Making `package-check-signature' more restrictive by default
From: Stefan Kangas
Subject: Making `package-check-signature' more restrictive by default
Date: Sat, 18 Feb 2023 03:54:22 -0800
Ihor Radchenko <yantar92@posteo.net> writes:
> If the default is t, users will be forced to have OpenPGP installed.
> Maybe the default should be like t, but only when OpenPGP is available.
Right. And if we want to make a change like this, I think we should
make sure to coordinate with the MELPA folks as well. It would be
unfortunate if the first thing MELPA users did was to turn this off.
Once that is done, perhaps something like this could work?
diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el
index a0bb5e75393..763f0dcadd0 100644
--- a/lisp/emacs-lisp/package.el
+++ b/lisp/emacs-lisp/package.el
@@ -345,7 +345,7 @@ package-gnupghome-dir
:risky t
:version "26.1")
-(defcustom package-check-signature 'allow-unsigned
+(defcustom package-check-signature (and (epg-find-configuration 'OpenPGP) t)
"Non-nil means to check package signatures when installing.
This also applies to the \"archive-contents\" file that lists the
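Review bot: On the new default, (and (epg-find-configuration 'OpenPGP) t), the fallback when no OpenPGP configuration is found is nil, so on those systems signature checking is switched off entirely and silently, where the old default was 'allow-unsigned. The form is also evaluated when the defcustom is initialised, so installing GnuPG afterwards does not change the value in a running session. The docstring, which the hunk leaves starting "Non-nil means to check package signatures when installing.", should state that the default now depends on OpenPGP being available, and it is worth deciding whether the no-OpenPGP case should fall back to 'allow-unsigned rather than nil.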