package.el + DVCS for security and convenience (was: ELPA security)
From: Ted Zlatanov
Subject: package.el + DVCS for security and convenience (was: ELPA security)
Date: Sat, 22 Dec 2012 14:37:13 -0500
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)

I propose to require signatures for ELPA packages and make package.el
aware of signatures:

http://doc.bazaar.canonical.com/beta/en/user-guide/gpg_signatures.html

(the same idea for Git: http://git-scm.com/book/en/Git-Basics-Tagging)

The key is to make package.el talk to a repository, not to a web site.
Then, package.el can verify the history of the package as a series of
revisions and verify their signatures. That would require much better
integration with Bazaar and Git for package.el, but I actually think
that's a good thing and would give users convenient tools like seeing
the history of a package with all the commits.

Maybe `vc-dir' already has code to do this, so package.el can simply
ride on top of it.

This has several benefits:

- doesn't introduce new infrastructure or ELPA/Emacs packages

- is entirely optional to package.el, so repositories and individual
  packages within them can choose to use this mechanism

- does not depend on a central authority like SSL

- if the tools to verify the GPG signature are not available, we can
  fall back to warning the user instead of failing altogether

Ted
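
The check proposed in the message above, sketched for Git as an added example that is not part of the original post and is not package.el code: it walks a package's history using the per-commit signature status Git reports, fails on a bad or untrusted signature, and only warns when a commit is unsigned or gpg is unavailable. The names TRUSTED_FPRS, check_history and verify_package_repo, the pinned-fingerprint policy and all sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not package.el code. TRUSTED_FPRS, check_history and
# verify_package_repo are hypothetical names; all sample values are constructed.

# Fingerprints of signing keys the user has decided to trust (constructed).
TRUSTED_FPRS="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"

# Reads "<commit> <status> <fingerprint>" lines on stdin, i.e. the output of
#   git log --format='%H %G? %GF'
# and prints one verdict: ok, warn:<reason>:<commit> or fail:<reason>:<commit>.
check_history() {
    verdict=ok
    while read -r commit status fpr; do
        case "$status" in
            G|U) # signature verifies; accept only a key on the trusted list
                case " $TRUSTED_FPRS " in
                    *" $fpr "*) ;;
                    *) echo "fail:untrusted-key:$commit"; return 1 ;;
                esac ;;
            B|X|Y|R) # bad, expired, or made by an expired/revoked key
                echo "fail:bad-signature:$commit"; return 1 ;;
            # Signing is optional: these only warn (last such commit read wins).
            E) verdict="warn:cannot-check:$commit" ;;
            N) verdict="warn:unsigned:$commit" ;;
            *) echo "fail:unknown-status:$commit"; return 1 ;;
        esac
    done
    echo "$verdict"
}

# Runs the check on a Git checkout ($1). A missing gpg binary produces a
# warning instead of a failure, as the message proposes.
verify_package_repo() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "warn:gpg-not-installed"; return 0
    fi
    git -C "$1" log --format='%H %G? %GF' | check_history
}

# Constructed sample: one unsigned commit, two signed by the trusted key.
SAMPLE_HISTORY="c0ffee03 N
c0ffee02 G AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
c0ffee01 G AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"

printf '%s\n' "$SAMPLE_HISTORY" | check_history   # prints warn:unsigned:c0ffee03
```

Accepting status U (good signature, unknown validity) is safe here only because the fingerprint is checked against the pinned list; without that list, U should be treated like an untrusted key.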