GNU bug report logs - #22089
installs packages with bad signatures

Previous Next

Package: emacs;

Reported by: Glenn Morris <rgm <at> gnu.org>

Date: Thu, 3 Dec 2015 23:11:02 UTC

Severity: important

Found in version 25.0.50

Done: Artur Malabarba <bruce.connor.am <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: bruce.connor.am <at> gmail.com
Cc: tracker <at> debbugs.gnu.org
Subject: bug#22089: closed (installs packages with bad signatures)
Date: Sun, 06 Dec 2015 14:02:02 +0000

[Message part 1 (text/plain, inline)]
Your message dated Sun, 6 Dec 2015 14:01:12 +0000
with message-id <CAAdUY-JkFFg0cRuSj-iNCk0pwZFgvTssTVjncO5CHzX3M=yK+A <at> mail.gmail.com>
and subject line Re: bug#22089: installs packages with bad signatures
has caused the debbugs.gnu.org bug report #22089,
regarding installs packages with bad signatures
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
22089: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22089
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Glenn Morris <rgm <at> gnu.org>
To: submit <at> debbugs.gnu.org
Subject: installs packages with bad signatures
Date: Thu, 03 Dec 2015 18:10:09 -0500

Package: emacs
Version: 25.0.50
Severity: important

Emacs happily installs packages with bad gpg signatures.
This has been flagged by the test-suite and automated builds for the past
several weeks. (I feel like asking why we even have those things, for
all the attention they seem to get.)

This seems to be the first failure.
http://hydra.nixos.org/build/27800227

Here is the diff from the previous build, with several package changes:
http://hydra.nixos.org/api/scmdiff?type=git&rev2=937565268a5dc3377d4c9bff6d48eb3645a77160&rev1=70f1fda4ae6abb5e11dcf281738c25f6f5b06061&uri=git%3A%2F%2Fgit.sv.gnu.org%2Femacs.git&branch=

Here's a standalone recipe in the emacs-25 branch:

cd test/automated
mkdir /tmp/foo
HOME=/tmp/foo ../../src/emacs -Q
(setq package-archives `(("gnu" . ,(expand-file-name "data/package/signed/"))))
(package-import-keyring "data/package/key.pub")
(package-initialize)
(package-refresh-contents)
(package-install 'signed-bad)

M-x list-packages    ->  signed-bad installed



[Message part 3 (message/rfc822, inline)]
From: Artur Malabarba <bruce.connor.am <at> gmail.com>
To: Michael Albinus <michael.albinus <at> gmx.de>
Cc: Glenn Morris <rgm <at> gnu.org>, 22089-done <at> debbugs.gnu.org
Subject: Re: bug#22089: installs packages with bad signatures
Date: Sun, 6 Dec 2015 14:01:12 +0000

[Message part 4 (text/plain, inline)]
Ok, thanks Michael.
Closing this then.

[Message part 5 (text/html, inline)]
This bug report was last modified 9 years and 219 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.