package.el + DVCS for security and convenience (was: ELPA security)

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

package.el + DVCS for security and convenience (was: ELPA security)

From:	Ted Zlatanov
Subject:	package.el + DVCS for security and convenience (was: ELPA security)
Date:	Sat, 22 Dec 2012 14:37:13 -0500
User-agent:	Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)

I propose to require signatures for ELPA packages and make package.el
aware of signatures:

http://doc.bazaar.canonical.com/beta/en/user-guide/gpg_signatures.html

(the same idea for Git: http://git-scm.com/book/en/Git-Basics-Tagging)

The key is to make package.el talk to a repository, not to a web site.

Then, package.el can verify the history of the package as a series of
revisions and verify their signatures.  That would require much better
integration with Bazaar and Git for package.el, but I actually think
that's a good thing and would give users convenient tools like seeing
the history of a package with all the commits.

Maybe `vc-dir' already has code to do this, so package.el can simply
ride on top of it.

This has several benefits:

- doesn't introduce new infrastructure or ELPA/Emacs packages

- is entirely optional to package.el, so repositories and individual
  packages within them can choose to use this mechanism

- does not depend on a central authority like SSL

- if the tools to verify the GPG signature are not available, we can
  fall back to warning the user instead of failing altogether

Ted

[Prev in Thread]

Current Thread

[Next in Thread]

ELPA security, George Kadianakis, 2012/12/09
- Re: ELPA security, Nic Ferrier, 2012/12/09
- Re: ELPA security, Ted Zlatanov, 2012/12/21
  - Re: ELPA security, Xue Fuqiao, 2012/12/21
  - Re: ELPA security, Bastien, 2012/12/22
    - Re: ELPA security, Xue Fuqiao, 2012/12/22
    - Re: ELPA security, Stephen J. Turnbull, 2012/12/22
    - Re: ELPA security, Bastien, 2012/12/22
    - Re: ELPA security, Bastien, 2012/12/22
    - package.el + DVCS for security and convenience (was: ELPA security), Ted Zlatanov <=
    - Re: package.el + DVCS for security and convenience, Nic Ferrier, 2012/12/24
    - Re: package.el + DVCS for security and convenience, Bastien, 2012/12/24
    - Re: package.el + DVCS for security and convenience, Ted Zlatanov, 2012/12/24
    - Re: package.el + DVCS for security and convenience, Xue Fuqiao, 2012/12/24
    - Re: package.el + DVCS for security and convenience, Stefan Monnier, 2012/12/24
    - Re: package.el + DVCS for security and convenience, Ted Zlatanov, 2012/12/24
    - Re: package.el + DVCS for security and convenience, Stephen J. Turnbull, 2012/12/24
    - Re: package.el + DVCS for security and convenience, Ted Zlatanov, 2012/12/26
    - Re: package.el + DVCS for security and convenience, Stephen J. Turnbull, 2012/12/26
    - Re: package.el + DVCS for security and convenience, Xue Fuqiao, 2012/12/27

Prev by Date: Re: Git to Bzr - what works?
Next by Date: Re: [PATCH] Unify fn and var help to make learning elisp a little easier
Previous by thread: Re: ELPA security
Next by thread: Re: package.el + DVCS for security and convenience
Index(es):
- Date
- Thread