GNU bug report logs -
#17625
details of package signing mechanism
Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>
Date: Thu, 29 May 2014 03:12:01 UTC
Severity: important
Tags: security
Found in version 24.4.50
Done: Stefan Monnier <monnier <at> iro.umontreal.ca>
Bug is archived. No further changes may be made.
On Thu, 26 Jun 2014 12:50:35 -0400 Stefan Monnier <monnier <at> iro.umontreal.ca> wrote:

>> I think it's helpful to indicate if packages are signed--unless they
>> must be signed by default, which is currently not the case.

SM> There seems to be a misunderstanding: the current "unsigned" mention
SM> (which I recently disabled) indicates whether an *already installed*
SM> package had its signature checked when it was installed.

SM> Whereas the feature you're discussing seems to be to indicate which
SM> candidates for installation have a signature available for checking
SM> (this is not implemented, AFAICT).

Thank you for clarifying, you're right. After installation we don't have
a way to verify a package's contents, do we? Is that worth pursuing?

Is there a plan to implement the latter feature and can I help? I recall
some discussions months ago but no definite plan.

Ted
This bug report was last modified 10 years and 236 days ago.