Whose keys go on elpa/gnupg/pubring.gpg?

From: Kelly Dean
Subject: Whose keys go on elpa/gnupg/pubring.gpg?
Date: Thu, 08 Jan 2015 03:36:40 +0000

Just the package repositories' keys (elpa, melpa, marmalade)?
In that case, where do individual package maintainers' keys go?
Or is the package manager only intended to support verification of the
repositories' signatures, but not package maintainers' signatures?
If package maintainers' keys are supposed to go on that keyring, then
package-refresh-contents gives no assurance that the repository's key signed
the archive-contents file; it only assures that some random package maintainer
(any whose key is on the keyring) decided to sign the file, perhaps after
inserting some of his own goodies. Needless to say, this makes pranks a little
too easy.
If the keyring is supposed to contain only keys of people the user trusts to
run code, then technically this isn't a vulnerability, but it still isn't the
right thing to do. Emacs should record which key is for which repository, and
only accept signatures made by the right key.
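
The per-archive key pinning the message argues for, sketched as an added Emacs Lisp example (not code from the original mail or from package.el): an alist records which key fingerprint is allowed to sign each archive, and a good signature from any other key on the keyring is rejected. The archive name `gnu`, the all-zero placeholder fingerprint, the `my/` helper names, and the use of the `setf`-able `epg-context-home-directory` accessor from a modern EPG are all assumptions.

```elisp
;; Added example: per-archive signing-key pinning on top of EPG.
;; The archive name, the placeholder fingerprint and the helper names
;; below are hypothetical; replace the fingerprint with the real one.

(require 'epg)
(require 'package)

(defvar my/archive-pinned-fingerprints
  '(("gnu" . "0000000000000000000000000000000000000000")) ; placeholder, not a real key
  "Alist mapping a package archive name to the one fingerprint allowed to sign it.")

(defun my/verify-archive-file (archive content signature)
  "Verify SIGNATURE (a detached, ASCII-armored signature string) over CONTENT.
Return non-nil only if there is a good signature made by the key pinned
for ARCHIVE in `my/archive-pinned-fingerprints'.  A good signature from
any other key on the keyring is ignored, so a key that merely happens to
be in elpa/gnupg/pubring.gpg cannot stand in for the archive's own key."
  (let ((pinned (cdr (assoc archive my/archive-pinned-fingerprints)))
        (context (epg-make-context 'OpenPGP))
        (accepted nil))
    (unless pinned
      (error "No pinned signing key recorded for archive %s" archive))
    ;; Use the package keyring, elpa/gnupg under `package-user-dir'.
    (setf (epg-context-home-directory context)
          (expand-file-name "gnupg" package-user-dir))
    (epg-verify-string context signature content)
    (dolist (sig (epg-context-result-for context 'verify))
      (let ((fpr (epg-signature-fingerprint sig)))
        (if (and (eq (epg-signature-status sig) 'good)
                 (stringp fpr)
                 (string-equal (upcase fpr) (upcase pinned)))
            (setq accepted t)
          ;; Bad signatures and good signatures by unpinned keys both land here.
          (message "Ignoring %s signature by %s for archive %s"
                   (epg-signature-status sig)
                   (or fpr (epg-signature-key-id sig))
                   archive))))
    accepted))

;; Usage, with a downloaded archive-contents and its detached signature
;; (both paths are illustrative):
;; (my/verify-archive-file
;;  "gnu"
;;  (with-temp-buffer (insert-file-contents "archive-contents") (buffer-string))
;;  (with-temp-buffer (insert-file-contents "archive-contents.sig") (buffer-string)))
```

The check deliberately keys on the full fingerprint rather than the short key ID, and it treats "good signature, wrong key" exactly like "bad signature": the caller gets nil either way, which is the property the message says a keyring-wide trust model lacks.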