Re: Security in the emacs package ecosystem
From: Ihor Radchenko
Subject: Re: Security in the emacs package ecosystem
Date: Sat, 18 Feb 2023 10:57:34 +0000

Stefan Kangas <stefankangas@gmail.com> writes:

>> 2. Allow users to demand package.el to verify signatures when
>> downloading packages. Interested users can then increase their
>> security by rejecting packages without .sig file.
>
> Maybe I'm missing something, but isn't that `package-check-signature'?

It is. I found it shortly after sending my message.

> Its current default is `allow-unsigned', however, which is about as
> useful for security purposes as if it was nil. I think we should
> consider changing it to t in Emacs 30.

If the default is t, users will be forced to have OpenPGP installed.
Maybe the default should be like t, but only when OpenPGP is available.

--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
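
Added example, not part of the original message and not code from package.el: a user init-file sketch of the policy discussed above, which enforces signatures (t) only when a usable OpenPGP program is found and otherwise keeps `allow-unsigned'. The `my/' function name is hypothetical.

```elisp
;; Added example for a user init file; not code from package.el.
(require 'package)
(require 'epg-config)

(defun my/package-signature-policy ()
  "Return the `package-check-signature' value to use on this machine.
The `my/' name is hypothetical; it is not part of Emacs."
  (if (epg-find-configuration 'OpenPGP)
      ;; A usable GnuPG was found: refuse any package that does not
      ;; come with a valid signature.
      t
    ;; No OpenPGP program: signatures cannot be checked at all, so
    ;; keep the current default instead of blocking every install.
    'allow-unsigned))

(setq package-check-signature (my/package-signature-policy))

;; Make the fallback visible so the weaker setting is not silent.
(unless (eq package-check-signature t)
  (display-warning
   'package
   "No usable OpenPGP program found; package signatures are not enforced"
   :warning))
```

With the value t, installing from an archive that publishes no .sig files fails, which is the rejection behaviour asked for in the quoted point 2.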