Re: [PATCH] package.el: check tarball signature

From: Daiki Ueno
Subject: Re: [PATCH] package.el: check tarball signature
Date: Wed, 02 Oct 2013 21:22:53 +0900
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)

Ted Zlatanov <address@hidden> writes:

> DU> For what purpose would you need signature generation?
> So the maintainer can create a signature from Emacs instead of
> externally.  The signer is intended to be a maintainer after review, not
> a package creator.

I'm fine with signing with dput for Debian and gnupload for GNU; who
else of you really wants that feature?  Reference?

> It's something you would run on the ELPA server, not at upload time.

I'd rather use another scripting language to do such a batch job.

> package.el is not just an installer UI, it's a full package manager.

Why is the uploading part separated into package-x.el then?

> DU> I'm sorry, I couldn't find anything I can reuse in your patch.  It even
> DU> succeeds signature verification when GPG reports bad signatures.
> That's one of the EPG-related pieces I mentioned need fixing.  But at
> this point your v2 patch has done the work so there's no point in arguing.

Thanks for understanding.  I should have been involved in this earlier.
What I'm really surprised by is that there has been no progress on this for almost one year.

> DU> Also, why did you choose ".gpgsig" extension rather than ".sig",
> DU> which has already been used on ftp.gnu.org for a decade?
> I think the extension name is not that important, but here specifically
> I wanted to indicate it's generated by GPG.  .sig will obviously work
> exactly the same way.

It's important, if we would like to use common tools like gnupload too.
