[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: In Support of ELPA
|
From: |
Ted Zlatanov |
|
Subject: |
Re: In Support of ELPA |
|
Date: |
Thu, 13 Jul 2017 11:05:49 -0400 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux) |
On Thu, 13 Jul 2017 08:23:27 -0400 Richard Stallman <address@hidden> wrote:
RS> [[[ To any NSA and FBI agents reading my email: please consider ]]]
RS> [[[ whether defending the US Constitution against all enemies, ]]]
RS> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
SM> I find it is important for GNU ELPA not to *pull* from outside hosts
SM> that are not under our control. Instead code should be pushed to it by
SM> people who have write access (hence take on the responsibility of paying
SM> attention to copyright and such).
>> Can GnuPG signatures satisfy that requirement so the code can be pulled?
RS> The question is so vague that I can't relate it to the issue at hand.
RS> GPG signatures delivered by whom, when, signing what, to achieve what
RS> purpose?
Sorry for the vagueness.
I mean that maintainers of packages can use GnuPG signatures in Git to
sign a particular tag. So maybe that's enough to let the GNU ELPA pull
instead of requiring maintainers to push, because the signature will
guarantee that the code has been reviewed for copyright and other
requirements. The verification can be automated.
I think a pull-based system like that would reduce friction and increase
contributions, because maintainers won't have to get access to elpa.git
or push anything. They would just do a release tag as part of their
normal workflow.
Ted
- In Support of ELPA, Phillip Lord, 2017/07/11
- Re: In Support of ELPA, Phillip Lord, 2017/07/13
- Re: In Support of ELPA, Stefan Monnier, 2017/07/13
- Re: In Support of ELPA, Thien-Thi Nguyen, 2017/07/14
- Re: In Support of ELPA, Richard Stallman, 2017/07/14