[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] package.el: check tarball signature

From: Eli Zaretskii
Subject: Re: [PATCH] package.el: check tarball signature
Date: Mon, 30 Sep 2013 22:58:13 +0300

> From: Daiki Ueno <address@hidden>
> Date: Mon, 30 Sep 2013 15:48:16 -0400
> Well, I still don't understand why this is advertised as such a
> difficult problem, particularly why package.el would need sign operation
> with Emacs.  Am I missing something?
> Perhaps it might make sense to discuss with some code.  Here it is.
> The code verifies a detached signature NAME-VERSION.tar.sig with a
> trusted keyring located under ~/.emacs.d/elpa/gnupg/.  That's it.
> For uploading packages, we could simply use the same mechanism as
> gnupload in Gnulib.
> It's actually a 10-minute work at an airport lobby and tested only with
> the local package archive.

Thanks, but please add a defcustom to disable this check (e.g.,
because gnupg isn't installed, and isn't going to be).

In general, I think .sig files are there for those who want to verify
the packages, but users should not be forced to do that as a
prerequisite for downloading.  (And no, the y-or-n-p question doesn't
cut it: it's a nuisance to have to answer that question every time.)

reply via email to

[Prev in Thread] Current Thread [Next in Thread]