From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Kelly Dean Newsgroups: gmane.emacs.devel Subject: Whose keys go on elpa/gnupg/pubring.gpg? Date: Thu, 08 Jan 2015 03:36:40 +0000 Message-ID: NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: ger.gmane.org 1420688290 25311 80.91.229.3 (8 Jan 2015 03:38:10 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Thu, 8 Jan 2015 03:38:10 +0000 (UTC) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Thu Jan 08 04:38:04 2015 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1Y93uk-0002SO-KZ for ged-emacs-devel@m.gmane.org; Thu, 08 Jan 2015 04:37:38 +0100 Original-Received: from localhost ([::1]:43898 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Y93uk-0002lg-2R for ged-emacs-devel@m.gmane.org; Wed, 07 Jan 2015 22:37:38 -0500 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:54940) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Y93ug-0002lZ-Ob for emacs-devel@gnu.org; Wed, 07 Jan 2015 22:37:35 -0500 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Y93uc-0008BR-KC for emacs-devel@gnu.org; Wed, 07 Jan 2015 22:37:34 -0500 Original-Received: from relay5-d.mail.gandi.net ([2001:4b98:c:538::197]:35660) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Y93uc-0008BL-EC for emacs-devel@gnu.org; Wed, 07 Jan 2015 22:37:30 -0500 Original-Received: from mfilter24-d.gandi.net (mfilter24-d.gandi.net [217.70.178.152]) by relay5-d.mail.gandi.net (Postfix) with ESMTP id AD99A41C053 for ; Thu, 8 Jan 2015 04:37:29 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at mfilter24-d.gandi.net Original-Received: from relay5-d.mail.gandi.net ([217.70.183.197]) by mfilter24-d.gandi.net (mfilter24-d.gandi.net [10.0.15.180]) (amavisd-new, port 10024) with ESMTP id u3rFOgMv+2jO for ; Thu, 8 Jan 2015 04:37:28 +0100 (CET) X-Originating-IP: 162.248.99.114 Original-Received: from localhost (114-99-248-162-static.reverse.queryfoundry.net [162.248.99.114]) (Authenticated sender: kelly@prtime.org) by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id 4A62741C060 for ; Thu, 8 Jan 2015 04:37:27 +0100 (CET) X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2001:4b98:c:538::197 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:181044 Archived-At: Just the package repositories' keys (elpa, melpa, marmalade)? In that case, where do individual package maintainers' keys go? Or is the package manager only intended to support verification of the repositories' signatures, but not package maintainers' signatures? If package maintainers' keys are supposed to go on that keyring, then package-refresh-contents gives no assurance that the repository's key signed the archive-contents file; it only assures that some random package maintainer (any whose key is on the keyring) decided to sign the file, perhaps after inserting some of his own goodies. Needless to say, this makes pranks a little too easy. If the keyring is supposed to contain only keys of people the user trusts to run code, then technically this isn't a vulnerability, but it still isn't the right thing to do. Emacs should record which key is for which repository, and only accept signatures made by the right key.