[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] package.el: check tarball signature
|
From: |
Eli Zaretskii |
|
Subject: |
Re: [PATCH] package.el: check tarball signature |
|
Date: |
Mon, 30 Sep 2013 22:58:13 +0300 |
> From: Daiki Ueno <address@hidden>
> Date: Mon, 30 Sep 2013 15:48:16 -0400
>
> Well, I still don't understand why this is advertised as such a
> difficult problem, particularly why package.el would need sign operation
> with Emacs. Am I missing something?
>
> Perhaps it might make sense to discuss with some code. Here it is.
>
> The code verifies a detached signature NAME-VERSION.tar.sig with a
> trusted keyring located under ~/.emacs.d/elpa/gnupg/. That's it.
>
> For uploading packages, we could simply use the same mechanism as
> gnupload in Gnulib.
>
> It's actually a 10-minute work at an airport lobby and tested only with
> the local package archive.
Thanks, but please add a defcustom to disable this check (e.g.,
because gnupg isn't installed, and isn't going to be).
In general, I think .sig files are there for those who want to verify
the packages, but users should not be forced to do that as a
prerequisite for downloading. (And no, the y-or-n-p question doesn't
cut it: it's a nuisance to have to answer that question every time.)