
bug#17625: 24.4.50; All installed packages marked "unsigned", no archive

From: Stefan Monnier
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Sat, 31 May 2014 16:19:32 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux)

> So any signing could only happen on elpa.gnu.org, automatically.

That's the intention, indeed.

> So if someone hacks elpa.gnu.org, they can hack the signing process too.

I guess we could move the archive-generation process to another machine,
but yes, if the machine that generates the archive is hacked, then all
bets are off.

> So all signing does AFAICS is protect against a man-in-the-middle
> attack where someone impersonates elpa.gnu.org.  Which the use of ssl
> certs should already protect against?

AFAIK we currently use http://elpa.gnu.org/packages/, so no
SSL involved.  I don't know enough about SSL certs to be sure whether it
would provide comparable guarantees to signed packages.
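As an added illustration of the distinction the thread is circling (not code from this bug report or from Emacs/ELPA, which signs with OpenPGP through GPG rather than the Ed25519 stand-in used here): a detached signature over the archive index is checked against a key the client already holds, so the check gives the same answer whether the bytes arrived over plain http, over https, from a mirror, or from a file copied by hand. TLS authenticates the server only for one connection and says nothing about the bytes afterwards. The flip side, also shown, is that the signature is only as trustworthy as the machine holding the private key: a genuine signature from a compromised archive machine still verifies. The archive-contents text below is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed stand-in for an archive-contents index as a package archive
// would serve it. The real ELPA file is an Emacs Lisp form; the exact bytes
// do not matter for the signature check.
const archiveContents = "(1 (example-pkg . [(1 0) nil \"Example package\" single]))\n"

// SignArchive produces a detached signature over the index with the archive
// operator's private key. In this model only the archive machine holds the
// key, which is why a compromise of that machine defeats signing entirely:
// whatever it signs will verify.
func SignArchive(priv ed25519.PrivateKey, index []byte) []byte {
	return ed25519.Sign(priv, index)
}

// VerifyArchive checks a detached signature against a pinned public key.
// The result depends only on the bytes and the key, not on the transport
// they came over, so it also protects against a tampered mirror or a
// man-in-the-middle on plain http.
func VerifyArchive(pub ed25519.PublicKey, index, sig []byte) bool {
	return ed25519.Verify(pub, index, sig)
}

// Demo runs both cases and returns (genuineOK, tamperedOK): the index as
// published verifies; a copy altered in transit (here the version field is
// rewritten, as an attacker on the wire or a bad mirror could do) is rejected
// because the signature no longer matches the bytes.
func Demo() (bool, bool, error) {
	// A fresh keypair stands in for the archive's long-lived signing key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	index := []byte(archiveContents)
	sig := SignArchive(priv, index)
	genuineOK := VerifyArchive(pub, index, sig)

	// Constructed tampering: bump the advertised package version so a client
	// would be steered to fetch a different package file.
	tampered := bytes.ReplaceAll(index, []byte("(1 0)"), []byte("(9 0)"))
	tamperedOK := VerifyArchive(pub, tampered, sig)
	return genuineOK, tamperedOK, nil
}

func main() {
	genuineOK, tamperedOK, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Println("genuine index verifies:", genuineOK)   // true
	fmt.Println("tampered index verifies:", tamperedOK) // false
}
```

The verifier needs nothing from the network to reach its verdict, which is the property that distinguishes package signing from SSL on the download; what neither mechanism can do is tell a client that the signing machine itself was the thing compromised.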

