From: | Glenn Morris |
Subject: | bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed |
Date: | Mon, 23 Jun 2014 14:12:49 -0400 |
User-agent: | Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/) |
PS I won't pretend to know what I am talking about here, but I worry that the combination of automated package signing and automated key installation will make this package-signing feature not worth very much in practice. E.g. if clients automatically (even with prompting) install public keys from the package server the first time they connect, then this leaves zero protection against a man-in-the-middle attack. I connect to something that says it is elpa.gnu.org and install the key it offers. I have no way to know if it really is elpa.gnu.org. (With elpa.gnu.org we should distribute the public key in the Emacs etc/ directory.)
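The trust-model point above, as an added example that is not part of this thread or of package.el: a client that installs whatever key the server offers on first contact versus one that only trusts a key shipped with the client. The RSA here uses tiny constructed parameters purely so that sign/verify is real rather than stubbed; the key sizes, the archive index bytes and the two client functions are all assumptions of this example.

```python
import hashlib

# Toy RSA with tiny, insecure parameters (constructed for this example only):
# real sign/verify so the trust policies below are exercised, not stubbed.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    n, d = priv
    return pow(digest(data) % n, d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data) % n

class Archive:
    """What a client sees when it connects to 'elpa.gnu.org': the archive
    index, its signature, and the public key the server offers."""
    def __init__(self, priv, pub, contents):
        self.contents, self.offered_key = contents, pub
        self.sig = sign(priv, contents)

def tofu_client(archive, keyring):
    """Installs the server-offered key on first contact, then verifies."""
    if not keyring:
        keyring.append(archive.offered_key)
    return any(verify(k, archive.contents, archive.sig) for k in keyring)

def pinned_client(archive, keyring):
    """Only keys shipped with the client (the proposed etc/ copy) count;
    the key offered by the server is ignored."""
    return any(verify(k, archive.contents, archive.sig) for k in keyring)

def run_scenarios():
    gnu_pub, gnu_priv = make_keypair(1000003, 1000033)    # genuine archive key
    mitm_pub, mitm_priv = make_keypair(1000037, 1000039)  # impostor's own key
    index = b"(1 (foo . [(1 0) nil \"Foo\" tar]))"        # constructed index
    honest = Archive(gnu_priv, gnu_pub, index)
    # The impostor serves a tampered index correctly signed with its own key.
    mitm = Archive(mitm_priv, mitm_pub, index + b" ; tampered")
    return {
        "tofu_honest_first": tofu_client(honest, []),
        "tofu_mitm_first": tofu_client(mitm, []),          # accepted: no protection
        "pinned_honest": pinned_client(honest, [gnu_pub]),
        "pinned_mitm": pinned_client(mitm, [gnu_pub]),     # rejected
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```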