Re: [PATCH] package.el: check tarball signature
From: Daiki Ueno
Subject: Re: [PATCH] package.el: check tarball signature
Date: Wed, 02 Oct 2013 21:22:53 +0900
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)

Ted Zlatanov <address@hidden> writes:
> DU> For what purpose would you need signature generation?
>
> So the maintainer can create a signature from Emacs instead of
> externally. The signer is intended to be a maintainer after review, not
> a package creator.

I'm fine with signing with dput for Debian and gnupload for GNU. Who
else among you really wants that feature? Reference?

> It's something you would run on the ELPA server, not at upload time.

I'd rather use another scripting language to do such a batch job.

> package.el is not just an installer UI, it's a full package manager.

Why is the uploading part separated into package-x.el then?

> DU> I'm sorry, I couldn't find anything I can reuse in your patch. It even
> DU> succeeds signature verification when GPG reports bad signatures.
>
> That's one of the EPG-related pieces I mentioned need fixing. But at
> this point your v2 patch has done the work so there's no point in arguing.

Thanks for understanding. I should have been involved in this earlier.
What really surprises me is that there has been no progress on this for almost one year.

> DU> Also, why did you choose ".gpgsig" extension rather than ".sig",
> DU> which has already been used on ftp.gnu.org for a decade?
>
> I think the extension name is not that important, but here specifically
> I wanted to indicate it's generated by GPG. .sig will obviously work
> exactly the same way.

It's important, if we would like to use common tools like gnupload too.