Re: Proposal to include obligatory PGP verification of packages from any


From: Jean Louis
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Fri, 23 Oct 2020 12:17:36 +0300
User-agent: Mutt/+ (1036f0e) (2020-10-18)

* Stefan Monnier <monnier@iro.umontreal.ca> [2020-10-23 00:25]:
> >> >> > Is there a policy that GNU ELPA packages should be signed?
> >> >> Not sure what that would mean: *we* sign it, so there's no policy to
> >> >> enforce.  At most there are bugs to fix if the sigs are missing
> >> >> or incorrect.
> >> > It would be good to implement the policy.
> >> I don't know what that means (neither "the policy" nor "implement").
> > Rules of maintenance simply said:
> 
> So by "implement" you mean: write it in the doc that describes the
> ELPA protocol?

Thank you.

I meant to make it a rule to sign packages, and that it should be the
default in Emacs to accept only signed packages; that increases the level
of security rather than leaving it acceptable for users to get unsigned
packages. It is definitely not everything about security, yet it is
one level.

Conditionally, if such a feature is accepted in Emacs, then the Packaging
section would describe that packages have to be signed, and not
only that it is one way to increase security.

> > - that every request to any ELPA goes over SSL connection, to totally
> >   disable non-SSL connections to archives.  Many countries spy on their
> >   citizens, and in many of those countries citizens are using
> >   encryption features, even it could be illegal to use encryption.  By
> >   using non-SSL connection or allowing such, possibility is there that
> >   user get in danger of life.
> 
> The part I don't understand here is "or allowing such".  I see the
> danger of using a non-encrypted connection but not the danger of
> allowing such.

My purpose was to tell you that if Emacs developers allow non-SSL by
default, users are automatically put at certain risks, and that it is
better to ask for SSL by default.

Users who maybe do not have SSL can turn it off for themselves.

> >> >> > What I expect is a method for user to easily verify and know by which
> >> >> > key was which package signed, such function should exist.
> >> >> What does Debian do in this respect?
> >> > There are ways to verify package authenticity,
> >> How?  What does "package authenticity" mean?
> >> Do you get to see which key signed which package?
> > I skip this, I am sure you know it.
> 
> No, I don't, that's why I asked.  More specifically, from where I sit,
> I don't see much difference between the way Debian does it and the way
> GNU ELPA does it.  And as a Debian user I don't know how to "easily
> verify" nor "know by which key".

You are right, it is vague to say easy. By easily I meant that there is
an option to verify the package.

Let us see this as reference to some model design:
https://debian-handbook.info/browse/stable/sect.package-authentication.html

> When a third-party package source is added to the sources.list file,
> APT needs to be told to trust the corresponding GPG authentication key

So GNU Emacs users should maybe trust blindly packages from ELPA, but
not all packages by default. To trust other packages they should be
able to transparently import PGP keys and be able to see the
fingerprints.

By seeing fingerprints, users can at least see the same fingerprint on
the website. For better verification it should be necessary to contact
the developers and make sure that the fingerprints are the same and valid.

Packages are meant to be distributable as well; if they are signed, the
signature should also be fetched, but that is probably not the original
design of Emacs. In my opinion, it should be. Signatures should be
inside the package directory,
~/emacs.d/elpa/package-0.0/file.el.gpg

As packages are distributable, one user from club A could simply
distribute packages on CD/USB/SD-card to another, or could transfer them
over the network. The user receiving packages beyond the GNU ELPA archive,
even one without Internet, but having the trusted keys, should be able to
verify that packages have been signed by trusted keys, by a central
authority, in this case Emacs ELPA and the trusted people maintaining
it.

-- 
Jean Louis
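The two settings the thread argues about (require signatures by default, require TLS by default) and the "which key signed this package?" check are all reachable through Emacs's built-in `package.el` and `epg` libraries. The following is an added example written for this page, not code from the thread or from Emacs itself. It shows the permissive `package-check-signature` value beside the strict one, https-only archives with fatal certificate errors, and a helper that verifies a detached `.sig` file against the keyring `package.el` trusts and reports the signing key's fingerprint so it can be compared with one obtained out of band. The function names prefixed `my/`, the keyring location, and the fingerprint placeholder are assumptions; the `epg-*` and `package-*` identifiers are Emacs's own.

```emacs-lisp
;; Added example (not from the thread or from Emacs): strict defaults for
;; package signature checking and TLS, plus a helper that reports which
;; key signed a file.  Assumes a detached signature FILE.sig next to FILE,
;; which is the layout package.el uses for archive files.
(require 'package)
(require 'epg)
(require 'seq)

;; Weak setting: `allow-unsigned' silently accepts packages that carry
;; no signature at all.  The strict setting refuses them unless the
;; archive is explicitly listed in `package-unsigned-archives'.
(setq package-check-signature 'allow-unsigned)   ; permissive
(setq package-check-signature t)                 ; strict: a good signature is required

;; Use only https:// archive URLs and make TLS certificate errors fatal
;; instead of warnings.
(setq package-archives
      '(("gnu" . "https://elpa.gnu.org/packages/")))
(setq gnutls-verify-error t)

;; Keyring that package.el consults; `package-import-keyring' adds keys
;; to it.  (Assumed location; Emacs's default is elpa/gnupg under
;; `package-user-dir'.)
(setq package-gnupghome-dir
      (expand-file-name "gnupg" package-user-dir))

(defun my/package-signature-report (file &optional sig-file)
  "Verify the detached signature of FILE and describe the signing key(s).
SIG-FILE defaults to FILE with a \".sig\" suffix.  Return a list of
plists (:status STATUS :key-id ID :fingerprint FPR :summary TEXT), one
per signature found.  STATUS is a symbol from `epg-signature-status':
`good', `bad', `expired', `no-pubkey' (key not in the keyring), etc.
FPR is nil when the key is unknown, since gpg cannot report a
fingerprint for a key it does not have."
  (let ((sig-file (or sig-file (concat file ".sig")))
        (context (epg-make-context 'OpenPGP)))
    (setf (epg-context-home-directory context) package-gnupghome-dir)
    ;; Detached signature: pass the signature file first, the signed data second.
    (epg-verify-file context sig-file file)
    (mapcar (lambda (sig)
              (list :status (epg-signature-status sig)
                    :key-id (epg-signature-key-id sig)
                    :fingerprint (epg-signature-fingerprint sig)
                    :summary (epg-signature-to-string sig)))
            (epg-context-result-for context 'verify))))

(defun my/package-signed-by-p (file expected-fingerprint)
  "Non-nil if FILE carries a good signature from EXPECTED-FINGERPRINT.
EXPECTED-FINGERPRINT is the full fingerprint the user obtained out of
band (website, developer contact); spaces and case are ignored."
  (let ((want (upcase (replace-regexp-in-string " " "" expected-fingerprint))))
    (seq-some (lambda (r)
                (and (eq (plist-get r :status) 'good)
                     (stringp (plist-get r :fingerprint))
                     (string= (upcase (plist-get r :fingerprint)) want)))
              (my/package-signature-report file))))

;; Usage (paths are illustrative):
;; (my/package-signature-report
;;  (expand-file-name "archives/gnu/archive-contents" package-user-dir))
;; (my/package-signed-by-p "~/emacs.d/elpa/package-0.0/file.el"
;;                         "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000") ; placeholder fingerprint
```

A `no-pubkey` status is the case the thread's offline-distribution scenario turns on: the signature is present but the receiving machine has not imported the signer's key, so nothing can be said about authenticity until the key is added with `package-import-keyring` and its fingerprint checked against a trusted source. A `good` status only means the signature matches a key in the keyring; `my/package-signed-by-p` adds the step of pinning that key to an expected fingerprint rather than trusting whatever happens to be imported.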
