bug#17625: 24.4.50; All installed packages marked "unsigned", no archive

bug-gnu-emacs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#17625: 24.4.50; All installed packages marked "unsigned", no archive

From:	Stefan Monnier
Subject:	bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date:	Sat, 31 May 2014 16:19:32 -0400
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux)

> So any signing could only happen on elpa.gnu.org, automatically.

That's the intention, indeed.

> So if someone hacks elpa.gnu.org, they can hack the signing process too.

I guess we could move the archive-generation process to another machine,
but yes, if the machine the generates the archive is hacked, then all
bets are off.

> So all signing does AFAICS is protect against a man-in-the-middle
> attack where someone impersonates elpa.gnu.org.  Which the use of ssl
> certs should already protect against?

AFAIK we currently use http://elpa.gnu.org/packages/, so no
SSL involved.  I don't enough about SSL certs to be sure whether it
would provide comparable guarantees to signed packages.


        Stefan

[Prev in Thread]

Current Thread

[Next in Thread]

bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Eric Abrahamsen, 2014/05/28
- bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Glenn Morris, 2014/05/30
  - bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Stefan Monnier, 2014/05/30
    - bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Glenn Morris, 2014/05/31
    - bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Glenn Morris, 2014/05/31
    - bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Stefan Monnier <=
    - bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Glenn Morris, 2014/05/31
    - bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Stefan Monnier, 2014/05/31
- bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Glenn Morris, 2014/05/30
  - bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Stefan Monnier, 2014/05/30
    - bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Glenn Morris, 2014/05/30
    - bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Achim Gratz, 2014/05/30
    - bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Stefan Monnier, 2014/05/30
    - bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Achim Gratz, 2014/05/30
    - bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed, Stefan Monnier, 2014/05/30

Prev by Date: bug#15614: [Sébastien Gross] Patch correctif bug#15614
Next by Date: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Previous by thread: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Next by thread: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Index(es):
- Date
- Thread