Re: ELPA security
From: Ted Zlatanov
Subject: Re: ELPA security
Date: Mon, 17 Jun 2013 03:23:00 -0400
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (darwin)
On Mon, 17 Jun 2013 10:56:28 +0900 "Stephen J. Turnbull" <address@hidden>
wrote:
SJT> Stefan Monnier writes:
>> And maybe automatically eliminate an archive from that "not signed"
>> list if we ever find a signature in it.
SJT> If this is about security rather than adding to your BrightShinyThings
SJT> collection,
It's ALWAYS about bright-shiny-things, programmers are magpies :)
SJT> you should have a signed-and-verified-and-checked-for-
SJT> expired-or-revoked-on-$DATE list, and eliminate any packages from
SJT> the list if they fail any of the hyphenated conditions.
SJT> And of course you probably want $DATE to change frequently.
SJT> And the list should be signed....
I'd rather not build a certificate infrastructure ourselves. CRLs are
especially tricky. Trusting a maintainer signature at the archive level
and verifying it for each package when it's downloaded seems like a good
compromise for Emacs.
Ted