emacs-devel

Re: ELPA security


From: Paul Nathan
Subject: Re: ELPA security
Date: Sun, 6 Jan 2013 22:20:59 -0800



On Sun, Jan 6, 2013 at 10:09 PM, Jambunathan K <address@hidden> wrote:

I am thinking how many of the existing ELPA repositories will go to the
extent of getting a signature from a legal entity.  Mostly they are
"wannabe-s" or individual efforts.


Unless I am entirely foolish, which is always possible, the idea of having a legal entity effectively notarize the code is not the idea. The general idea is that the individual (or the package repository maintainer) would use GPG to sign their code (perhaps with bzr, git, hg, or directly with gpg), and this pub key would be available for the user to download, much like Launchpad does for the Debian infrastructure.

I am pretty sure that reliability is not the concern in this thread, but protecting against malicious behavior, since public/private key crypto is under consideration.

I am sure that if I am wrong in any of this, more learned and experienced emacs-devel members will instruct me.

Kind regards,
Paul
