Re: ELPA security

From: Ted Zlatanov
Subject: Re: ELPA security
Date: Tue, 12 Mar 2013 14:29:37 -0400
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)

On Tue, 08 Jan 2013 18:30:50 -0500 Ted Zlatanov <address@hidden> wrote: 

TZ> On Tue, 08 Jan 2013 17:46:51 -0500 Stefan Monnier <address@hidden> wrote: 
SM> I do wonder about key management, tho: the GNU ELPA key (note: not
SM> "maintainer" because the key does not belong to any human being)
SM> will not last for ever.
>>> I thought the maintainers would have their own keys, and they would sign
>>> a GNU ELPA "signing subkey" that's only used for releasing.

SM> I'm sufficiently unsophisticated that I don't really know what
SM> that means.  I understand keys can expire and can be revoked, but that
SM> doesn't say how the end-user will deal with such a situation.

SM> We need some way to update the signing key in a trustworthy way.

TZ> OK, I'll prepare a workflow and offer it for public review as part of
TZ> the POC.

FYI, I plan to start on the ELPA security (both in code and workflow)
after Daniel Hackney's contribution to standardize package.el's
internals is merged or retracted.  I'll try to keep the code changes

