GNU bug report logs - #17625
details of package signing mechanism

Previous Next

Package: emacs;

Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>

Date: Thu, 29 May 2014 03:12:01 UTC

Severity: important

Tags: security

Found in version 24.4.50

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 17625 <at> debbugs.gnu.org
Subject: bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed
Date: Mon, 23 Jun 2014 17:21:48 -0400

> Eg if clients automatically (even with prompting) install public keys
> from the package server the first time they connect, then this leaves
> zero protection against a man-in-the-middle attack. I connect to
> something that says it is elpa.gnu.org and install the key it offers.
> I have no way to know if it really is elpa.gnu.org.

SSH does it this way and nobody really complains loudly about it:
basically, you have to trust the initial connection, but not subsequent
ones (since you already have the key at that point).

> (With elpa.gnu.org we should distribute the public key in the Emacs etc/
> directory.)

Yes.


        Stefan

This bug report was last modified 10 years and 236 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #17625 details of package signing mechanism

GNU bug report logs - #17625
details of package signing mechanism