Re: [PATCH] package.el: check tarball signature

From: Ted Zlatanov
Subject: Re: [PATCH] package.el: check tarball signature
Date: Fri, 04 Oct 2013 17:14:44 -0400
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)

On Fri, 04 Oct 2013 22:23:06 +0300 Eli Zaretskii <address@hidden> wrote: 

>> From: Stefan Monnier <address@hidden>
>> Date: Thu, 03 Oct 2013 11:01:43 -0400
>> > +(defcustom package-check-signature 'allow-unsigned
>> > +  "Whether to check package signatures when installing."
>> > +  :type '(choice (const nil :tag "Never")
>> > +                (const allow-unsigned :tag "Allow unsigned")
>> > +                (const t :tag "Check always"))
>> > +  :risky t
>> > +  :group 'package
>> > +  :version "24.1")
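
Review bot: the docstring "Whether to check package signatures when installing." does not say what the three `:type` choices mean, and the default `allow-unsigned` is the one that most needs spelling out. Suggest documenting each value (nil, allow-unsigned, t) in the docstring, including whether a package with no signature is installed under the default and what happens when a signature is present but does not verify. Separately, `:version "24.1"` is worth checking against the release this option will first ship in.
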
>> > IMHO this should be per archive, not global.  WDYT?
>> Actually, let's wait.  If all turns out well, most/all ELPA archives will
>> start providing signatures in the not too distant future and there'll be
>> no need for per-archive settings (and we can change the default to t).

EZ> Are you saying that verification will not need gpg to be installed?

If my work with libnettle progresses well, I think we'll be able to at
least verify GPG signatures without calling out to GnuPG or other tools
on all the platforms that have libnettle+libhogweed (any platforms with
GnuTLS support AFAIK).

I can put up my current patch for review but I still have HMAC, maybe
UMAC, and RSA+DSA+ECC crypto to finish.  The hashing methods and the
ciphers in ECB, CBC, and CTR modes are done with tests.  Should I make a
Bazaar branch for that work?  Is anyone interested in reviewing it?

