[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] package.el: check tarball signature

From: Ted Zlatanov
Subject: Re: [PATCH] package.el: check tarball signature
Date: Wed, 02 Oct 2013 06:41:28 -0400
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)

On Wed, 02 Oct 2013 16:16:04 +0900 Daiki Ueno <address@hidden> wrote: 

DU> I've read the discussion and patches, but it's still unclear to me.
DU> Your latest(?) patch (package-archive-signed-3.patch) has
DU> package--create-detached-signature, but nobody calls it.  For what
DU> purpose would you need signature generation?

So the maintainer can create a signature from Emacs instead of
externally.  The signer is intended to be a maintainer after review, not
a package creator.

DU> Or, perhaps you wanted to develop a user interface to upload tarballs
DU> with signature?  Then it should be go into package-x.el instead of
DU> package.el, I suppose.

It's something you would run on the ELPA server, not at upload time.

I thought it belonged nicely in package.el.

DU> Anyway, I'm a bit surprised that there are few researches of existing
DU> packaging systems which already utilize GPG signature, such as Debian
DU> and Fedora.  AFAIK, those systems do not require signing operation in
DU> their installer UI.

package.el is not just an installer UI, it's a full package manager.

>> In addition I started on the EPG interaction you've finished, so you can
>> probably start with my patch and fix the EPG-related pieces and any
>> other issues instead of writing your own.

DU> I'm sorry, I couldn't find anything I can reuse in your patch.  It even
DU> succeeds signature verification when GPG reports bad signatures.

That's one of the EPG-related pieces I mentioned need fixing.  But at
this point your v2 patch has done the work so there's no point in arguing.

DU> Also, why did you choose ".gpgsig" extension rather than ".sig",
DU> which has already been used on ftp.gnu.org for a decade?

I think the extension name is not that important, but here specifically
I wanted to indicate it's generated by GPG.  .sig will obviously work
exactly the same way.

DU> And I think it's too much to modify package--with-work-buffer to
DU> check signatures of all files downloaded.

I disagree, but please implement what you believe will do the work of
checking the signatures for packages (tarballs and individual) and the
package index.  That's the goal; the implementation details don't
matter too much.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]