Re: [PATCH] package.el: check tarball signature

[Eli Zaretskii]

> From: Ted Zlatanov <address@hidden>
> Date: Sat, 05 Oct 2013 06:11:51 -0400
> 
> On Sat, 05 Oct 2013 10:09:25 +0300 Eli Zaretskii <address@hidden> wrote: 
> 
> >> From: Ted Zlatanov <address@hidden>
> >> Date: Fri, 04 Oct 2013 17:14:44 -0400
> >> 
> >> >> Actually, let's wait.  If all turn out well, most/all ELPA archives will
> >> >> start providing signatures in the not too distant future and there'll be
> >> >> no need for per-archive settings (and we can change the default to t).
> >> 
> EZ> Are you saying that verification will not need gpg be installed?
> >> 
> >> If my work with libnettle progresses well, I think we'll be able to at
> >> least verify GPG signatures without calling out to GnuPG or other tools
> >> on all the platforms that have libnettle+libhogweed (any platforms with
> >> GnuTLS support AFAIK).
> 
> EZ> And what about users whose Emacs doesn't have GnuTLS?  Are we saying
> EZ> they will not be able to install packages from ELPA without being
> EZ> annoyed by prompts and error messages?
> 
> No one has said that AFAIK.

Stefan did, see above.

> My suggestion was to give users the choice (per archive) to always,
> maybe, or never verify packages.  Currently this choice is global in
> Daiki Ueno's changes that were committed recently, but it's still a
> choice.

Daiki's default is not t.