GNU bug report logs - #66369: Change package-check-signature default to t
To reply to this bug, email your comments to 66369 AT debbugs.gnu.org.
Report forwarded to bug-gnu-emacs <at> gnu.org: bug#66369; Package emacs. (Fri, 06 Oct 2023 09:34:02 GMT)
Acknowledgement sent to Stefan Kangas <stefankangas <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Fri, 06 Oct 2023 09:34:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Severity: wishlist

I propose to change the default of `package-check-signature' to t when
gpg is available.

Previous discussion here:
https://lists.gnu.org/r/emacs-devel/2023-02/msg00680.html

The current default is `allow-unsigned', which is about as useful for
security purposes as if it was nil. But if the default is t, users will
be forced to have OpenPGP installed.

In the above discussion, Eli suggested:

> We could also display a warning, once, when we detect that OpenPGP is
> not available and set the value to allow-unsigned. This way the user
> is alerted to the problem and can take action to fix it.

I'd add that we could also prompt in this situation, perhaps something
along the lines of:

"No working PGP installation detected; install package(s) without
verifying signature (unsafe)? (y/n)"
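
An init-file sketch of the behaviour discussed in this report, for users who want it before any default changes. This is an added example, not code from the report or from Emacs itself; the `my/` function names are hypothetical, and it warns on every startup without gpg rather than once.

```elisp
;;; Added example for an init file; the `my/' names are hypothetical.
(require 'package)
(require 'epg-config)

(defun my/openpgp-available-p ()
  "Return non-nil if EPG can find a usable OpenPGP (gpg) program."
  (and (ignore-errors (epg-find-configuration 'OpenPGP)) t))

(defun my/strict-package-signatures ()
  "Require valid signatures for package installs when gpg is usable.
Without gpg, fall back to `allow-unsigned' and display a warning so
the missing OpenPGP installation is visible to the user."
  (if (my/openpgp-available-p)
      ;; Strict mode: a package without a valid signature is refused.
      (setq package-check-signature t)
    ;; Fallback: same value as the current default, but not silent.
    (setq package-check-signature 'allow-unsigned)
    (display-warning
     'package
     (concat "No working OpenPGP installation detected; "
             "package signatures will not be verified")
     :warning)))

;; Apply the policy before any package is installed or upgraded.
(my/strict-package-signatures)
```

With the value set to t, installs from archives that do not publish signatures will fail; `package-unsigned-archives` lists archives exempt from the check and should be kept as short as possible.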
This bug report was last modified 1 year and 82 days ago.