[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] package.el: check tarball signature
From: |
Ted Zlatanov |
Subject: |
Re: [PATCH] package.el: check tarball signature |
Date: |
Wed, 02 Oct 2013 06:41:28 -0400 |
User-agent: |
Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux) |
On Wed, 02 Oct 2013 16:16:04 +0900 Daiki Ueno <address@hidden> wrote:
DU> I've read the discussion and patches, but it's still unclear to me.
DU> Your latest(?) patch (package-archive-signed-3.patch) has
DU> package--create-detached-signature, but nobody calls it. For what
DU> purpose would you need signature generation?
So the maintainer can create a signature from Emacs instead of
externally. The signer is intended to be a maintainer after review, not
a package creator.
DU> Or, perhaps you wanted to develop a user interface to upload tarballs
DU> with signature? Then it should be go into package-x.el instead of
DU> package.el, I suppose.
It's something you would run on the ELPA server, not at upload time.
I thought it belonged nicely in package.el.
DU> Anyway, I'm a bit surprised that there are few researches of existing
DU> packaging systems which already utilize GPG signature, such as Debian
DU> and Fedora. AFAIK, those systems do not require signing operation in
DU> their installer UI.
package.el is not just an installer UI, it's a full package manager.
>> In addition I started on the EPG interaction you've finished, so you can
>> probably start with my patch and fix the EPG-related pieces and any
>> other issues instead of writing your own.
DU> I'm sorry, I couldn't find anything I can reuse in your patch. It even
DU> succeeds signature verification when GPG reports bad signatures.
That's one of the EPG-related pieces I mentioned need fixing. But at
this point your v2 patch has done the work so there's no point in arguing.
DU> Also, why did you choose ".gpgsig" extension rather than ".sig",
DU> which has already been used on ftp.gnu.org for a decade?
I think the extension name is not that important, but here specifically
I wanted to indicate it's generated by GPG. .sig will obviously work
exactly the same way.
DU> And I think it's too much to modify package--with-work-buffer to
DU> check signatures of all files downloaded.
I disagree, but please implement what you believe will do the work of
checking the signatures for packages (tarballs and individual) and the
package index. That's the goal; the implementation details don't
matter too much.
Ted