Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
From: Daniel Mendler <mail@HIDDEN>
Date: Sat, 04 Feb 2023 19:19:06 +0100
To: bug-gnu-emacs@HIDDEN
Cc: yantar92@HIDDEN, stefan@HIDDEN, monnier@HIDDEN

As discussed on emacs-devel it would be good if ELPA security could be
improved, preventing potential breaches on the side of the source
repository. This feature becomes more relevant the more packages are
:auto-sync'ed from their source repository.

My git commits are usually signed, so one could check the signature of
each commit which leads to a package build. This feature could be opt-in
for now, enabled via an attribute :signature in the elpa-packages
configuration. Maybe elpa-packages could store the fingerprint(s) of the
expected GPG key(s)?

In the case of a breach, both the SSH and GPG keys may be stolen, which
would allow an attacker to create commits on hosted repositories, such
that the mechanism would not help. However the source repository may
also get compromised via other vectors.

https://lists.gnu.org/archive/html/emacs-devel/2023-02/msg00120.html
From: Ihor Radchenko <yantar92@HIDDEN>
Date: Sun, 05 Feb 2023 11:19:59 +0000

Daniel Mendler <mail@HIDDEN> writes:

> My git commits are usually signed, so one could check the signature of
> each commit which leads to a package build. This feature could be opt-in
> for now, enabled via an attribute :signature in the elpa-packages
> configuration. Maybe elpa-packages could store the fingerprint(s) of the
> expected GPG key(s)?

I think that requiring every single commit to be signed is overkill.
Maybe just the release tags?

I guess, :signature, if optional, may allow multiple levels of
verification:

1. nil :: no verification
2. (tags key1 key2 ...) :: verify release tags to match any of the
   listed GPG keys
3. (commits key1 key2 ...) :: verify every commit

I am not sure what would be the most reliable way to specify the keys.

Also, people with write access to the ELPA repo may be required to sign
their commits -- in the case of a security breach where the SSH key gets
stolen, signing may be a barrier that protects the elpa-packages
configuration from having malicious GPG keys injected into it.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
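As an added illustration (not code from this thread, nor from the ELPA build scripts), here is how the three :signature levels sketched above could be evaluated on the build host using git's own signature reports (`git log --format=%G?` / `%GF` for commits, `git verify-tag --raw` for tags). The policy tuple shape, the function names, and the key fingerprints and sample reports are assumptions constructed for this example.

```python
import re
import subprocess

# Fingerprint(s) pinned for the package, as the thread imagines elpa-packages
# storing them. Constructed for this example, not a real key.
ALLOWED_KEYS = ["1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678"]

# Constructed sample of `git log --format=%H%x09%G?%x09%GF <range>`: one commit
# per line as hash, signature status, signing-key fingerprint. %G? codes:
# G good, U good but key validity unknown, B bad, X expired signature,
# Y expired key, R revoked key, E cannot check, N not signed.
SAMPLE_COMMIT_LOG = "\n".join([
    "aaaa1111\tG\t123456789ABCDEF0123456789ABCDEF012345678",
    "bbbb2222\tN\t",
    "cccc3333\tU\t" + "F" * 40,
]) + "\n"

# Constructed sample of the gpg status lines `git verify-tag --raw <tag>`
# writes to stderr. VALIDSIG carries the signing (sub)key fingerprint first
# and the primary-key fingerprint last.
SAMPLE_TAG_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 9ABCDEF012345678 Maintainer <maintainer@example.org>",
    "[GNUPG:] VALIDSIG 123456789ABCDEF0123456789ABCDEF012345678 2023-02-04"
    " 1675534746 0 4 0 1 10 00 123456789ABCDEF0123456789ABCDEF012345678",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]) + "\n"


def normalize_fpr(fpr):
    """Strip spacing and case so a pinned key compares byte-for-byte."""
    return re.sub(r"\s+", "", fpr).upper()


def check_commits(log_text, keys):
    """Policy (commits key1 key2 ...): every commit must carry a valid
    signature by a pinned key. Returns [(hash, reason)] for violations."""
    allowed = {normalize_fpr(k) for k in keys}
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = (line.split("\t") + ["", ""])[:3]
        commit, status, fpr = fields[0], fields[1], normalize_fpr(fields[2])
        # Trust comes from the pinned fingerprint, not from the build host's
        # gpg trust database, so U (good signature, key not marked trusted)
        # is as acceptable as G. Every other code is a rejection.
        if status not in ("G", "U"):
            violations.append((commit, f"signature status {status or 'N'}"))
        elif fpr not in allowed:
            violations.append((commit, f"signed by unexpected key {fpr}"))
    return violations


def check_tag(status_text, keys):
    """Policy (tags key1 key2 ...): the release tag must carry a GOODSIG whose
    VALIDSIG subkey or primary fingerprint is pinned. Returns None when the
    tag passes, otherwise a reason string."""
    allowed = {normalize_fpr(k) for k in keys}
    good_sig = False
    seen_fprs = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":
            good_sig = True
        elif fields[1] == "VALIDSIG" and len(fields) >= 3:
            seen_fprs.add(fields[2].upper())   # signing (sub)key
            seen_fprs.add(fields[-1].upper())  # primary key, when present
    if not good_sig:
        return "no good signature on tag"  # BADSIG, EXPKEYSIG, unsigned, ...
    if not seen_fprs & allowed:
        return "tag signed by unexpected key"
    return None


def evaluate_policy(policy, commit_log="", tag_status=""):
    """policy mirrors the proposed :signature values: None, ("tags", key...),
    ("commits", key...). Returns the list of violations; empty means build."""
    if policy is None:
        return []
    level, *keys = policy
    if level == "commits":
        return check_commits(commit_log, keys)
    if level == "tags":
        reason = check_tag(tag_status, keys)
        return [("tag", reason)] if reason else []
    raise ValueError(f"unknown :signature level {level!r}")


def git_inputs(repo, rev_range, tag):
    """Collect the two git reports from a real checkout (needs git on PATH)."""
    log = subprocess.run(["git", "-C", repo, "log", "--format=%H%x09%G?%x09%GF",
                          rev_range], check=True, capture_output=True, text=True)
    tag_run = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                             capture_output=True, text=True)
    return log.stdout, tag_run.stderr


if __name__ == "__main__":
    for policy in (None, ("tags", *ALLOWED_KEYS), ("commits", *ALLOWED_KEYS)):
        print(policy, "->", evaluate_policy(policy, SAMPLE_COMMIT_LOG, SAMPLE_TAG_STATUS))
```

On the constructed samples the tags policy passes, while the commits policy rejects the unsigned commit and the one signed by a key that is not pinned.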
From: Richard Stallman <rms@HIDDEN>
Date: Mon, 06 Feb 2023 22:56:35 -0500

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> As discussed on emacs-devel it would be good if ELPA security could be
> improved, preventing potential breaches on the side of the source
> repository. This feature becomes more relevant the more packages are
> :auto-sync'ed from their source repository.

I agree that we need to clean up the social system for maintaining GNU
ELPA packages. It should be as clear and documented as that for Emacs
core.

> My git commits are usually signed, so one could check the signature of
> each commit which leads to a package build. This feature could be opt-in
> for now, enabled via an attribute :signature in the elpa-packages
> configuration. Maybe elpa-packages could store the fingerprint(s) of the
> expected GPG key(s)?

What do other maintainers think of this? It addresses one way of
handling GNU ELPA packages, but not all GNU ELPA packages are handled
in this way. What other categories of packages do we need to consider?

> In the case of a breach,

Breach of precisely what? To think about this issue requires an answer
to that question.

> both the SSH and GPG keys may be stolen, which
> would allow an attacker to create commits on hosted repositories, such
> that the mechanism would not help. However the source repository may
> also get compromised via other vectors.

Is this a problem that has a solution?

Should we move this to emacs-devel? A specific bug ticket
is not the right place for such an important topic.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
From: Ihor Radchenko <yantar92@HIDDEN>
Date: Tue, 07 Feb 2023 11:44:31 +0000

Richard Stallman <rms@HIDDEN> writes:

> Should we move this to emacs-devel? A specific bug ticket
> is not the right place for such an important topic.

This was explicitly requested to be made into a bug ticket on
emacs-devel. See
https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@HIDDEN
From: Eli Zaretskii <eliz@HIDDEN>
Date: Tue, 07 Feb 2023 14:10:42 +0200

> From: Richard Stallman <rms@HIDDEN>
> Date: Mon, 06 Feb 2023 22:56:35 -0500
>
> > My git commits are usually signed, so one could check the signature of
> > each commit which leads to a package build. This feature could be opt-in
> > for now, enabled via an attribute :signature in the elpa-packages
> > configuration. Maybe elpa-packages could store the fingerprint(s) of the
> > expected GPG key(s)?
>
> What do other maintainers think of this?

I don't have an opinion.

Frankly, I don't really understand what signing commits would give in
this regard, given that people who install a package normally install
a tarball, they don't clone the Git repository. I also don't think the
goals were stated clearly, so it's hard to reason about this. But then
I'm nowhere near being an expert on this stuff, so I could easily miss
something important.

> Should we move this to emacs-devel? A specific bug ticket
> is not the right place for such an important topic.

Agreed.
From: Eli Zaretskii <eliz@HIDDEN>
Date: Tue, 07 Feb 2023 14:40:19 +0200

> From: Ihor Radchenko <yantar92@HIDDEN>
> Date: Tue, 07 Feb 2023 11:44:31 +0000
>
> Richard Stallman <rms@HIDDEN> writes:
>
> > Should we move this to emacs-devel? A specific bug ticket
> > is not the right place for such an important topic.
>
> This was explicitly requested to be made into a bug ticket on
> emacs-devel. See
> https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@HIDDEN

The bug report is OK, but we want to discuss more general issues, I
think.
From: Richard Stallman <rms@HIDDEN>
Date: Wed, 08 Feb 2023 23:28:13 -0500

I wrote:

> > Should we move this to emacs-devel? A specific bug ticket
> > is not the right place for such an important topic.

You replied:

> This was explicitly requested to be made into a bug ticket on
> emacs-devel. See
> https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@HIDDEN

I looked at that URL but I can't understand what it says.

I see several ways to parse "This was explicitly requested to be made
into a bug ticket on emacs-devel" so I don't know what it means.

Can you state your point more explicitly and not tersely?
From: Ihor Radchenko <yantar92@HIDDEN>
To: rms@HIDDEN
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, stefan@HIDDEN, monnier@HIDDEN
Date: Thu, 09 Feb 2023 12:07:32 +0000
Message-ID: <87pmajavp7.fsf@localhost>
In-Reply-To: <E1pPyXd-0004dk-EX@HIDDEN>

Richard Stallman <rms@HIDDEN> writes:

> > This was explicitly requested to be made into a bug ticket on
> > emacs-devel. See
> > https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@HIDDEN
>
> I looked at that URL but I can't understand what it says. I see
> several ways to parse "This was explicitly requested to be made into a
> bug ticket on emacs-devel" so I don't know what it means. Can you
> state your point more explicitly and not tersely?

I meant that Daniel submitted this bug ticket after Stefan's message
stating that

>>> I think we should add some flag to the build system saying that a
>>> package should only be released if the new tag has a valid signature...
>>>
>>> IMO, opening a feature request for this in the bug tracker would be
>>> useful. A patch would be even better.

The emacs-devel discussion that includes the topic of this FR has been
started earlier in the thread I linked to. So, there is no need to move
this FR to emacs-devel - it is already being discussed there.

--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
From: Richard Stallman <rms@HIDDEN>
To: Ihor Radchenko <yantar92@HIDDEN>
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, stefan@HIDDEN, monnier@HIDDEN
Date: Sat, 11 Feb 2023 23:04:30 -0500
Message-Id: <E1pR3bK-0006gy-LL@HIDDEN>
In-Reply-To: <87pmajavp7.fsf@localhost> (message from Ihor Radchenko on Thu, 09 Feb 2023 12:07:32 +0000)

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> > I looked at that URL but I can't understand what it says. I see
> > several ways to parse "This was explicitly requested to be made into a
> > bug ticket on emacs-devel" so I don't know what it means. Can you
> > state your point more explicitly and not tersely?

> I meant that Daniel submitted this bug ticket after Stefan's message
> stating that
> >>> I think we should add some flag to the build system saying that a
> >>> package should only be released if the new tag has a valid signature...
> >>>
> >>> IMO, opening a feature request for this in the bug tracker would be
> >>> useful. A patch would be even better.

Now I think I understand.

Thanks, Daniel. That was a useful thing to do.

--
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
From: Stefan Kangas <stefankangas@HIDDEN>
To: rms@HIDDEN, Daniel Mendler <mail@HIDDEN>
Cc: 61277 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Date: Sun, 12 Feb 2023 06:37:01 +0000
Message-ID: <CADwFkmkZNDSjmGJDHB4Xp78s8=mM32+uF0nF=gjrTEf6RRa_6A@HIDDEN>
In-Reply-To: <E1pPF5v-0007YZ-6K@HIDDEN>

Richard Stallman <rms@HIDDEN> writes:

> > In the case of a breach,
>
> Breach of precisely what? To think about this issue
> requires an answer to that question.

The idea is that the likelihood of both an SSH and a PGP key getting
stolen at the same time is lower than either one of them getting stolen
separately.

> > both the SSH and GPG keys may be stolen, which
> > would allow an attacker to create commits on hosted repositories, such
> > that the mechanism would not help.
>
> Is this a problem that has a solution?

Yes, for example you could put your PGP key (usually a subkey) on a
smartcard, and have no copy on the local filesystem. PGP keys usually
also have an additional password, in addition to the one that developers
normally (we hope) use for their SSH key.
From: Daniel Mendler <mail@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>, rms@HIDDEN
Cc: 61277 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Date: Sun, 12 Feb 2023 11:32:36 +0100
Message-ID: <23c855a2-4330-6da8-6a05-72f26e4ebc5b@HIDDEN>
In-Reply-To: <CADwFkmkZNDSjmGJDHB4Xp78s8=mM32+uF0nF=gjrTEf6RRa_6A@HIDDEN>

On 2/12/23 07:37, Stefan Kangas wrote:
>> Breach of precisely what? To think about this issue
>> requires an answer to that question.
>
> The idea is that the likelihood of both an SSH and a PGP key getting
> stolen at the same time is lower than either one of them getting stolen
> separately.

There could also be a breach on the server where the git repository is
hosted. The repository could be manipulated directly on the server. It
is not that likely but if such incidents happen they have a huge
fallout. I also expect that more and more people move their
:auto-sync'ed git repositories to private servers or smaller forges,
which may not be as protected as the most popular ones.

Daniel
From: Richard Stallman <rms@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Date: Wed, 15 Feb 2023 00:17:14 -0500
Message-Id: <E1pSAAM-0002rh-D8@HIDDEN>
In-Reply-To: <CADwFkmkZNDSjmGJDHB4Xp78s8=mM32+uF0nF=gjrTEf6RRa_6A@HIDDEN> (message from Stefan Kangas on Sun, 12 Feb 2023 06:37:01 +0000)

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> > > In the case of a breach,
> >
> > Breach of precisely what? To think about this issue
> > requires an answer to that question.

> The idea is that the likelihood of both an SSH and a PGP key getting
> stolen at the same time is lower than either one of them getting stolen
> separately.

That seems plausible to me, but we are miscommunicating.

You're discussing the "how" of a possible breach,
but what I really need to know is the "what".
What is being breached? What is the context here?

--
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
From: Richard Stallman <rms@HIDDEN>
To: Daniel Mendler <mail@HIDDEN>
Cc: 61277 <at> debbugs.gnu.org, yantar92@HIDDEN, stefankangas@HIDDEN, monnier@HIDDEN
Date: Wed, 15 Feb 2023 00:17:21 -0500
Message-Id: <E1pSAAT-0002sj-AC@HIDDEN>
In-Reply-To: <23c855a2-4330-6da8-6a05-72f26e4ebc5b@HIDDEN> (message from Daniel Mendler on Sun, 12 Feb 2023 11:32:36 +0100)

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> There could also be a breach on the server where the git repository is
> hosted. The repository could be manipulated directly on the server. It
> is not that likely but if such incidents happen they have a huge
> fallout. I also expect that more and more people move their
> :auto-sync'ed git repositories to private servers or smaller forges,
> which may not be as protected as the most popular ones.

Do we know of any security experts who appreciate the moral principles
of free software, who could help us come up with methods that properly
handle both?

--
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
From: Stefan Kangas <stefankangas@HIDDEN>
To: rms@HIDDEN
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Date: Wed, 15 Feb 2023 05:37:36 -0800
Message-ID: <CADwFkmn1q23w1XT94vHXU5jsrnZeiHs0RV+O1b4GYySiDKNQwg@HIDDEN>
In-Reply-To: <E1pSAAM-0002rh-D8@HIDDEN>

Richard Stallman <rms@HIDDEN> writes:

> You're discussing the "how" of a possible breach,
> but what I really need to know is the "what".
> What is being breached? What is the context here?

The "what" is the git repository of a GNU ELPA or NonGNU ELPA package.

If an attacker can introduce a commit containing malicious code, and
create a new git tag pointing to that commit, the GNU ELPA scripts will
fetch it, and release a new version of the package (now including the
malicious code).

By requiring tags to be cryptographically signed, we can have a greater
confidence that any new tag has at the very least been signed off by the
developer him/herself.
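A build gate of the kind Stefan Kangas describes, as an added example that is not part of this thread or of the GNU ELPA build scripts: it parses the GnuPG status lines that `git verify-tag --raw` writes to stderr and releases only for a good, valid signature from a key fingerprint listed for that package, so a valid signature from some other key (stolen, unknown, revoked) still blocks the build. The fingerprints, user id and sample status lines are constructed placeholders; the `git` invocation is real but is not exercised by the samples.

```python
"""Release gate: build a tag only if it carries a good signature from a
key listed for the package.

Added example, not code from the bug thread nor from the GNU ELPA build
scripts.  Status-line layout follows GnuPG's doc/DETAILS.  All key
fingerprints and sample output below are constructed placeholders.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field

# Keywords after which the signature must not be trusted, even when the
# cryptography itself checked out (expired or revoked signing key etc.).
FATAL_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    release: bool
    reason: str
    signer_fprs: list[str] = field(default_factory=list)


def _norm(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def parse_gpg_status(raw: str) -> list[dict]:
    """Group `[GNUPG:]` status lines into one record per signature."""
    sigs: list[dict] = []
    cur: dict | None = None
    for line in raw.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable gpg/git chatter, not status
        parts = line.split()
        kw = parts[1]
        if kw == "NEWSIG" or cur is None:
            cur = {"good": False, "fatal": None, "fpr": None, "primary": None}
            sigs.append(cur)
            if kw == "NEWSIG":
                continue
        if kw == "GOODSIG":
            cur["good"] = True
        elif kw in FATAL_STATUS:
            cur["fatal"] = kw
        elif kw == "VALIDSIG":
            cur["fpr"] = _norm(parts[2])
            # 11th field: fingerprint of the primary key when a subkey signed
            cur["primary"] = _norm(parts[11]) if len(parts) > 11 else cur["fpr"]
    return sigs


def decide(raw: str, allowed_fprs: set[str]) -> Verdict:
    """Decide from raw gpg status whether the tag may be built, and why."""
    allowed = {_norm(f) for f in allowed_fprs}
    sigs = parse_gpg_status(raw)
    if not sigs:
        # An unsigned tag yields "error: no signature found" and no status.
        return Verdict(False, "tag is unsigned or gpg produced no status")
    seen = [s["fpr"] for s in sigs if s["fpr"]]
    for s in sigs:
        if s["fatal"]:
            return Verdict(False, f"gpg rejected the signature: {s['fatal']}", seen)
        if not (s["good"] and s["fpr"]):
            return Verdict(False, "signature lacks GOODSIG/VALIDSIG", seen)
    for s in sigs:
        if s["fpr"] in allowed or s["primary"] in allowed:
            return Verdict(True, f"good signature from allowed key {s['fpr']}", seen)
    return Verdict(False, "good signature, but not from a key listed for this package", seen)


def verify_tag_raw(repo: str, tag: str) -> str:
    """Run `git verify-tag --raw TAG` in REPO; the gpg status is on stderr."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return proc.stderr


# --- constructed samples (placeholder fingerprints, not real keys) -------
MAINTAINER = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
INTRUDER = "1111111111111111111111111111111111111111"
ALLOWED = {MAINTAINER}


def _status(fpr: str, primary: str, sigline: str = "GOODSIG") -> str:
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] {sigline} {fpr[-16:]} Package Maintainer <maint@example.invalid>\n"
        f"[GNUPG:] VALIDSIG {fpr} 2023-02-04 1675534775 0 4 0 22 10 01 {primary}\n"
    )


SAMPLE_GOOD = _status(MAINTAINER, MAINTAINER)
SAMPLE_SUBKEY = _status(SUBKEY, MAINTAINER)        # signing subkey of an allowed primary
SAMPLE_INTRUDER = _status(INTRUDER, INTRUDER)      # valid signature, key not allowed
SAMPLE_REVOKED = _status(MAINTAINER, MAINTAINER, "REVKEYSIG")
SAMPLE_UNSIGNED = "error: no signature found\n"

if __name__ == "__main__":
    for name, raw in [("good", SAMPLE_GOOD), ("subkey", SAMPLE_SUBKEY),
                      ("intruder", SAMPLE_INTRUDER), ("revoked", SAMPLE_REVOKED),
                      ("unsigned", SAMPLE_UNSIGNED)]:
        v = decide(raw, ALLOWED)
        print(f"{name:9s} release={v.release!s:5s} {v.reason}")
```

In a real build the allowlist would be per package, so a good signature from a different maintainer's key is still rejected.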
From: Stefan Monnier <monnier@HIDDEN>
Date: Wed, 15 Feb 2023 11:40:20 -0500

> If an attacker can introduce a commit containing malicious code, and
> create a new git tag pointing to that commit, the GNU ELPA scripts will
> fetch it, and release a new version of the package (now including the
> malicious code).  By requiring tags to be cryptographically signed, we
> can have a greater confidence that any new tag has at the very least
> been signed off by the developer him/herself.

Technical nitpick: currently, the elpa.gnu.org scripts do not pay
attention to any Git tags (signed or not) to do their work.  We only use
the commits and their contents/history.


        Stefan
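The two messages above describe the same control from two angles: Stefan Kangas's proposal gates releases on signed tags, and Stefan Monnier's correction notes that the elpa.gnu.org scripts work from commits, not tags. The Python below is an added example, not code from the thread or from the ELPA build scripts. It parses raw commit and tag objects in the text format `git cat-file -p` prints, refuses a build when any object lacks a signature block, and hands the actual cryptographic check to `git verify-commit` / `git verify-tag`. The object contents, SHAs and signature bodies are constructed placeholders, and the names `parse_git_object`, `build_decision` and `verify_with_git` are this example's own.

```python
# Added example, not from the bug thread nor from the elpa.gnu.org scripts: gate
# a build on git objects that carry a signature; real verification is git's job.
from dataclasses import dataclass
import subprocess

SIG_MARKERS = ("-----BEGIN PGP SIGNATURE-----", "-----BEGIN SSH SIGNATURE-----")


@dataclass
class GitObjectInfo:
    kind: str               # "commit" or "tag"
    headers: dict           # header name -> value, continuation lines joined
    message: str            # text after the first blank line
    claims_signature: bool  # a signature block is present (not yet verified)


def parse_git_object(raw: str) -> GitObjectInfo:
    """Parse the text `git cat-file -p <rev>` prints for a commit or tag."""
    lines = raw.splitlines()
    headers, last_key, i = {}, None, 0
    while i < len(lines) and lines[i] != "":
        line = lines[i]
        # A leading space marks a continuation line (how git stores gpgsig).
        if line.startswith(" ") and last_key is not None:
            headers[last_key] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers[key] = value
            last_key = key
        i += 1
    message = "\n".join(lines[i + 1:])
    if "tree" in headers:  # commit: the signature lives in a gpgsig header
        signed = "gpgsig" in headers or "gpgsig-sha256" in headers
        return GitObjectInfo("commit", headers, message, signed)
    if "object" in headers:  # tag: the signature is appended to the message
        signed = any(m in message for m in SIG_MARKERS)
        return GitObjectInfo("tag", headers, message, signed)
    raise ValueError("not a commit or tag object")


def build_decision(raw_objects, require_signed=True):
    """Return (allowed, reasons); each unsigned object is named in reasons."""
    reasons = []
    for raw in raw_objects:
        info = parse_git_object(raw)
        ident = info.headers.get("tag") or info.headers["tree"][:12]
        if require_signed and not info.claims_signature:
            reasons.append(f"unsigned {info.kind} {ident}")
    return (not reasons, reasons)


def verify_with_git(repo_dir, rev, kind="commit"):
    """Run git's real check on a checkout; set gpg.minTrustLevel (or
    gpg.ssh.allowedSignersFile) so an unknown key's good signature fails too."""
    sub = "verify-commit" if kind == "commit" else "verify-tag"
    try:
        return subprocess.run(["git", "-C", repo_dir, sub, rev],
                              capture_output=True, check=False).returncode == 0
    except FileNotFoundError:  # git not installed
        return False


# Constructed samples (no repository behind them); SHAs and signatures are fake.
SIGNED_COMMIT = """\
tree aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
author Example Dev <dev@example.invalid> 1676468257 -0800
committer Example Dev <dev@example.invalid> 1676468257 -0800
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABconstructedSampleNotARealSignature=
 -----END PGP SIGNATURE-----

Release 1.2: fix widget rendering
"""
UNSIGNED_COMMIT = """\
tree bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
author Someone Else <other@example.invalid> 1676468300 -0800
committer Someone Else <other@example.invalid> 1676468300 -0800

Bump version
"""
SIGNED_TAG = """\
object aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
type commit
tag v1.2
tagger Example Dev <dev@example.invalid> 1676468257 -0800

Release 1.2
-----BEGIN PGP SIGNATURE-----
iQEzBAABconstructedSampleNotARealSignature=
-----END PGP SIGNATURE-----
"""
UNSIGNED_TAG = """\
object bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
type commit
tag v1.3
tagger Someone Else <other@example.invalid> 1676468300 -0800

Release 1.3
"""
```

`claims_signature` is only a pre-check that gives a clear error message early: a signature block in a commit or tag proves nothing until git has checked it against a key the build host already trusts, so the build still has to run `verify_with_git` on every object it uses, with the maintainers' keys pinned on the build host rather than taken from the repository being built.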
From: Richard Stallman <rms@HIDDEN>
Date: Sat, 25 Feb 2023 21:59:45 -0500

Please forgive my delay in replying.

> If an attacker can introduce a commit containing malicious code, and
> create a new git tag pointing to that commit, the GNU ELPA scripts will
> fetch it, and release a new version of the package (now including the
> malicious code).  By requiring tags to be cryptographically signed, we
> can have a greater confidence that any new tag has at the very least
> been signed off by the developer him/herself.

This seems wise to me.  Does anyone have arguments against?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
From: Stefan Kangas <stefankangas@HIDDEN>
Date: Mon, 4 Sep 2023 02:07:10 -0700
Subject: control message for bug #61277

tags 61277 + security
quit