From: Jean Louis
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Mon, 19 Oct 2020 19:38:27 +0300
User-agent: Mutt/1.10.1 (2018-07-13)
* Stefan Kangas <stefankangas@gmail.com> [2020-10-19 18:55]:
> We have signing of packages on the package archive side that is verified
> by default when it exists. See `package-check-signature'. (If I'm not
> mistaken, GNU ELPA signs packages but MELPA doesn't. Please correct me
> if I'm wrong.)
Now I know about that. It was allow-unsigned by default, correct me if
I am mistaken. The more packages there are around, the more this becomes
a potential problem; it is a security hole, as warnings about potential
problems are too few.
Now that I have turned it on, I cannot see or feel that any package was
verified; I tried installing from ELPA, but did not see any
difference, and cannot find any .sig files.
It would be good for the user to get those verifications, as verification
should be doable personally.
Package signing is not ultimate security; it is just one level of making
packages more secure.
> Note that package signatures still leaves us open to replay attacks.
> See Bug#19479 and the branch scratch/package-security for an attempt to
> improve the situation.
> I think it would be useful if package archives could implement a
> requirement for signed commits before building a new package. This
> could be optional or mandatory, and would buy us an additional layer of
> protection against compromised developer credentials.
I have seen there an apparently good recommendation for improving
package security.
But we do not have it.
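The check being discussed, as an added offline example (not code from Emacs, GNU ELPA or anyone in this thread): it reproduces what package.el does when `package-check-signature' is non-nil, namely verify a detached OpenPGP signature (FILE.sig) against the keyring in `package-gnupghome-dir', and it also shows the replay caveat from Stefan Kangas's reply, where an older but genuinely signed index still verifies. The signing key, the archive-contents entries and the directory names are all constructed for the demonstration; the file names archive-contents and archive-contents.sig are the ones GNU ELPA actually serves.

```shell
#!/bin/sh
# Constructed, offline demonstration (added example; not code from Emacs,
# GNU ELPA or the poster). It reproduces the check package.el runs when
# package-check-signature is non-nil: a detached OpenPGP signature
# (FILE.sig) is verified against the keyring in package-gnupghome-dir
# (default ~/.emacs.d/elpa/gnupg). The key, the index contents and the
# directory names below are all constructed for the demo.
#
# Emacs settings this mirrors:
#   (setq package-check-signature 'allow-unsigned) ; default: unsigned archives accepted
#   (setq package-check-signature 'all)            ; strict: every file needs a good signature
set -eu

WORK=$(mktemp -d)
KEYRING="$WORK/gnupg"     # stands in for package-gnupghome-dir
ARCHIVE="$WORK/archive"   # what the archive serves today
STALE="$WORK/stale"       # an older, genuinely signed copy an attacker could replay
TAMPERED="$WORK/tampered" # today's index modified in transit
mkdir -p "$KEYRING" "$ARCHIVE" "$STALE" "$TAMPERED"
chmod 700 "$KEYRING"

cleanup() {
    gpgconf --homedir "$KEYRING" --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT

# Archive side: a throwaway signing key standing in for the real archive key.
# (Emacs ships the real GNU ELPA public key in etc/package-keyring.gpg and
# imports it into package-gnupghome-dir on first use.)
gpg --homedir "$KEYRING" --batch --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Constructed ELPA test key
Name-Email: elpa-test@example.invalid
Expire-Date: 0
%commit
EOF

# sign_index DIR CONTENT: write DIR/archive-contents plus its detached
# signature, as the archive does for the index and for every package file.
sign_index() {
    printf '%s\n' "$2" > "$1/archive-contents"
    gpg --homedir "$KEYRING" --batch --yes --detach-sign \
        --output "$1/archive-contents.sig" "$1/archive-contents" 2>/dev/null
}

# Client side: verify_file FILE succeeds only if FILE.sig is a good signature
# by a key in the keyring. --status-fd gives the machine-readable verdict
# (GOODSIG / BADSIG / NO_PUBKEY ...) that Emacs's epg library parses.
verify_file() {
    gpg --homedir "$KEYRING" --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG '
}

# 1. Yesterday's index, listing foo 1.0; kept as the replay copy.
sign_index "$STALE" '(1 (foo . [(1 0) nil "constructed entry, old release" tar]))'
# 2. Today's index, listing foo 1.1.
sign_index "$ARCHIVE" '(1 (foo . [(1 1) nil "constructed entry, current release" tar]))'
# 3. Today's index with the listing changed in transit; the .sig is genuine.
cp "$ARCHIVE/archive-contents.sig" "$TAMPERED/"
sed 's/current release/backdoored release/' "$ARCHIVE/archive-contents" > "$TAMPERED/archive-contents"

report() {
    if verify_file "$1"; then echo "GOOD  $1"; else echo "BAD   $1"; fi
}
report "$ARCHIVE/archive-contents"   # GOOD: authentic and current
report "$TAMPERED/archive-contents"  # BAD: contents no longer match the signature
report "$STALE/archive-contents"     # GOOD: valid signature, but on yesterday's index
# The last line is the replay problem: the signature proves who published the
# index, not that it is the newest one, so a client can be held on old
# (vulnerable) versions without any signature check failing.
```

To run the same check by hand against the real archive, fetch archive-contents and archive-contents.sig from the GNU ELPA package directory and run `gpg --homedir ~/.emacs.d/elpa/gnupg --verify archive-contents.sig archive-contents'; that directory is where Emacs imports its bundled keyring. After a successful install with signature checking on, package.el leaves a NAME-VERSION.signed file next to the package in `package-user-dir' recording which key signed it, which is the visible trace that verification happened; the .sig files themselves are fetched and checked but not kept.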