GNU bug report logs - #61277
FR: ELPA security - Restrict package builds to signed git commits


Package: emacs;

Reported by: Daniel Mendler <mail <at> daniel-mendler.de>

Date: Sat, 4 Feb 2023 18:20:02 UTC

Severity: wishlist

Tags: security



Message #17 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: rms <at> gnu.org
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, stefan <at> marxist.se,
 yantar92 <at> posteo.net, monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed
 git commits
Date: Tue, 07 Feb 2023 14:10:42 +0200
> Cc: 61277 <at> debbugs.gnu.org, stefan <at> marxist.se, yantar92 <at> posteo.net,
>  monnier <at> iro.umontreal.ca
> From: Richard Stallman <rms <at> gnu.org>
> Date: Mon, 06 Feb 2023 22:56:35 -0500
> 
>   > My git commits are usually signed, so one could check the signature of
>   > each commit which leads to a package build. This feature could be opt-in
>   > for now, enabled via an attribute :signature in the elpa-packages
>   > configuration. Maybe elpa-packages could store the fingerprint(s) of the
>   > expected GPG key(s)?
> 
> What do other maintainers think of this?

I don't have an opinion.  Frankly, I don't really understand what
would signing commits give in this regard, given that people who
install a package normally install a tarball, they don't clone the Git
repository.  I also don't think the goals were stated clearly, so it's
hard to reason about this.  But then I'm nowhere near being an expert
on this stuff, so I could easily miss something important.

> Should we move this to emacs-devel?  A specific bug ticket
> is not the right place for such an important topic.

Agreed.
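The check the feature request describes (verify the signature of every commit that leads to a package build, against fingerprints stored in the package configuration) can be expressed concretely on the build-server side, where commits are turned into the tarballs users install. The following is an added example for this thread, not ELPA's own build code: it parses the output of `git log --format='%H%x09%G?%x09%GP'` (real git-log placeholders: commit hash, tab, signature status letter, tab, primary-key fingerprint of the signing key) and rejects a build if any commit in the range is unsigned, badly signed, or signed by a key outside the allow-list. The `SAMPLE_LOG` rows, hashes and fingerprints are constructed placeholders, and the `:signature`-style allow-list is passed in as a plain Python list.

```python
"""Gate a package build on the signature status of each commit in the range.

Added example for bug#61277; not ELPA's own code.  Parses the output of
``git log --format='%H%x09%G?%x09%GP'`` (real git placeholders: commit hash,
%G? status letter, %GP primary-key fingerprint of the signing key) and rejects
any commit that is unsigned, badly signed, or signed by a non-allow-listed key.
"""
import subprocess
from dataclasses import dataclass

# Meaning of git's %G? status letters (from git-log(1)).
ACCEPTED_STATUS = {"G"}   # good signature, key fully trusted in the keyring
SOFT_STATUS = {"U"}       # good signature, but key validity unknown
STATUS_TEXT = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown key validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}


@dataclass
class CommitCheck:
    commit: str
    status: str
    fingerprint: str
    ok: bool
    reason: str


def parse_git_log(text):
    """Parse tab-separated '%H\\t%G?\\t%GP' lines into (hash, status, fpr) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"unexpected git log line: {line!r}")
        rows.append(tuple(parts))
    return rows


def check_commits(rows, allowed_fingerprints, accept_unknown_validity=False):
    """Evaluate every commit; fingerprints are compared without spaces, case-insensitively."""
    allowed = {f.replace(" ", "").upper() for f in allowed_fingerprints}
    results = []
    for commit, status, fpr in rows:
        fpr = fpr.replace(" ", "").upper()
        good = status in ACCEPTED_STATUS or (accept_unknown_validity and status in SOFT_STATUS)
        if good and fpr in allowed:
            results.append(CommitCheck(commit, status, fpr, True, STATUS_TEXT[status]))
        elif good:
            results.append(CommitCheck(commit, status, fpr, False,
                                       f"signed by unexpected key {fpr or '<none>'}"))
        else:
            results.append(CommitCheck(commit, status, fpr, False,
                                       STATUS_TEXT.get(status, f"unknown status {status!r}")))
    return results


def build_allowed(results):
    """The package may be built only if every commit in the range passed."""
    return all(r.ok for r in results)


def git_signature_rows(repo_dir, rev_range):
    """Obtain rows for a real repository (requires git and a keyring; not run offline)."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", "--format=%H%x09%G?%x09%GP", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_git_log(out)


# Constructed sample, shaped as git would print it: one good commit from the
# expected key, one unsigned commit, one signed by some other key.  Hashes and
# fingerprints are made-up placeholders, not real commits or keys.
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tG\tAAAA0000BBBB1111CCCC2222DDDD3333EEEE4444",
    "2222222222222222222222222222222222222222\tN\t",
    "3333333333333333333333333333333333333333\tG\t9999888877776666555544443333222211110000",
])
SAMPLE_ALLOWED = ["AAAA 0000 BBBB 1111 CCCC 2222 DDDD 3333 EEEE 4444"]

if __name__ == "__main__":
    results = check_commits(parse_git_log(SAMPLE_LOG), SAMPLE_ALLOWED)
    for r in results:
        print(f"{r.commit[:12]} {'OK    ' if r.ok else 'REJECT'} {r.reason}")
    print("build allowed:", build_allowed(results))
```

Two design points worth noting: the status letter alone is not enough, because `G` only says the signature verifies against some key in the build server's keyring, so the fingerprint must also match the package's allow-list; and `U` (valid signature, key validity unknown) is rejected by default so that an unfamiliar key cannot pass merely by being importable.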



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.