Re: Security in the emacs package ecosystem

From: Ihor Radchenko
Subject: Re: Security in the emacs package ecosystem
Date: Sat, 18 Feb 2023 10:57:34 +0000

Stefan Kangas <stefankangas@gmail.com> writes:

>> 2. Allow users to demand package.el to verify signatures when
>>    downloading packages. Interested users can then increase their
>>    security by rejecting packages without .sig file.
> Maybe I'm missing something, but isn't that `package-check-signature'?

It is. I found it shortly after sending my message.

> Its current default is `allow-unsigned', however, which is about as
> useful for security purposes as if it was nil.  I think we should
> consider changing it to t in Emacs 30.

If the default is t, users will be forced to have OpenPGP installed.
Maybe the default should be like t, but only when OpenPGP is available.

Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
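The policy Ihor sketches above, as an added init-file example that is not part of this thread or of package.el: require signatures only when an OpenPGP backend is actually usable, and fall back to `allow-unsigned' otherwise. The `my/` helpers are assumed names; `package-check-signature', `package-unsigned-archives', `package-gnupghome-dir' and `epg-find-configuration' are existing Emacs symbols.

```emacs-lisp
;;; init.el fragment (added example, not code from the thread)
(require 'package)
(require 'epg-config)

(defun my/openpgp-available-p ()
  "Return non-nil when epg can locate a working OpenPGP (gpg) setup.
This is the same probe package.el relies on before verifying .sig files."
  (and (epg-find-configuration 'OpenPGP) t))

(defun my/package-signature-policy ()
  "Return the `package-check-signature' value to use on this host.
t      -> refuse any package that has no valid signature
allow-unsigned -> verify signatures that exist, accept missing ones
Choosing t on a host without gpg would make every install fail, which is
the objection raised in the thread, so only require signatures when gpg
is present."
  (if (my/openpgp-available-p) t 'allow-unsigned))

(setq package-check-signature (my/package-signature-policy))

;; With t, every configured archive must be signed with a key present in
;; `package-gnupghome-dir'.  Archives that are known to be unsigned have to
;; be listed explicitly, otherwise installs from them are rejected.
;; (Placeholder name; replace with a real archive name from your
;; `package-archives', or leave the list empty.)
(setq package-unsigned-archives '("example-unsigned-archive"))

(defun my/report-signature-policy ()
  "Show the effective signature policy, e.g. to confirm the probe result."
  (interactive)
  (message "package-check-signature = %S (gpg available: %s)"
           package-check-signature
           (if (my/openpgp-available-p) "yes" "no")))
```

Evaluate `M-x my/report-signature-policy` after startup to confirm which branch was taken; the GNU ELPA key shipped with Emacs is imported automatically, keys for other archives must be added to `package-gnupghome-dir' before switching to t.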
