|
From: | Glenn Morris |
Subject: | bug#17625: 24.4.50; All installed packages marked "unsigned", no archive listed |
Date: | Sat, 31 May 2014 13:42:27 -0400 |
User-agent: | Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/) |
Thinking about it, I don't see how this is supposed to work. People don't upload tarfiles to elpa.gnu.org. They check code into Savannah, then elpa.gnu.org automatically checks it out and makes tarfiles. So any signing could only happen on elpa.gnu.org, automatically. So if someone hacks elpa.gnu.org, they can hack the signing process too. So all signing does AFAICS is protect against a man-in-the-middle attack where someone impersonates elpa.gnu.org. Which the use of ssl certs should already protect against?
[Prev in Thread] | Current Thread | [Next in Thread] |