GNU bug report logs - #17625
details of package signing mechanism


Package: emacs;

Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>

Date: Thu, 29 May 2014 03:12:01 UTC

Severity: important

Tags: security

Found in version 24.4.50

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.



Message #48 received at 17625 <at> debbugs.gnu.org (full text, mbox):

From: Glenn Morris <rgm <at> gnu.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: Eric Abrahamsen <eric <at> ericabrahamsen.net>, 17625 <at> debbugs.gnu.org
Subject: Re: bug#17625: 24.4.50;
 All installed packages marked "unsigned", no archive listed
Date: Sat, 31 May 2014 17:28:16 -0400

Stefan Monnier wrote:

> I guess we could move the archive-generation process to another machine,

I won't pretend to know what I'm talking about, but I think that's the
kind of thing you have to do if this is to have any real value.
And for an inherently-not-very-secure environment like Emacs, is it worth it?

> AFAIK we currently use http://elpa.gnu.org/packages/, so no SSL
> involved.

Right. Will it Just Work to change that to https?

> I don't know enough about SSL certs to be sure whether it would provide
> comparable guarantees to signed packages.

I think SSL would verify that you are talking to the server that you
thought you were talking to, and that no-one had injected anything in
between you and it. Which is all that gpg-signed packages would do, if
the machine that hosts the packages also does the signing (AFAICS).




This bug report was last modified 10 years and 237 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.