Re: Proposal to include obligatory PGP verification of packages from any repository

[Stefan Monnier]

> I would rather expect message shown, just as it is not shown for
> unsigned packages.

`package.el` should emit a message when installing a package without any
signature, since that's the odd and undesirable case.  I find it
perfectly normal not to say anything when the signature check succeeded.

> Regarding packages in GNU ELPA, can I now assume they are all signed?

Of course.  It's been that way since Emacs-24.4, IIRC.

> Is there a policy that GNU ELPA packages should be signed?

Not sure what that would mean: *we* sign it, so there's no policy to
enforce.  At most there are bugs to fix if the sigs are missing
or incorrect.

> What I expect is a method for user to easily verify and know by which
> key was which package signed, such function should exist.

What does Debian do in this respect?

> I also expect that such verification should be by default, but default
> was to accept unsigned, which is security issue in Emacs.

2 reasons:
- the sig-checking code (i.e. PGP) might not be installed and we did
  not want to add it as a prerequisite.
- the signature system was introduced relatively shortly before it was
  deployed for Emacs-24.4, so we did not want to break it for the other
  ELPA archives.

Regarding the second point, AFAICT Melpa still doesn't sign its
packages, so its users presumably rely on `https` as their only line
of defense.  One of the main reasons might be that there is/was no easy
way to add other trusted keys to Emacs's keyring (tho the
`gnu-elpa-keyring-update` shows it can be done) so even if they signed
their packages their users would have to take some extra step to add
their key to the trusted keys.


        Stefan