Re: [PATCH] package.el: check tarball signature
From: Ted Zlatanov
Subject: Re: [PATCH] package.el: check tarball signature
Date: Fri, 04 Oct 2013 12:19:25 -0400
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)

On Fri, 04 Oct 2013 11:46:30 +0900 Daiki Ueno <address@hidden> wrote:
DU> Ted Zlatanov <address@hidden> writes:
>> Just one code comment:
>>
>> +(defcustom package-check-signature 'allow-unsigned
>> + "Whether to check package signatures when installing."
>> + :type '(choice (const nil :tag "Never")
>> + (const allow-unsigned :tag "Allow unsigned")
>> + (const t :tag "Check always"))
>> + :risky t
>> + :group 'package
>> + :version "24.1")
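Review bot: the docstring on `package-check-signature` does not say what the three values do, and for the default `allow-unsigned` the important case is undefined: it should state whether a package whose signature is present but fails verification is rejected or installed anyway. Spell out each value's behaviour in the docstring. Separately, `:version "24.1"` predates this patch (the sender's User-agent shows Emacs 24.3.50), so it should name the release in which the option first ships.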
>>
>> IMHO this should be per archive, not global. WDYT?
DU> Yes, actually I was in doubt how to support that. Given that most of
DU> the archives will be eventually signed (as Stefan pointed[1]), I'm now
DU> thinking of:
DU> * remove the package-check-signature option, and
DU> * even if an archive is listed in package-unsigned-archives, check
DU> signature if .sig file is provided (ignoring verification error)
DU> How does this sound? Here is a patch in this direction.

I think it's a good direction. Maybe archives should have trust levels
that the user can provide when adding them, instead of managing
`package-{signed,unsigned}-archives' as external lists:

- signed (always check for .sig and verify it)
- optionally signed (always check for .sig but allow that it may not exist)
- not signed (never check for .sig, avoiding extra network requests)

The default trust level would be "signed." Does that work?

The user may also want a keyring per archive, if that could be a
property. I would want it. But it may be expensive to implement.

Ted
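
The three trust levels proposed in the message above, written out as an added example in Emacs Lisp; it is not code from package.el or from either participant's patch. All `my-archive-*` names and the sample archive list are hypothetical, and rejecting a present-but-invalid signature on an optionally signed archive is an assumption of this example, not something the thread settles.

```emacs-lisp
;; Added example, not package.el code.  Every name here is hypothetical.
(require 'cl-lib)

(defvar my-archive-trust-levels
  '(("gnu"   . signed)
    ("extra" . optionally-signed)
    ("local" . unsigned))
  "Constructed sample data: alist of archive name to trust level.")

(defun my-archive-trust-level (archive)
  "Return ARCHIVE's trust level; archives with no entry default to `signed'."
  (or (cdr (assoc archive my-archive-trust-levels)) 'signed))

(defun my-archive-fetch-sig-p (archive)
  "Return non-nil if the .sig file should be requested for ARCHIVE.
For `unsigned' archives the request is skipped entirely."
  (not (eq (my-archive-trust-level archive) 'unsigned)))

(defun my-archive-install-decision (archive sig-status)
  "Decide whether a tarball from ARCHIVE may be installed.
SIG-STATUS is `good', `bad', or `missing' (the server has no .sig).
Return `install' or `reject'."
  (pcase (cons (my-archive-trust-level archive) sig-status)
    ;; Never checked, so the status is irrelevant.
    (`(unsigned . ,_) 'install)
    ;; A verified signature is accepted at both checking levels.
    (`(,_ . good) 'install)
    ;; Only the optional level tolerates an absent signature.
    (`(optionally-signed . missing) 'install)
    ;; Remaining cases: a bad signature at any checking level
    ;; (assumption of this example), or a missing one on `signed'.
    (_ 'reject)))

(defun my-archive-decision-table ()
  "Return a list of (ARCHIVE SIG-STATUS DECISION) rows.
\"unlisted\" has no entry in `my-archive-trust-levels', so it shows
the fail-closed default."
  (cl-loop for archive in '("gnu" "extra" "local" "unlisted")
           append (cl-loop for status in '(good bad missing)
                           collect (list archive status
                                         (my-archive-install-decision
                                          archive status)))))
```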