emacs-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] package.el: check tarball signature

From: Daiki Ueno
Subject: Re: [PATCH] package.el: check tarball signature
Date: Wed, 02 Oct 2013 16:16:04 +0900
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux) 
Ted Zlatanov <address@hidden> writes:

> Perhaps you can look at
> http://thread.gmane.org/gmane.emacs.devel/155400/focus=160631 and look
> at my patch there and the surrounding discussion for background.  Stefan
> participated and advised me on most of the desired features.
>
> DU> Perhaps it might make sense to discuss with some code.  Here it is.
>
> DU> The code verifies a detached signature NAME-VERSION.tar.sig with a
> DU> trusted keyring located under ~/.emacs.d/elpa/gnupg/.  That's it.
>
> The signed/unsigned status needs to be shown in the package listing.
> Some archives are signed, some aren't.  Any file from an archive, not
> just a package tarball, should be signed (especially the package index).

Done in my latest patch.

> The management of the special gnupg keychain needs to be abstracted.
> Signatures should be generated from inside Emacs.

I've read the discussion and patches, but it's still unclear to me.
Your latest(?) patch (package-archive-signed-3.patch) has
package--create-detached-signature, but nobody calls it.  For what
purpose would you need signature generation?

Perhaps you wanted to sign locally to toggle "unsigned" status to
"signed" status?  Then why it's not sufficient to just mark the package
as "unsigned" and ask package creaters to sign and upload?

Or, perhaps you wanted to develop a user interface to upload tarballs
with signature?  Then it should be go into package-x.el instead of
package.el, I suppose.

Anyway, I'm a bit surprised that there are few researches of existing
packaging systems which already utilize GPG signature, such as Debian
and Fedora.  AFAIK, those systems do not require signing operation in
their installer UI.

> In addition I started on the EPG interaction you've finished, so you can
> probably start with my patch and fix the EPG-related pieces and any
> other issues instead of writing your own.

I'm sorry, I couldn't find anything I can reuse in your patch.  It even
succeeds signature verification when GPG reports bad signatures.  Also,
why did you choose ".gpgsig" extension rather than ".sig", which has
already been used on ftp.gnu.org for a decade?  And I think it's too
much to modify package--with-work-buffer to check signatures of all
files downloaded.

Regards,
-- 
Daiki Ueno
reply via email to
[Prev in Thread] Current Thread [Next in Thread]