Re: [PATCH] package.el: check tarball signature
From: Stephen J. Turnbull
Subject: Re: [PATCH] package.el: check tarball signature
Date: Sat, 05 Oct 2013 14:40:46 +0900

Daiki Ueno writes:
> Ted Zlatanov <address@hidden> writes:
>
> > I can put up my current patch for review but I still have HMAC, maybe
> > UMAC, and RSA+DSA+ECC crypto to finish. The hashing methods and the
> > ciphers in ECB, CBC, and CTR modes are done with tests. Should I make a
> > Bazaar branch for that work? Is anyone interested in reviewing it?
>
> Probably I should shut up, but...

Please don't. You seem to be the only sane voice[1] in the crowd.
Not that I agree 100% with everything you've written, but at least you
have the security mindset. Everybody else seems to think this is like
fixing any other bug.

> Does that mean all the package signatures will be signed/verified with
> your own "Emacs internal" signature format, and all the packagers will
> need to use your tool and Emacs, instead of GPG, right?

He has suggested that, but AFAIK he doesn't insist on it.

Still, the whole idea worries me; there's no reason to suppose it will
increase security, and Ted never has seemed to grasp that security is
not a SMOP, nor that security is inherently inconvenient. Quis
custodiat ipsos custodes? Do you really want to put a possible fox in
charge of the security check at the henhouse door?

> That is what I opposed again and again and suggested to use a standard
> format.

+1

Footnotes:
[1] I don't understand security well enough to claim to be a sane
voice, but at least I know how little I know.