emacs-devel

Signing local variable lists.


From: Richard Stallman
Subject: Signing local variable lists.
Date: Thu, 08 Apr 2004 10:57:46 -0400

To: address@hidden
Subject: Re: Is this a bad idea?
In-Reply-To: <address@hidden>
From: Hugo Gayosso <address@hidden>
Original-Original-Sender: address@hidden
Mail-Host-Address: gnu.org
Organization: The GNU Project
Date: 07 Apr 2004 21:30:06 -0400
Sender: GNU User <address@hidden>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Since you have some understanding of security issues,
> what do you think of this suggestion?

>> Ok, I have had an idea which might be stupid or not.  And it might
>> also have political implications which I am too stupid to see.  I just
>> want to put it out.

Ok, I will answer, putting any "political implications" aside, as I
don't understand exactly what he meant by that.


> How about the following then?
> 
> ;;; Local variables:
> ;;; eval: (put 'preview-defmacro 'lisp-indent-function 'defun)
> ;;; end:
> ;;; gpg-signed: 
> iD8DBQFAbwnJBo350SLJfmgRAhf9AKCFvutpMNxc4oGK/vh2fdVV0MT/dgCeJn66
> ;;; Qc8BXtn2zlGbofY2YMLIAg8=
> ;;; =s5sr
> 
> Something like that.  I would then customize a variable that tells
> whose signatures I trust enough not to get the stupid question again
> and again.

I think it is OK.


* User A attaches the signature to the block.

  Exactly which format to use needs to be worked out; the way I did
  it in Emacs was via 'mc-sign', and it generated the following:

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

;;; Local variables:
;;; eval: (put 'preview-defmacro 'lisp-indent-function 'defun)
;;; end:
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAdKlzMNObVRBZveYRAu5JAJ9y+5wq23ikydU0HzrQ9wiJfYW0YQCeNxl0
xX90PViGg/sfK+YxBZ/roVg=
=HShG
- -----END PGP SIGNATURE-----


> Obviously, this also makes it possible for me to look at the local
> variable block once, decide that it is good enough for me, and sign
> it.

I could think of another scheme where the same block can be signed by
different people at the same time, so in theory the more signatures it
has, the more trust you can have that it is the real thing.

The signatures could be stored in the same file, or we could have a
special directory where you store signatures and a table that shows to
which file they belong.


> Any change in local variables will render the signature invalid, of
> course.

I agree.


Hope it helps,
- -- 
Hugo Gayosso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAdKsdMNObVRBZveYRAochAJ0c8ZltlFw9TpFwZFyxP/qGHmddkgCfaLgm
2oSdu2V02mMrGALMe4H0aMw=
=rrej
-----END PGP SIGNATURE-----
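
The policy discussed in this message (sign only the local variables block, keep a table of trusted signers, optionally require several signatures), as an added Python example that is not code from the thread or from Emacs. It assumes a simplified block parser, hypothetical names (`may_eval`, `TRUSTED`, `user-a`), and HMAC-SHA256 as a stand-in for OpenPGP signatures so that it runs with the standard library only.

```python
import hashlib
import hmac
import re

def local_variables_block(text):
    """Return the last 'Local variables:' ... 'end:' block as bytes, or None."""
    lines = text.splitlines(keepends=True)
    for i in range(len(lines) - 1, -1, -1):
        m = re.match(r"(.*?)Local variables:\s*$", lines[i], re.IGNORECASE)
        if not m:
            continue
        prefix = m.group(1)  # e.g. ";;; "; every line of the block must carry it
        for j in range(i + 1, len(lines)):
            if not lines[j].startswith(prefix):
                return None  # malformed block: treat as unsigned
            if lines[j][len(prefix):].strip().lower() == "end:":
                return "".join(lines[i:j + 1]).encode("utf-8")
        return None  # no "end:" line
    return None

def sign(key, block):
    # Stand-in for an OpenPGP signature (assumption): HMAC-SHA256, stdlib only.
    return hmac.new(key, block, hashlib.sha256).hexdigest()

def valid_trusted_signers(block, signatures, trusted_keys):
    """Signers that are in the trusted table AND whose signature verifies."""
    return {
        signer for signer, sig in signatures.items()
        if signer in trusted_keys
        and hmac.compare_digest(sign(trusted_keys[signer], block), sig)
    }

def may_eval(text, signatures, trusted_keys, threshold=1):
    """True only if at least `threshold` trusted signers vouch for the block."""
    block = local_variables_block(text)
    if block is None:
        return False
    return len(valid_trusted_signers(block, signatures, trusted_keys)) >= threshold

# Constructed sample file and keys, for illustration only.
SAMPLE = (
    "(defun f ())\n"
    ";;; Local variables:\n"
    ";;; eval: (put 'preview-defmacro 'lisp-indent-function 'defun)\n"
    ";;; end:\n"
)
TRUSTED = {"user-a": b"constructed-key-a", "user-b": b"constructed-key-b"}
SIGS = {name: sign(key, local_variables_block(SAMPLE)) for name, key in TRUSTED.items()}
```

Because only the block is covered, editing code elsewhere in the file leaves the signatures valid, while any change inside the block invalidates them.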




