bug-gnu-emacs

bug#35414: 26.2; ELPA packages signed with second, unknown key


From: Brandon Invergo
Subject: bug#35414: 26.2; ELPA packages signed with second, unknown key
Date: Thu, 25 Apr 2019 09:36:45 +0100
User-agent: mu4e 1.2.0; emacs 26.2

Stefan Monnier writes:

> But that ship has sailed, so I'm going to have to rethink the transition
> to the new key.  Damn!

At this point, it might just suffice to spread the word far and wide
that people using ELPA package verification need to 1) disable
verification, 2) install the transition package, and then 3) re-enable
verification.  A few well-placed announcements should directly reach a
substantial portion of ELPA users, while also potentially getting the
info indexed in search engines for more people to find when they get
affected.

All that said, I'm not an expert, but an alternative strategy for the
future might be to extend the life of the original key (gpg --edit-key),
send it to a keyserver (gpg --send-keys), and then write a
"package-update-keyring" procedure that pulls updated public keys from
the keyserver (equivalent to gpg --recv-keys).  Of course, that doesn't
help the people who are not running the latest release that features the
update procedure, so a transitional package on ELPA that provides it
would still be necessary.

--
-brandon
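
Added example (not part of the original message and not Emacs or ELPA code): a check that reads a keyring listing in `gpg --with-colons` format and flags primary keys that have expired or will expire soon, which is the condition the key-extension and keyring-refresh idea above is meant to handle. The key IDs, dates and the keyring path in the comment are constructed or assumed, not taken from the thread.

```shell
#!/bin/sh
# Added example; every key ID and date below is constructed.

# Constructed sample in the format printed by `gpg --with-colons --list-keys`
# (field 1 = record type, field 5 = key ID, field 7 = expiry).
sample_listing() {
    cat <<'EOF'
pub:e:2048:1:AAAAAAAAAAAAAAA1:1400000000:1555286400::-:::sc:
uid:e::::1400000000::::Constructed Expired Key <expired@example.invalid>:
pub:-:2048:1:AAAAAAAAAAAAAAA2:1400000000:1557878400::-:::sc:
sub:e:2048:1:BBBBBBBBBBBBBBB2:1400000000:1500000000:::::e:
pub:-:4096:1:AAAAAAAAAAAAAAA3:1400000000:1587686400::-:::sc:
pub:-:4096:1:AAAAAAAAAAAAAAA4:1400000000:::-:::sc:
pub:-:1024:17:AAAAAAAAAAAAAAA5:2014-05-13:2019-09-23::-:::sc:
EOF
}

# key_expiry_report NOW_EPOCH WARN_DAYS
# Reads a colon listing on stdin and prints "STATUS KEYID EXPIRY" for each
# primary key. Subkey and uid records are skipped. An expiry that is not
# epoch seconds (older gpg date formats) is reported as UNKNOWN rather than
# being compared numerically and silently treated as expired.
key_expiry_report() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" {
            expiry = $7
            if (expiry == "")                       status = "NOEXPIRY"
            else if (expiry !~ /^[0-9]+$/)          status = "UNKNOWN"
            else if (expiry + 0 <= now + 0)         status = "EXPIRED"
            else if (expiry - now <= warn * 86400)  status = "EXPIRING"
            else                                    status = "OK"
            print status, $5, (expiry == "" ? "-" : expiry)
        }'
}

# Demo on the constructed listing, with "now" fixed at 2019-04-25 00:00 UTC.
sample_listing | key_expiry_report 1556150400 30

# Against a real keyring (path is an assumption: the default location of
# the package.el keyring directory):
#   gpg --homedir ~/.emacs.d/elpa/gnupg --with-colons --list-keys \
#       | key_expiry_report "$(date +%s)" 30
```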




