bug-gnu-emacs

bug#17625: 24.4.50; All installed packages marked "unsigned", no archive


From: Glenn Morris
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Sat, 31 May 2014 13:42:27 -0400
User-agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)

Thinking about it, I don't see how this is supposed to work.
People don't upload tarfiles to elpa.gnu.org.
They check code into Savannah, then elpa.gnu.org automatically checks it
out and makes tarfiles.
So any signing could only happen on elpa.gnu.org, automatically.
So if someone hacks elpa.gnu.org, they can hack the signing process too.
So all signing does AFAICS is protect against a man-in-the-middle
attack where someone impersonates elpa.gnu.org. Which the use of ssl
certs should already protect against?




