From: Eli Zaretskii
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Tue, 07 Feb 2023 14:10:42 +0200

> Cc: 61277@debbugs.gnu.org, stefan@marxist.se, yantar92@posteo.net,
>  monnier@iro.umontreal.ca
> From: Richard Stallman <rms@gnu.org>
> Date: Mon, 06 Feb 2023 22:56:35 -0500
> 
>   > My git commits are usually signed, so one could check the signature of
>   > each commit which leads to a package build. This feature could be opt-in
>   > for now, enabled via an attribute :signature in the elpa-packages
>   > configuration. Maybe elpa-packages could store the fingerprint(s) of the
>   > expected GPG key(s)?
> 
> What do other maintainers think of this?

I don't have an opinion.  Frankly, I don't really understand what
would signing commits give in this regard, given that people who
install a package normally install a tarball, they don't clone the Git
repository.  I also don't think the goals were stated clearly, so it's
hard to reason about this.  But then I'm nowhere near being an expert
on this stuff, so I could easily miss something important.

> Should we move this to emacs-devel?  A specific bug ticket
> is not the right place for such an important topic.

Agreed.
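The check the quoted proposal describes, that every commit feeding a package build carries a good OpenPGP signature from a key whose fingerprint is listed in the package's configuration, written out as an added POSIX shell example. This is not code from the thread or from the ELPA build scripts: the `check_commit` and `check_range_log` function names, the `ALLOWED_FPRS` list and the sample log lines are all constructed for illustration, and the only real interface relied on is `git log --format` with the `%G?` (signature status) and `%GP` (primary-key fingerprint) placeholders. As Eli's reply points out, such a check sees the Git history rather than the tarball users install, so it only protects the build step itself: it belongs in the archive's build pipeline, between the last built revision and the new head.

```shell
#!/bin/sh
# Added example (not the ELPA build scripts): gate a package build on every new
# commit carrying a good OpenPGP signature from an allowlisted primary key.

# Allowlisted primary-key fingerprints. CONSTRUCTED placeholders, not any real
# maintainer's keys; in the proposal these would come from a :signature
# attribute in elpa-packages.
ALLOWED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567 FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# check_commit <sha> <status> <primary-fpr>
# <status> is git's %G? letter. Only G (good signature, trusted key) and
# U (good signature, unknown trust) are accepted: the fingerprint allowlist
# is the trust anchor here, so gpg's own trust level is not what decides.
# B (bad), X/Y (expired), R (revoked), E (cannot check) and N (unsigned)
# are all rejected. Returns 0 when acceptable, 1 otherwise.
check_commit() {
    sha=$1; status=$2; fpr=$3
    case "$status" in
        G|U) ;;
        *) echo "REJECT $sha: signature status '$status'" >&2; return 1 ;;
    esac
    for allowed in $ALLOWED_FPRS; do
        [ "$fpr" = "$allowed" ] && return 0
    done
    echo "REJECT $sha: key $fpr not in allowlist" >&2
    return 1
}

# check_range_log reads lines "<sha> <%G?> <%GP>" on stdin, as produced by
#   git log --format='%H %G? %GP' <last-built>..<head>
# and returns 0 only if every commit passes. Empty input (no new commits)
# passes, since there is nothing new to build from.
check_range_log() {
    rc=0
    while read -r sha status fpr _; do
        [ -n "$sha" ] || continue
        # An unsigned commit has an empty %GP field; substitute a marker so
        # the rejection message stays readable.
        check_commit "$sha" "$status" "${fpr:-none}" || rc=1
    done
    return $rc
}

# Constructed sample git-log output: two acceptable commits, one unsigned
# commit, and one signed by a key that is not on the allowlist.
SAMPLE_LOG='1111111111111111111111111111111111111111 G 0123456789ABCDEF0123456789ABCDEF01234567
2222222222222222222222222222222222222222 U FEDCBA9876543210FEDCBA9876543210FEDCBA98
3333333333333333333333333333333333333333 N 
4444444444444444444444444444444444444444 G DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF'

# In a real build script the gate would be:
#   git log --format='%H %G? %GP' "$LAST_BUILT..$HEAD" | check_range_log || exit 1
# Here it runs over the constructed sample, which must be blocked.
main_demo() {
    if printf '%s\n' "$SAMPLE_LOG" | check_range_log; then
        echo "all commits acceptable: build may proceed"
    else
        echo "build blocked: at least one commit failed the signature policy"
    fi
}

main_demo
```

Pinning `%GP` (the primary key) rather than `%GF` (the signing subkey) lets a maintainer rotate signing subkeys without touching the package configuration; pin `%GF` instead if the policy is meant to bind to one specific subkey.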
