
2013-06-19 12:38                             ` Stefan Monnier
2013-06-23 11:58                             ` Ted Zlatanov
2013-06-23 16:41                               ` Stefan Monnier
2013-06-28 15:47                                 ` Ted Zlatanov
2013-06-28 16:28                                   ` Nic Ferrier
2013-06-28 22:49                                   ` Stefan Monnier
2013-06-24  3:44                               ` Daiki Ueno
2013-06-28 15:32                                 ` Ted Zlatanov
2013-06-28 16:15                                   ` Daiki Ueno

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=m2obb5qjzf.fsf@lifelogs.com \
    --to=tzz@lifelogs.com \
    --cc=emacs-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.