GNU bug report logs - #23513
package.el treats empty signatures as correct


Package: emacs;

Reported by: "L. Dixon" <_ <at> lizzie.io>

Date: Wed, 11 May 2016 18:23:01 UTC

Severity: important

Tags: patch, security

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


Message #29 received at 23513 <at> debbugs.gnu.org:

From: Dmitry Gutov <dgutov <at> yandex.ru>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 23513 <at> debbugs.gnu.org, "L. Dixon" <_ <at> lizzie.io>
Subject: Re: bug#23513: package.el treats empty signatures as correct
Date: Mon, 16 May 2016 23:19:37 +0300
On 05/16/2016 09:39 PM, Glenn Morris wrote:

>> That's definitely a cause for concern. Glenn, does Hydra lack the
>> necessary libraries to support the package signature check?
>
> Hydra's "gnupg" package is from the 2.0 series, and only provides a
> "gpg2" executable. epg-config--program-alist requires something from the
> 2.1 series. So (epg-find-configuration 'OpenPGP) fails with "no usable
> configuration".
>
> I have added "gnupg1" to the requirements for the coverage build in an
> effort to get a "gpg" executable. We'll see if this helps.

Thanks.

Ideally, we'd have something like (skip-unless (or (getenv "HYDRA") (ignore-errors ...))), to make sure that tests like that are _not_ skipped on the CI.

Individual contributors may not have gpg installed (although there's a 
case to be made that the package tests should just fail for them), but 
the CI is our last "line of defense", especially for important tests.

> (It would be easier to see if this worked if the coverage job wasn't
> currently failing, as it has been for two weeks, due to network-stream
> changes that cause a test failure - bug#23508. This is a repeated pattern
> that makes me think people don't actually pay much attention to the
> coverage job.)

I've noticed this failure when running tests locally, but it's far from 
my area of expertise.

I think using a separate mailing list for the build status notifications 
might be a mistake. I'm not subscribed to it (not sure why; maybe I've 
missed the announcement), and apparently not many other people are.

There's not a lot of traffic there; why not just send it to emacs-devel?
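The skip-unless pattern suggested above, written out as an added ERT example (not code from the bug thread or from Emacs itself): locally the test is skipped when GnuPG is unusable, but under Hydra it is never skipped, so a missing or unsupported gpg there fails the job instead of quietly passing. It assumes, as the suggestion does, that the Hydra build sets a HYDRA environment variable; the function names prefixed `example-` are hypothetical.

```elisp
;; Added example, not part of the bug thread or of package.el.
(require 'ert)
(require 'epg-config)

(defun example-gpg-usable-p ()
  "Return non-nil if epg can find a usable OpenPGP configuration.
`epg-find-configuration' signals an error (\"no usable configuration\")
when no gpg/gpg2 of a supported version is installed; treat that as
\"not usable\" rather than letting the error escape."
  (ignore-errors (epg-find-configuration 'OpenPGP)))

(defun example-on-ci-p ()
  "Non-nil when running under Hydra.
Assumption: the Hydra coverage build exports a HYDRA variable."
  (getenv "HYDRA"))

(ert-deftest example-signature-machinery-present ()
  "Signature verification must be testable wherever it matters.
Locally: skip if gpg is absent, so contributors without GnuPG are not
blocked.  On CI: never skip, so the signature tests cannot be silently
dropped from the run."
  (skip-unless (or (example-on-ci-p) (example-gpg-usable-p)))
  ;; Reaching this point on CI without a usable gpg fails loudly,
  ;; which is the whole point: the CI is the last line of defense for
  ;; the signature-check tests.
  (should (example-gpg-usable-p)))
```

Run it with `ert-run-tests-batch-and-exit` in the CI job; a skipped test shows up as "skipped" locally and as a hard failure on Hydra when gpg is missing.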




This bug report was last modified 9 years and 8 days ago.
