Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
From: Jean Louis
Date: Tue, 20 Oct 2020 00:02:05 +0300
User-agent: Mutt/1.10.1 (2018-07-13)

* Stefan Monnier <monnier@iro.umontreal.ca> [2020-10-19 23:23]:
> > I would rather expect message shown, just as it is not shown for
> > unsigned packages.
>
> `package.el` should emit a message when installing a package without any
> signature, since that's the odd and undesirable case. I find it
> perfectly normal not to say anything when the signature check succeeded.
>
> > Regarding packages in GNU ELPA, can I now assume they are all signed?
>
> Of course. It's been that way since Emacs-24.4, IIRC.
>
> > Is there a policy that GNU ELPA packages should be signed?
>
> Not sure what that would mean: *we* sign it, so there's no policy to
> enforce. At most there are bugs to fix if the sigs are missing
> or incorrect.
It would be good to implement the policy.
> > What I expect is a method for user to easily verify and know by which
> > key was which package signed, such function should exist.
>
> What does Debian do in this respect?
There are ways to verify package authenticity, so it is automated, and
there is a way to verify it package by package. I am on Hyperbola
GNU/Linux-libre, a derivative of Archlinux, where there is a way to use the
pacman package manager to verify authenticity.
Vasilij pointed out how it should be done. Verification in Debian or
Archlinux, as I see it, happens in real time during installation, and
that is by default.
> > I also expect that such verification should be by default, but default
> > was to accept unsigned, which is security issue in Emacs.
>
> 2 reasons:
> - the sig-checking code (i.e. PGP) might not be installed and we did
> not want to add it as a prerequisite.
You know it better; maybe gnutls can be used, as it is, how I see it,
part of GNU Emacs here, but it may not be part of it on every OS, I do
not know. It has an OpenPGP API:
https://www.gnutls.org/manual/html_node/OpenPGP-API.html
So instead of using an external gpg program, maybe you as developers
could use the gnutls library and that API to create signatures for
packages in case PGP/GnuPG cannot work.
> - the signature system was introduced relatively shortly before it was
> deployed for Emacs-24.4, so we did not want to break it for the other
> ELPA archives.
I understand and I find it unfortunate, and I still suggest that it
becomes enabled now, and not years thereafter.
> Regarding the second point, AFAICT Melpa still doesn't sign its
> packages, so its users presumably rely on `https` as their only line
> of defense. One of the main reasons might be that there is/was no easy
> way to add other trusted keys to Emacs's keyring (tho the
> `gnu-elpa-keyring-update` shows it can be done) so even if they signed
> their packages their users would have to take some extra step to add
> their key to the trusted keys.
And that is in the best interest of users.
I think that it sounds tedious, yet it is in the best interest of users.
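As an added example (not code from the message above, and not from package.el or Emacs itself), here is how a user could enforce the "reject unsigned packages" policy discussed in this thread in their own configuration, and inspect which key signed a downloaded archive file. The variables `package-check-signature`, `package-unsigned-archives` and `package-gnupghome-dir`, and the `epg-*` functions, are existing Emacs APIs; the function `my/package-signing-key` is a name invented for this example.

```elisp
;; Added example: harden package.el signature handling and report the
;; signing key of an archive file. Not part of Emacs or package.el.

(require 'package)
(require 'epg)

;; The default value `allow-unsigned' only rejects *bad* signatures and
;; silently accepts packages that carry no signature at all. Setting it
;; to t turns a missing signature into a hard error for every archive
;; that is not explicitly listed in `package-unsigned-archives'.
(setq package-check-signature t)
(setq package-unsigned-archives nil)

;; Hypothetical helper, defined only in this example.
(defun my/package-signing-key (file)
  "Verify FILE against the detached signature FILE.sig.
Use the keyring package.el itself uses, so the verdict matches what
`package-install' would decide.  Return the fingerprint of the signing
key when every signature is good; otherwise signal an error that says
why verification failed (missing signature, bad signature, unknown key)."
  (let ((sig-file (concat file ".sig"))
        (context (epg-make-context 'OpenPGP)))
    (unless (file-exists-p sig-file)
      (error "No detached signature found for %s" file))
    ;; package-keyring.gpg lives in `package-gnupghome-dir' (when set).
    (when package-gnupghome-dir
      (setf (epg-context-home-directory context)
            (expand-file-name package-gnupghome-dir)))
    (epg-verify-file context sig-file file)
    (let ((sigs (epg-context-result-for context 'verify)))
      (unless sigs
        (error "gpg returned no verification result for %s" file))
      ;; Treat anything other than `good' (bad, expired, revoked-key,
      ;; no-pubkey, ...) as a failure rather than a warning.
      (dolist (sig sigs)
        (unless (eq (epg-signature-status sig) 'good)
          (error "Signature on %s not accepted: %s"
                 file (epg-signature-to-string sig))))
      (epg-signature-fingerprint (car sigs)))))
```

After a `package-refresh-contents`, the `archive-contents` file and its `.sig` for the GNU archive are kept under `archives/gnu/` inside `package-user-dir`, so `(my/package-signing-key (expand-file-name "archives/gnu/archive-contents" package-user-dir))` answers the question raised in the thread of which key signed what, and a package whose signature is missing or made by a key not in the keyring is reported as an error instead of being installed quietly.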