Re: Whose keys go on elpa/gnupg/pubring.gpg?

From: Kelly Dean
Subject: Re: Whose keys go on elpa/gnupg/pubring.gpg?
Date: Thu, 08 Jan 2015 06:40:28 +0000

Stefan Monnier wrote:
>> In that case, where do individual package maintainers' keys go?
> Nowhere: the signatures only certify that this is the file that was
> created on elpa.gnu.org.

That's only the case if elpa.gnu.org is the only repository whose key is on the 
keyring, since package-refresh-contents trusts any repository's key on the 
keyring to sign any other repository's archive-contents file. Again, 
technically not a vulnerability, but still not good.
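The trust-scope point made above, as an added illustration that is not part of this thread or of package.el's own code: a verifier that accepts any key on a shared keyring is compared with one that additionally binds each archive to the key(s) authorized to sign its archive-contents. A keyed HMAC stands in for an OpenPGP signature so the example runs offline; the fingerprints, secrets, archive names and the ARCHIVE_KEYS mapping are constructed assumptions, and the sample archive-contents line is made up.

```python
import hmac
import hashlib

# Constructed toy "keyring": fingerprint -> secret used by a symmetric stand-in
# for an OpenPGP signing key. Real package.el verifies gpg public keys; the
# fingerprints and secrets here are assumptions for illustration only.
KEYRING = {
    "FPR-ELPA": b"elpa-signing-secret",
    "FPR-OTHER": b"other-repo-signing-secret",
}

# Which key(s) are authorized to sign each archive's archive-contents.
# This mapping is an assumption: the thread describes package.el as keeping one
# keyring with no per-archive binding, which is exactly the weakness discussed.
ARCHIVE_KEYS = {
    "gnu": {"FPR-ELPA"},
    "other": {"FPR-OTHER"},
}


def sign(fingerprint, data):
    """Toy signature: (fingerprint, HMAC over data) under that key's secret."""
    mac = hmac.new(KEYRING[fingerprint], data, hashlib.sha256).hexdigest()
    return fingerprint, mac


def verify_shared_keyring(data, signature):
    """Mirrors the behaviour described in the thread: any key on the keyring
    yields a good signature, regardless of which archive the data belongs to."""
    fingerprint, mac = signature
    secret = KEYRING.get(fingerprint)
    if secret is None:
        return False
    expected = hmac.new(secret, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def verify_bound_to_archive(archive, data, signature):
    """Hardened check: the signature must be valid AND made by a key that is
    authorized for this particular archive."""
    fingerprint, _ = signature
    if fingerprint not in ARCHIVE_KEYS.get(archive, set()):
        return False
    return verify_shared_keyring(data, signature)


# Constructed sample: an archive-contents for the "gnu" archive, once signed by
# the other repository's key (on the keyring, but not gnu's) and once by ELPA's.
GNU_CONTENTS = b'(1 (foo . [(1 0) nil "Foo" single]))'
CROSS_ARCHIVE_SIG = sign("FPR-OTHER", GNU_CONTENTS)
GENUINE_SIG = sign("FPR-ELPA", GNU_CONTENTS)

if __name__ == "__main__":
    print("shared keyring accepts other repo's key:",
          verify_shared_keyring(GNU_CONTENTS, CROSS_ARCHIVE_SIG))
    print("bound check accepts other repo's key:",
          verify_bound_to_archive("gnu", GNU_CONTENTS, CROSS_ARCHIVE_SIG))
    print("bound check accepts ELPA's key:",
          verify_bound_to_archive("gnu", GNU_CONTENTS, GENUINE_SIG))
```

The first check is what the shared keyring gives you: a key trusted for one repository is accepted for every repository's archive-contents. The second check rejects that signature because the mapping from archive to authorized key is consulted before the cryptographic check, which is the property the thread says is missing when more than one repository's key sits on the keyring.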