Re: security of the emacs package system, elpa, melpa and marmalade

[Ted Zlatanov]

On Sun, 29 Sep 2013 13:49:36 -0400 Daiki Ueno <address@hidden> wrote: 

DU> Ted Zlatanov <address@hidden> writes:
>> On Mon, 23 Sep 2013 10:17:33 -0400 Stefan Monnier
SM> The current state, AFAIK is that we decided that ELPA servers should
SM> put *.gpg signatures alongside their tarballs and other files, signed
SM> with an "archive" key.  This signature can be used to check that the
SM> package you get indeed comes from that archive.
>> 
SM> In terms of code, it's not implemented yet, AFAIK (IIRC Ted is working
SM> on it).
>> 
>> VERY slowly.  I tried to get back to it, only to find out (see other
>> thread under subject "bad epg.el+GPG2 behavior: unavoidable passphrase
>> pinentry prompt") that GPG2 is practically unusable.  Frustrating.

DU> I don't see much relation between this and what Stefan is talking above.
DU> For signature verification, passphrase prompt shouldn't be used, since
DU> it does not require any secret key operation.

Right.  I didn't mean that GPG2 is blocking the package signing work
specifically.

But if, for any reason, GPG2 decides to pop up passphrase prompts, it
will make package.el unusable *and it can't be disabled*.  So this is a
concern IMO, even if we assume it will not require passphrases, because
it could make the user experience painful outside of our control.  This
is what annoys me about GPG1 or 2, that it's an application and not a
library.  At least GPG1 could be consistently driven in batch mode.

DU> For signing with an "archive" key, do you really want to do that with
DU> Emacs, instead of other handy scripting languages?

Naturally.

>> As I've mentioned in the past, I dislike relying on an external binary
>> like GPG to do encryption so this is pushing me again towards a more
>> built-in Lispy way to do signing of packages.  Opinions welcome,
>> especially if you can think of a way that Emacs can sign files in a
>> similar way to GPG keys in Lisp.

DU> I remember that you asked this in the past, and I answered that it might
DU> make some sense as long as the code produces a signature in a
DU> standardized format as GPG does.  You then responded that you didn't
DU> have enough knowledge to implement it.

DU> I don't think it is a constructive attitude to repeat the same argument
DU> without any outcomes and even omitting the background.

Let's just say I'll implement the OpenPGP protocol emulation as in
http://tools.ietf.org/html/rfc4880 when I get to it, and anyone else
that thinks it's worthwhile can work with me or do it themselves.

I hope you consider that constructive.

Ted