GNU bug report logs - #66369: Change package-check-signature default to t
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Severity: wishlist
I propose to change the default of `package-check-signature' to t when
gpg is available.
Previous discussion here:
https://lists.gnu.org/r/emacs-devel/2023-02/msg00680.html
The current default is `allow-unsigned', which is about as useful for
security purposes as if it was nil. But if the default is t, users will
be forced to have OpenPGP installed.
In the above discussion, Eli suggested:
> We could also display a warning, once, when we detect that OpenPGP is
> not available and set the value to allow-unsigned. This way the user
> is alerted to the problem and can take action to fix it.
I'd add that we could also prompt in this situation, perhaps something
along the lines of:
"No working PGP installation detected; install package(s) without
verifying signature (unsafe)? (y/n)"
This bug report was last modified 1 year and 253 days ago.
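A user can opt in to the stricter behaviour from an init file while the default remains `allow-unsigned'. The following is an added example, not part of the original report and not code from package.el; the function name my/package-strict-signatures and the warning text are hypothetical.

```elisp
;;; Added example: require package signatures only when OpenPGP is usable.
(require 'package)
(require 'epg-config)

(defun my/package-strict-signatures ()
  "Set `package-check-signature' to t when an OpenPGP program is found.
Otherwise fall back to `allow-unsigned' and warn, so the weaker
setting is never selected silently.  Return the value chosen."
  ;; `epg-find-configuration' returns nil when no usable gpg is found;
  ;; `ignore-errors' treats a broken installation the same way.
  (if (ignore-errors (epg-find-configuration 'OpenPGP))
      ;; With t, a package from an archive that does not publish
      ;; signatures will fail to install unless that archive is
      ;; listed in `package-unsigned-archives'.
      (setq package-check-signature t)
    (display-warning
     'package
     "No working OpenPGP installation detected; package signatures will not be verified"
     :warning)
    (setq package-check-signature 'allow-unsigned)))

;; Run before the first `package-install' or `package-refresh-contents'.
(my/package-strict-signatures)
```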