bug#17625: 24.4.50; All installed packages marked "unsigned", no archive

From: Glenn Morris
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Sat, 31 May 2014 17:28:16 -0400
User-agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)

Stefan Monnier wrote:

> I guess we could move the archive-generation process to another machine,

I won't pretend to know what I'm talking about, but I think that's the
kind of thing you have to do if this is to have any real value.
And for an inherently-not-very-secure environment like Emacs, is it worth it?

> AFAIK we currently use http://elpa.gnu.org/packages/, so no SSL
> involved.

Right. Will it Just Work to change that to https?

> I don't know enough about SSL certs to be sure whether it would provide
> comparable guarantees to signed packages.

I think SSL would verify that you are talking to the server that you
thought you were talking to, and that no-one had injected anything in
between you and it. Which is all that gpg-signed packages would do, if
the machine that hosts the packages also does the signing (AFAICS).
