GNU bug report logs - #17625
details of package signing mechanism

Previous Next

Package: emacs;

Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>

Date: Thu, 29 May 2014 03:12:01 UTC

Severity: important

Tags: security

Found in version 24.4.50

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Glenn Morris <rgm <at> gnu.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: Eric Abrahamsen <eric <at> ericabrahamsen.net>, 17625 <at> debbugs.gnu.org
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Sat, 31 May 2014 15:22:40 -0400

Glenn Morris wrote:

> So all signing does AFAICS is protect against a man-in-the-middle
> attack where someone impersonates elpa.gnu.org. Which the use of ssl
> certs should already protect against?

Although I see that package-archives uses http://elpa.gnu.org rather
than https.   :(

This bug report was last modified 10 years and 236 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #17625 details of package signing mechanism

GNU bug report logs - #17625
details of package signing mechanism