GNU bug report logs - #66414
GNU ELPA: Require signed tags to release new package versions

Previous Next

Full log

View this message in rfc822 format

From: Eshel Yaron <me <at> eshelyaron.com>
To: Stefan Kangas <stefankangas <at> gmail.com>
Cc: 66414 <at> debbugs.gnu.org, philipk <at> posteo.net, yantar92 <at> posteo.net, monnier <at> iro.umontreal.ca
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Date: Mon, 09 Oct 2023 10:32:41 +0200

Hi,

Stefan Kangas <stefankangas <at> gmail.com> writes:

> Severity: wishlist
>
> I propose optionally releasing a new version of packages on
> NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
> it mandatory, at the very least not initially, because it would break
> too many existing workflows.
>

Do I understand correctly that under this proposal package
authors/maintainers would need to opt-in to such signature validation?

Another option that might be worth considering is to continue releasing
packages, with or without a valid signature, and instead to indicate the
absence or invalidity of a signature in the packages list and in other
package.el commands.  This has the benefit of requiring nothing from
package maintainers while creating a clear incentive to add those
signatures, and it would also give users the chance to employ their
personal judgment on case-by-case basis.  OTOH There are many cases to
consider, such as what happens when a user wants to upgrade a signed
package but the newer version is unsigned.

> The standard feature to do that in git would be a signed git tag.
> However, (Non-)GNU ELPA currently rebuilds package tarballs every time
> the "Version" comment header is updated, while git tags are ignored.
>
> Forwarded from
>
>     https://lists.gnu.org/r/emacs-devel/2023-02/msg00120.html

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.