emacs-devel
Re: Whose keys go on elpa/gnupg/pubring.gpg?


From: Kelly Dean
Subject: Re: Whose keys go on elpa/gnupg/pubring.gpg?
Date: Thu, 08 Jan 2015 06:40:28 +0000

Stefan Monnier wrote:
>> In that case, where do individual package maintainers' keys go?
>
> Nowhere: the signatures only certify that this is the file that was
> created on elpa.gnu.org.

That's only the case if elpa.gnu.org is the only repository whose key is on the 
keyring, since package-refresh-contents trusts any repository's key on the 
keyring to sign any other repository's archive-contents file. Again, 
technically not a vulnerability, but still not good.
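
The trust decision described in the message above, as an added sketch that is not part of the original post and not package.el's code. Assumptions: the key ids, the archive name "other", the `PINNED` table and the sample archive-contents bytes are constructed, and an HMAC stands in for an OpenPGP signature so the block runs with the standard library alone.

```python
import hashlib
import hmac

# Constructed stand-in for a GnuPG keyring: key id -> verification secret.
# Real signatures are asymmetric; only the trust decision is modelled here.
KEYRING = {
    "KEY-GNU": b"constructed-secret-gnu",      # hypothetical key of archive "gnu"
    "KEY-OTHER": b"constructed-secret-other",  # hypothetical key of archive "other"
}
# Hypothetical per-archive binding: which key may sign which archive.
PINNED = {"gnu": "KEY-GNU", "other": "KEY-OTHER"}


def sign(key_id, data):
    """Return (key_id, tag), a detached signature over data."""
    return key_id, hmac.new(KEYRING[key_id], data, hashlib.sha256).digest()


def good_signers(data, signature):
    """Key ids on the keyring under which the signature verifies."""
    key_id, tag = signature
    secret = KEYRING.get(key_id)
    if secret is None:
        return set()
    expected = hmac.new(secret, data, hashlib.sha256).digest()
    return {key_id} if hmac.compare_digest(tag, expected) else set()


def accept_any_key(archive, data, signature):
    """Keyring-wide trust: any key on the keyring vouches for any archive."""
    return bool(good_signers(data, signature))


def accept_pinned_key(archive, data, signature):
    """Per-archive trust: only the key bound to this archive vouches for it."""
    pinned = PINNED.get(archive)
    return pinned is not None and pinned in good_signers(data, signature)


def demo():
    contents = b'(1 (example-pkg . [(1 0) nil "constructed entry" single]))'
    own = sign("KEY-GNU", contents)      # signed by the archive's own key
    other = sign("KEY-OTHER", contents)  # valid signature, another archive's key
    return {
        "any_own": accept_any_key("gnu", contents, own),
        "any_other": accept_any_key("gnu", contents, other),
        "pinned_own": accept_pinned_key("gnu", contents, own),
        "pinned_other": accept_pinned_key("gnu", contents, other),
        "pinned_tampered": accept_pinned_key("gnu", contents + b" ", own),
    }
```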


