bug#17625: 24.4.50; All installed packages marked "unsigned", no archive
From: Stefan Monnier
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Sat, 31 May 2014 20:58:13 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux)
>> AFAIK we currently use http://elpa.gnu.org/packages/, so no SSL
>> involved.

> Right. Will it Just Work to change that to https?

That would make libgnutls indispensable, and would also require us
getting the cert-verification working correctly.
Nothing significantly more troublesome than requiring users to have GPG
installed and have the ELPA key in the keyring.
And of course we'd need to make sure the "fallback to no checking"
works when gnutls/gpg is not available.

>> I don't know enough about SSL certs to be sure whether it would provide
>> comparable guarantees to signed packages.

> I think SSL would verify that you are talking to the server that you
> thought you were talking to,

Right.

> and that no-one had injected anything in between you and it.

Presumably, yes.

> Which is all that gpg-signed packages would do, if the machine that
> hosts the packages also does the signing (AFAICS).

Of course, there are also hypothetical situations, such as someone
setting up a mirror.

Stefan