Re: package.el + DVCS for security and convenience

[Stephen J. Turnbull]

Ted Zlatanov writes:
 > On Fri, 04 Jan 2013 13:11:09 -0500 Stefan Monnier <address@hidden> wrote: 
 > 
 > SM> The signatures should be added to the `archive-contents' file.
 > 
 > I think `archive-contents' should contain just the keys allowed to sign
 > the package, not the signatures whole.  Otherwise, for multi-file
 > packages, the file could get large and the format could be awkward.  To
 > support both single-file and multi-file packages, I propose a X.sig
 > signature file for each file X in the package directory hierarchy.

I think that's a lot uglier, and will force people to use special
tools to manipulate non-Emacs structures conveniently (ie, the file
system).  (N.B. I wrote "convenient", not "possible".)  OTOH, the raw
content of archive-contents is rarely of interest to users, and the
only software that knows how to manipulate archive-contents is Emacs,
anyway.  Write a mode to display archive-contents, suppressing
signatures by default, and you're done AFAICS.

 > I think it's better to have the GNU ELPA maintainers sign package
 > releases, not to delegate that to the authors.

I think that's a bad idea.  The responsibility is with the authors in
the first place; you're suggesting that it be delegated to the ELPA
maintainers.  All the ELPA maintainers can do is testify that they
built the package from sources in the repository.  Unless the
repository contains properly signed commits, that's not saying much.
Even then, for users it's a matter of indirect trust.  So for it
actually to be useful to security-conscious users, the ELPA
maintainers would have to vette the package authors -- *all*
committers.

It's really not that much work, and it's work that can and should be
decentralized.