
Re: ELPA security


From: Stefan Monnier
Subject: Re: ELPA security
Date: Tue, 08 Jan 2013 15:59:33 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux)

>> Actually, I see a problem with this scheme, now that we also keep around
>> older versions of the packages.  So maybe it's better to keep the
>> signatures in a separate file, next to the signed file (e.g. have foo.tar
>> and foo.tar.gpgsig).
> Then maybe the file listed in the package vector should be the *.gpgsig
> one, since otherwise it becomes easy to bypass the check by filtering
> out any traces of the signature file.

Right, we'd need to indicate somewhere that the sig should be
present, indeed.

A simple way to do that is to tell package.el directly, e.g. via
`package-archives' or just by declaring that all ELPA archives should
always have such signatures (they're pretty easy to add, so I'd expect
marmalade and melpa to adjust pretty quickly).


        Stefan
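The bypass discussed above (a man-in-the-middle simply filtering out the detached signature file) and the fix Stefan suggests (declaring that an archive always ships signatures, so absence is an error) are modeled below as an added example; this is not package.el code and not part of the thread. Ed25519 from Go's standard library stands in for GPG so the example runs offline, the `foo.tar` / `foo.tar.gpgsig` naming follows the quoted proposal, and the `RequireSigs` flag is an assumed stand-in for the per-archive declaration in `package-archives`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Archive stands in for one `package-archives` entry: the files the server
// serves, the key clients trust for it, and whether the archive is declared
// to always carry detached signatures (assumed flag, not package.el's).
type Archive struct {
	Name        string
	RequireSigs bool
	PubKey      ed25519.PublicKey
	Files       map[string][]byte // name -> contents, as the HTTP server would return them
}

var (
	ErrNotFound   = errors.New("file not found on archive")
	ErrMissingSig = errors.New("detached signature missing")
	ErrBadSig     = errors.New("detached signature does not verify")
)

// sigName follows the naming convention proposed in the thread: foo.tar -> foo.tar.gpgsig.
func sigName(file string) string { return file + ".gpgsig" }

// NewSignedArchive builds an archive whose every package has a detached signature.
// Ed25519 is a stand-in for GPG here; the policy logic in Fetch is the point.
func NewSignedArchive(name string, requireSigs bool, pkgs map[string][]byte) (*Archive, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a := &Archive{Name: name, RequireSigs: requireSigs, PubKey: pub, Files: map[string][]byte{}}
	for file, data := range pkgs {
		a.Files[file] = data
		a.Files[sigName(file)] = ed25519.Sign(priv, data)
	}
	return a, priv
}

// Fetch models a client downloading one tarball. The security-relevant decision
// is what happens when the .gpgsig is absent: with RequireSigs, absence is a
// hard failure, so dropping the signature file gains an attacker nothing.
func Fetch(a *Archive, file string) ([]byte, error) {
	data, ok := a.Files[file]
	if !ok {
		return nil, ErrNotFound
	}
	sig, ok := a.Files[sigName(file)]
	if !ok {
		if a.RequireSigs {
			return nil, ErrMissingSig
		}
		// Signatures optional: an unsigned file is accepted as-is.
		// This is exactly the bypass the thread warns about.
		return data, nil
	}
	if !ed25519.Verify(a.PubKey, data, sig) {
		return nil, ErrBadSig
	}
	return data, nil
}

// StripSignature models a man-in-the-middle that filters out the signature file.
func StripSignature(a *Archive, file string) { delete(a.Files, sigName(file)) }

// Tamper models a man-in-the-middle that rewrites the tarball but leaves the signature.
func Tamper(a *Archive, file string, evil []byte) { a.Files[file] = evil }

func main() {
	// Constructed sample package; not a real ELPA tarball.
	pkgs := map[string][]byte{"foo-1.0.tar": []byte("constructed tarball bytes for foo 1.0")}
	for _, require := range []bool{false, true} {
		a, _ := NewSignedArchive("gnu", require, pkgs)
		_, err := Fetch(a, "foo-1.0.tar")
		fmt.Printf("require=%v intact:   err=%v\n", require, err)
		StripSignature(a, "foo-1.0.tar")
		_, err = Fetch(a, "foo-1.0.tar")
		fmt.Printf("require=%v stripped: err=%v\n", require, err)
	}
}
```

Run as-is and the `require=false stripped` line shows the unsigned tarball accepted with no error, while `require=true stripped` fails with the missing-signature error; the same `Fetch` also rejects a rewritten tarball whose signature no longer matches. Listing the `.gpgsig` in the package vector, as the quoted reply suggests, achieves the same thing by a different route: the client then knows a signature is expected before it ever asks the server.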


