X-Loop: help-debbugs@HIDDEN
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Resent-From: Stefan Kangas <stefankangas@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: monnier@HIDDEN, philipk@HIDDEN, yantar92@HIDDEN, bug-gnu-emacs@HIDDEN
Resent-Date: Mon, 09 Oct 2023 07:17:02 +0000
Resent-Message-ID: <handler.66414.B.16968357859251 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 66414
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords:
To: 66414 <at> debbugs.gnu.org
Cc: monnier@HIDDEN, philipk@HIDDEN, yantar92@HIDDEN
X-Debbugs-Original-To: bug-gnu-emacs@HIDDEN
X-Debbugs-Original-Xcc: monnier@HIDDEN, philipk@HIDDEN, yantar92@HIDDEN
Received: via spool by submit <at> debbugs.gnu.org id=B.16968357859251
(code B ref -1); Mon, 09 Oct 2023 07:17:02 +0000
Received: (at submit) by debbugs.gnu.org; 9 Oct 2023 07:16:25 +0000
Received: from localhost ([127.0.0.1]:59098 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1qpkV7-0002P9-12
for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 03:16:25 -0400
Received: from lists.gnu.org ([2001:470:142::17]:50738)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <stefankangas@HIDDEN>) id 1qpkV5-0002Of-Lq
for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 03:16:24 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <stefankangas@HIDDEN>)
id 1qpkUc-0007UB-ED
for bug-gnu-emacs@HIDDEN; Mon, 09 Oct 2023 03:15:56 -0400
Received: from mail-lf1-x134.google.com ([2a00:1450:4864:20::134])
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
(Exim 4.90_1) (envelope-from <stefankangas@HIDDEN>)
id 1qpkUY-0003Bx-2K
for bug-gnu-emacs@HIDDEN; Mon, 09 Oct 2023 03:15:52 -0400
Received: by mail-lf1-x134.google.com with SMTP id
2adb3069b0e04-50585357903so5502701e87.2
for <bug-gnu-emacs@HIDDEN>; Mon, 09 Oct 2023 00:15:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1696835748; x=1697440548; darn=gnu.org;
h=to:subject:message-id:date:mime-version:from:from:to:cc:subject
:date:message-id:reply-to;
bh=w+AI7FVCAzqaPxR1I6O0GDlT+eny6jEEnRuQnoo9lKk=;
b=Kc+zqp9SxoEvp2qzSmOpGs4fgHs3ZUCnzBWlBFIaCSpxxG/zSNyplNqj020b1lBu0f
lMH/sUTfdbq+jKs2CzJFOfcq/qWsl3Ltyp/Z/cszmiQmDIaLiuPokQVFgknkNCmJ44eu
xlJFpJKLzVmY2a90QsW0pWZN0cmYMK+JHhReQ91N2uM+wb+j/gzYlNhTKGI7EIgBEqiN
K6bNx7OI7ws+czhlJYJA2RWOzH+rlC1ZYkDv+vR8dWka+bcVCgg5oiTycgGb8J9mro/1
/QAi5FIFYO6Yt/Z8ycNHTy2V9gTy0jiFM7IEKklUuCkukar7Rz4ARggf6UezggaMj/Ou
ykkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1696835748; x=1697440548;
h=to:subject:message-id:date:mime-version:from:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh=w+AI7FVCAzqaPxR1I6O0GDlT+eny6jEEnRuQnoo9lKk=;
b=EYeRmgNJ7gZs4EH2pQX6KVXXfUpnvboeI0UM4RT5tvBxRRMyOxdQrdAj+lM14ZqyrC
XZ7bX7YW+XOXeaUgCewASQBBBB529+V+D+L1fd2cq6m0iH3XYKaSlHW9xvULiz3Ib72b
+2Zw0R4IGIK/3JlYZVUIvHTSxi8djLHolfXHv38Vs0AFDm+R/+ts8UsyAqnIgYoCM4Cr
2Zwvq2zz02UGbGtN676mZK/eGAOl1tO0T5c+jcMhcADpbn9WKbSKP6xYY00UNX+H4SaU
qgvnmLV3dmSAKJ6EvSuGThTyFQkuu7vByZaj3scuXHF6MAldGdcTNH7mMZDOMIkgOTvb
YgdA==
X-Gm-Message-State: AOJu0YxsmaKukBjhp5HbntTfQQH/O3FytqwTvQJRYHjfWg84keYpc/x6
8vsdLcagjVL0q28nXjiJSYCtJIqYV03zGxbZFdq1lUNRuco=
X-Google-Smtp-Source: AGHT+IFpIvgePP61j0BZ8HPLvVIfwxxQKHXf7WaMmip4XCYqbUhFhOqGMTRTm6HKxlKg24IdSGv4TIHxyBr5yimVs1A=
X-Received: by 2002:a19:6452:0:b0:500:a08e:2fd3 with SMTP id
b18-20020a196452000000b00500a08e2fd3mr10684899lfj.21.1696835747825; Mon, 09
Oct 2023 00:15:47 -0700 (PDT)
Received: from 753933720722 named unknown by gmailapi.google.com with
HTTPREST; Mon, 9 Oct 2023 07:15:47 +0000
From: Stefan Kangas <stefankangas@HIDDEN>
MIME-Version: 1.0
Date: Mon, 9 Oct 2023 07:15:47 +0000
Message-ID: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=2a00:1450:4864:20::134;
envelope-from=stefankangas@HIDDEN; helo=mail-lf1-x134.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.0 (+)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)
Severity: wishlist
I propose optionally releasing a new version of packages on
NonGNU/GNU ELPA only if there is a valid PGP signature. We can't make
it mandatory, at the very least not initially, because it would break
too many existing workflows.
The standard feature to do that in git would be a signed git tag.
However, (Non-)GNU ELPA currently rebuilds package tarballs every time
the "Version" comment header is updated, while git tags are ignored.
Forwarded from
https://lists.gnu.org/r/emacs-devel/2023-02/msg00120.html
Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) Content-Type: text/plain; charset=utf-8 X-Loop: help-debbugs@HIDDEN From: help-debbugs@HIDDEN (GNU bug Tracking System) To: Stefan Kangas <stefankangas@HIDDEN> Subject: bug#66414: Acknowledgement (GNU ELPA: Require signed tags to release new package versions) Message-ID: <handler.66414.B.16968357859251.ack <at> debbugs.gnu.org> References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN> X-Gnu-PR-Message: ack 66414 X-Gnu-PR-Package: emacs Reply-To: 66414 <at> debbugs.gnu.org Date: Mon, 09 Oct 2023 07:17:02 +0000 Thank you for filing a new bug report with debbugs.gnu.org. This is an automatically generated reply to let you know your message has been received. Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course. As you requested using X-Debbugs-CC, your message was also forwarded to monnier@HIDDEN, philipk@HIDDEN, yantar92@HIDDEN (after having been given a bug report number, if it did not have one). Your message has been sent to the package maintainer(s): bug-gnu-emacs@HIDDEN If you wish to submit further information on this problem, please send it to 66414 <at> debbugs.gnu.org. Please do not send mail to help-debbugs@HIDDEN unless you wish to report a problem with the Bug-tracking system. --=20 66414: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D66414 GNU Bug Tracking System Contact help-debbugs@HIDDEN with problems
X-Loop: help-debbugs@HIDDEN
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Resent-From: Eshel Yaron <me@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Mon, 09 Oct 2023 08:34:02 +0000
Resent-Message-ID: <handler.66414.B66414.169684038619315 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 66414
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords:
To: Stefan Kangas <stefankangas@HIDDEN>
Cc: 66414 <at> debbugs.gnu.org, philipk@HIDDEN, yantar92@HIDDEN, monnier@HIDDEN
Received: via spool by 66414-submit <at> debbugs.gnu.org id=B66414.169684038619315
(code B ref 66414); Mon, 09 Oct 2023 08:34:02 +0000
Received: (at 66414) by debbugs.gnu.org; 9 Oct 2023 08:33:06 +0000
Received: from localhost ([127.0.0.1]:59229 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1qplhK-00051T-2G
for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 04:33:06 -0400
Received: from mail.eshelyaron.com ([107.175.124.16]:48412 helo=eshelyaron.com)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <me@HIDDEN>) id 1qplhI-00051H-Rd
for 66414 <at> debbugs.gnu.org; Mon, 09 Oct 2023 04:33:05 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=eshelyaron.com;
s=mail; t=1696840363;
bh=u4axu8Sv/1wf1qM3LHVAosjOsTnmkDlgNmfQOn7zKis=;
h=From:To:Cc:Subject:In-Reply-To:References:Date:From;
b=DWB0meyDCuwNRpWZ47ync4dQD4g/VEEdv1T+8zJpRaMXnZZjxDNTS1TjkcuJMBsRO
JtLX3lzTJAiE0r3sMV+A2YpyLmgS0BvX58u8O69fxo4u0YEBwfraOs8Yqp8Ren3Fiq
O772zV0kGeDxCMWUb0Em6g0Byo7TsZQRGIlgiaKmj4TQlroxRCq7XOh4DXhvA+pc0D
tm/l3LDACB7S6kdfn6ePJhRfNPiRXsOMPpzDT+LUFo/d8c+J3Qb+TOXH2JmrTmZkw4
vl+cy0IL3gzkP9w3QjujXUGk+e93Ym7bbmLC2gq+MKFCueTHdBgPy8tYuEtCp2I0+R
a1qNXHRq5O8NA==
From: Eshel Yaron <me@HIDDEN>
In-Reply-To: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
(Stefan Kangas's message of "Mon, 9 Oct 2023 07:15:47 +0000")
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
Date: Mon, 09 Oct 2023 10:32:41 +0200
Message-ID: <m1mswsi4ba.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Hi,
Stefan Kangas <stefankangas@HIDDEN> writes:
> Severity: wishlist
>
> I propose optionally releasing a new version of packages on
> NonGNU/GNU ELPA only if there is a valid PGP signature. We can't make
> it mandatory, at the very least not initially, because it would break
> too many existing workflows.
>
Do I understand correctly that under this proposal package
authors/maintainers would need to opt-in to such signature validation?
Another option that might be worth considering is to continue releasing
packages, with or without a valid signature, and instead to indicate the
absence or invalidity of a signature in the packages list and in other
package.el commands. This has the benefit of requiring nothing from
package maintainers while creating a clear incentive to add those
signatures, and it would also give users the chance to employ their
personal judgment on case-by-case basis. OTOH There are many cases to
consider, such as what happens when a user wants to upgrade a signed
package but the newer version is unsigned.
> The standard feature to do that in git would be a signed git tag.
> However, (Non-)GNU ELPA currently rebuilds package tarballs every time
> the "Version" comment header is updated, while git tags are ignored.
>
> Forwarded from
>
> https://lists.gnu.org/r/emacs-devel/2023-02/msg00120.html
X-Loop: help-debbugs@HIDDEN
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Resent-From: Stefan Kangas <stefankangas@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Mon, 09 Oct 2023 08:39:01 +0000
Resent-Message-ID: <handler.66414.B66414.169684068320001 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 66414
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords:
To: Eshel Yaron <me@HIDDEN>
Cc: 66414 <at> debbugs.gnu.org, philipk@HIDDEN, yantar92@HIDDEN, monnier@HIDDEN
Received: via spool by 66414-submit <at> debbugs.gnu.org id=B66414.169684068320001
(code B ref 66414); Mon, 09 Oct 2023 08:39:01 +0000
Received: (at 66414) by debbugs.gnu.org; 9 Oct 2023 08:38:03 +0000
Received: from localhost ([127.0.0.1]:59233 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1qplm6-0005CX-Qt
for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 04:38:03 -0400
Received: from mail-lf1-x12d.google.com ([2a00:1450:4864:20::12d]:59842)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <stefankangas@HIDDEN>) id 1qplm4-0005C2-Mi
for 66414 <at> debbugs.gnu.org; Mon, 09 Oct 2023 04:38:01 -0400
Received: by mail-lf1-x12d.google.com with SMTP id
2adb3069b0e04-50337b43ee6so5412745e87.3
for <66414 <at> debbugs.gnu.org>; Mon, 09 Oct 2023 01:37:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1696840654; x=1697445454; darn=debbugs.gnu.org;
h=cc:to:subject:message-id:date:mime-version:references:in-reply-to
:from:from:to:cc:subject:date:message-id:reply-to;
bh=12byguwqxAFLZNypl7Sou0RI/p0U4RIyXybrt8G3qaQ=;
b=EfPpyYFQhzDaCMC0WwdlpECyjAi6nF3x3+5JaVGnAfwxp0X6vEJZwk+czQYmZHvdQu
ggfNQQXsxdpM4pBtfCk8zZhdUkGAC1Qc50qPeWRWZ7HsPaAZyih1EHl9oT/QqeBRzAke
1pTraIXM2T2Xt60MD5dKXheV/3qhFtNUAh2ucRvkAamARHWV2gTOzybVaTN+Xir83yS8
P+ZuDbT+Od+Asv5RpTLaJbG/8jkEFoIL11R/pTDWGvQEzC/zhE2hWFUZbHfxJKcY0Sn7
11xs2gdzQFtwv0fRWmGlfA2WrVPLcWFGgGVJ0yrXcKQX2jNtEEMMBNmbrr/kX5cuLMrI
m1Lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1696840654; x=1697445454;
h=cc:to:subject:message-id:date:mime-version:references:in-reply-to
:from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=12byguwqxAFLZNypl7Sou0RI/p0U4RIyXybrt8G3qaQ=;
b=FDwjkG2oCSdCoSn1bD0KjNuCMQYkkmXZTYbhpkyQDBh2eyRf4rxLNFPcSO/sgZx35F
ztIILC5GUYBQZqc9tnZFTv7Apqz/1K6I8dOjnRtMKbh2UaRYecu9VsBQffUnqVrEw8A+
gcmovaesXAfG6HNFEwLa4MmSjuQn6Mpc4fdcTM1mhm58R0QFKibBxAHDrXMRX0THo98G
jkcAmqjAh1Iw7swTnALqLsFwbCGF6QvoFFDk1Lqbnfp223/i/sslgZR+K04xp6S5CQgI
cQG2RhDIXDBLD9irEEUqM9aurwAT0H6gXQb2iLnvZr6mPz9QU0S4k+oKP760sHEQNGVp
0DSQ==
X-Gm-Message-State: AOJu0Yx27UglxJKDruCZhega0NGn5tojJuhcHu/nvDNVaUTrI1QYn3oJ
/Qr9WD3FXUBLLPhD2pxDz016PbWoV7stcGL5WXA=
X-Google-Smtp-Source: AGHT+IFK3Q4qCwSHpQb71kf2HsXhYFl105zezOiyQRnVatp/Wr+UgPw68ddNQMRtGzuTaGaB0nPZ3qEN/5lQK6YUi6o=
X-Received: by 2002:a19:ee17:0:b0:503:2891:444d with SMTP id
g23-20020a19ee17000000b005032891444dmr10873809lfb.64.1696840653822; Mon, 09
Oct 2023 01:37:33 -0700 (PDT)
Received: from 753933720722 named unknown by gmailapi.google.com with
HTTPREST; Mon, 9 Oct 2023 08:37:33 +0000
From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <m1mswsi4ba.fsf@HIDDEN>
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
<m1mswsi4ba.fsf@HIDDEN>
MIME-Version: 1.0
Date: Mon, 9 Oct 2023 08:37:33 +0000
Message-ID: <CADwFkmmyTVmyErUadcooHJq4G5Siv_H6_by5VBqH7SEzRqmWnA@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Eshel Yaron <me@HIDDEN> writes:
> Do I understand correctly that under this proposal package
> authors/maintainers would need to opt-in to such signature validation?
Yes.
> Another option that might be worth considering is to continue releasing
> packages, with or without a valid signature, and instead to indicate the
> absence or invalidity of a signature in the packages list and in other
> package.el commands.
Yes, something like that is what I had in mind.
X-Loop: help-debbugs@HIDDEN
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Resent-From: Philip Kaludercic <philipk@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Mon, 09 Oct 2023 09:02:01 +0000
Resent-Message-ID: <handler.66414.B66414.169684212023156 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 66414
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords:
To: Stefan Kangas <stefankangas@HIDDEN>
Cc: 66414 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Received: via spool by 66414-submit <at> debbugs.gnu.org id=B66414.169684212023156
(code B ref 66414); Mon, 09 Oct 2023 09:02:01 +0000
Received: (at 66414) by debbugs.gnu.org; 9 Oct 2023 09:02:00 +0000
Received: from localhost ([127.0.0.1]:59271 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1qpm9I-00061Q-G3
for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 05:02:00 -0400
Received: from mout01.posteo.de ([185.67.36.65]:53253)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <philipk@HIDDEN>) id 1qpm9G-000619-0m
for 66414 <at> debbugs.gnu.org; Mon, 09 Oct 2023 05:01:59 -0400
Received: from submission (posteo.de [185.67.36.169])
by mout01.posteo.de (Postfix) with ESMTPS id 50249240028
for <66414 <at> debbugs.gnu.org>; Mon, 9 Oct 2023 11:01:31 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
t=1696842091; bh=uzT/lCVtBzzYUeC83PdPe3eekW1TSMaWU1yFPQSvhe4=;
h=From:To:Cc:Subject:Autocrypt:Date:Message-ID:MIME-Version:From;
b=C1lhGO/ScUwNzgkMUDyDzPPpeXogn+55kEqZxgRUmBxJjT90XMCjURWnoRPF8Tb1j
7Xj1DRdfDQglGQYVg6ErK+fT5S02jGg9ddxcGEZ8xERignHqM0orlAXO1F44j1SQcf
ONaBnRCvlJI6G4G7HhuTjgnN13LkfGIzPXEK2jJ1X69pqUcKLGHnbgUxf0CMg9TP1V
6+jTjePaMPcT+CB8mb6AMd0wlN/HwzyrTXKgujTxEi4D1ackxetWlQfHAA77u4sHE+
ZREpD0byB8+n8jKK+lLlUmmdTn/mgH67UZ7hfLawO9idFGURnjt3OJYIRRR3b/BdAq
GLxsFg6Y+vPXg==
Received: from customer (localhost [127.0.0.1])
by submission (posteo.de) with ESMTPSA id 4S3tLf2Bs2z6tsg;
Mon, 9 Oct 2023 11:01:30 +0200 (CEST)
From: Philip Kaludercic <philipk@HIDDEN>
In-Reply-To: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
(Stefan Kangas's message of "Mon, 9 Oct 2023 07:15:47 +0000")
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
Autocrypt: addr=philipk@HIDDEN; keydata=
mDMEZBBQQhYJKwYBBAHaRw8BAQdAHJuofBrfqFh12uQu0Yi7mrl525F28eTmwUDflFNmdui0QlBo
aWxpcCBLYWx1ZGVyY2ljIChnZW5lcmF0ZWQgYnkgYXV0b2NyeXB0LmVsKSA8cGhpbGlwa0Bwb3N0
ZW8ubmV0PoiWBBMWCAA+FiEEDg7HY17ghYlni8XN8xYDWXahwukFAmQQUEICGwMFCQHhM4AFCwkI
BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ8xYDWXahwulikAEA77hloUiSrXgFkUVJhlKBpLCHUjA0
mWZ9j9w5d08+jVwBAK6c4iGP7j+/PhbkxaEKa4V3MzIl7zJkcNNjHCXmvFcEuDgEZBBQQhIKKwYB
BAGXVQEFAQEHQI5NLiLRjZy3OfSt1dhCmFyn+fN/QKELUYQetiaoe+MMAwEIB4h+BBgWCAAmFiEE
Dg7HY17ghYlni8XN8xYDWXahwukFAmQQUEICGwwFCQHhM4AACgkQ8xYDWXahwukm+wEA8cml4JpK
NeAu65rg+auKrPOP6TP/4YWRCTIvuYDm0joBALw98AMz7/qMHvSCeU/hw9PL6u6R2EScxtpKnWof
z4oM
Date: Mon, 09 Oct 2023 09:01:29 +0000
Message-ID: <871qe4maom.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)
Stefan Kangas <stefankangas@HIDDEN> writes:
> Severity: wishlist
>
> I propose optionally releasing a new version of packages on
> NonGNU/GNU ELPA only if there is a valid PGP signature. We can't make
> it mandatory, at the very least not initially, because it would break
> too many existing workflows.
I am not sure what the context here is, so sorry for the potentially
stupid question, but what PGP signatures are we talking about? Are you
suggesting that the commit should be signed?
> The standard feature to do that in git would be a signed git tag.
> However, (Non-)GNU ELPA currently rebuilds package tarballs every time
> the "Version" comment header is updated, while git tags are ignored.
>
> Forwarded from
>
> https://lists.gnu.org/r/emacs-devel/2023-02/msg00120.html
X-Loop: help-debbugs@HIDDEN
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Resent-From: Stefan Kangas <stefankangas@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Mon, 09 Oct 2023 09:31:02 +0000
Resent-Message-ID: <handler.66414.B66414.169684385126801 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 66414
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords:
To: Philip Kaludercic <philipk@HIDDEN>
Cc: 66414 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Received: via spool by 66414-submit <at> debbugs.gnu.org id=B66414.169684385126801
(code B ref 66414); Mon, 09 Oct 2023 09:31:02 +0000
Received: (at 66414) by debbugs.gnu.org; 9 Oct 2023 09:30:51 +0000
Received: from localhost ([127.0.0.1]:59297 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1qpmbC-0006yD-Oj
for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 05:30:51 -0400
Received: from mail-lf1-x12c.google.com ([2a00:1450:4864:20::12c]:53620)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <stefankangas@HIDDEN>) id 1qpmbA-0006xx-42
for 66414 <at> debbugs.gnu.org; Mon, 09 Oct 2023 05:30:49 -0400
Received: by mail-lf1-x12c.google.com with SMTP id
2adb3069b0e04-504a7f9204eso5137687e87.3
for <66414 <at> debbugs.gnu.org>; Mon, 09 Oct 2023 02:30:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1696843821; x=1697448621; darn=debbugs.gnu.org;
h=cc:to:subject:message-id:date:mime-version:references:in-reply-to
:from:from:to:cc:subject:date:message-id:reply-to;
bh=+laP9NlATzCDNiJji4fpS65FO5yRYzXeWg4yEGfuQEc=;
b=KiACJk8nM+XM3Upta6rElqeuS4LyYRX0zebO7EyR0E1Y8ZW49/3Itn0vjxrA6i6C1M
qCj17tzUXBpi4J5/2Un2oHEcdPpqAkzP4vXnBGOFlC79+8/i8zXPG6GuPqST5n3URxyK
0U/U0oA4nduxrj9idwh+mHA9GrZ5flA6dj/PWpKRF7EBGVwEta9pq+KyuyONCLcPBgtI
3HF8J7axMhMiyz9l+gfSvzphTkkDhjvA7+WuLr4Qdwn++39UNCy8Fjo8Sdc7P3avDS5Q
xiajjchijePFHVR/0EzARtR+BxHb4jT+Ou9df2mwOAcn1PCjGI9UUUK7ElLSeUkyhjC6
KCkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1696843821; x=1697448621;
h=cc:to:subject:message-id:date:mime-version:references:in-reply-to
:from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=+laP9NlATzCDNiJji4fpS65FO5yRYzXeWg4yEGfuQEc=;
b=iutjEXggcB27a++vMhe4m9DJcYtT3NrCrNsHVV/l/dPTWzsQYUWlHRaLodOZhJuzBq
Ija/1W62nbRIntAq0CBmu2kEjO5awZNS6s1Q9+hnZ/KN7PmZl91s6ndk/Fns3oEceic6
oE+qUEquPsGtlI+TFj/awh0Un5tmeBeZ7upgNwaH7ZmUc03d6aknfL/k5vI9vN+zF4/p
1CCWaZjakim8SPpu7f97EEZkuY1uWy7+bATfCSrHZdz2WyANX1ADFJGN5lz1R14zEFIj
DPfZHsnLa/RD7+1379gbnpCXzMi1CPNKI9aoSB2Irqci48vIfpQKQzyIm5+lwNLgg0O6
0niA==
X-Gm-Message-State: AOJu0Yyo3emEt+F2tRNGILnOPr/3FrZ4UJaUowT/yPET1IDGCI1QqlMH
B86dDn7mKIBNbY0Fdrpz24X2ZPVMxbryWqo7pso=
X-Google-Smtp-Source: AGHT+IGudICwLt00ivGNf310HcZRUFhCl8qhh20QxWiLLlLHVMeOGFN85/Km6HtZvIAdrhchclYz7X8mVavrcRrwUDo=
X-Received: by 2002:a05:6512:2396:b0:500:8fcd:c3b5 with SMTP id
c22-20020a056512239600b005008fcdc3b5mr17140721lfv.12.1696843820961; Mon, 09
Oct 2023 02:30:20 -0700 (PDT)
Received: from 753933720722 named unknown by gmailapi.google.com with
HTTPREST; Mon, 9 Oct 2023 09:30:20 +0000
From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <871qe4maom.fsf@HIDDEN>
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
<871qe4maom.fsf@HIDDEN>
MIME-Version: 1.0
Date: Mon, 9 Oct 2023 09:30:20 +0000
Message-ID: <CADwFkmme54GxDz+qR-cZZH0EemB7r1y1A1a5J2qXo4qF1rTDZg@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Philip Kaludercic <philipk@HIDDEN> writes:
> Stefan Kangas <stefankangas@HIDDEN> writes:
>
>> Severity: wishlist
>>
>> I propose optionally releasing a new version of packages on
>> NonGNU/GNU ELPA only if there is a valid PGP signature. We can't make
>> it mandatory, at the very least not initially, because it would break
>> too many existing workflows.
>
> I am not sure what the context here is, so sorry for the potentially
> stupid question, but what PGP signatures are we talking about? Are you
> suggesting that the commit should be signed?
Yes, see the very next sentence:
>> The standard feature to do that in git would be a signed git tag.
Sorry for not being more clear.
X-Loop: help-debbugs@HIDDEN
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Resent-From: Philip Kaludercic <philipk@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Mon, 09 Oct 2023 09:40:01 +0000
Resent-Message-ID: <handler.66414.B66414.169684437927607 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 66414
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords:
To: Stefan Kangas <stefankangas@HIDDEN>
Cc: 66414 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Received: via spool by 66414-submit <at> debbugs.gnu.org id=B66414.169684437927607
(code B ref 66414); Mon, 09 Oct 2023 09:40:01 +0000
Received: (at 66414) by debbugs.gnu.org; 9 Oct 2023 09:39:39 +0000
Received: from localhost ([127.0.0.1]:59309 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1qpmji-0007BD-K7
for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 05:39:38 -0400
Received: from mout02.posteo.de ([185.67.36.66]:49361)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <philipk@HIDDEN>) id 1qpmjg-0007Az-EY
for 66414 <at> debbugs.gnu.org; Mon, 09 Oct 2023 05:39:37 -0400
Received: from submission (posteo.de [185.67.36.169])
by mout02.posteo.de (Postfix) with ESMTPS id B958E240105
for <66414 <at> debbugs.gnu.org>; Mon, 9 Oct 2023 11:39:09 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
t=1696844349; bh=ynrEDgBowzz3ynPKxc9vjLNYoo4OqlvEqjD2xoAX8Ig=;
h=From:To:Cc:Subject:Autocrypt:Date:Message-ID:MIME-Version:From;
b=CaJhIljWg2KPJnz4Q9jcBv0utNNmnu9ttoxoDPlxxrzB5jZN4O/xKiUYekBA7CDEx
jNPgIT11ETDC61AC8NWGlOkD7rhiWBrM0k+vVpuLhTxzOqTu7wg/GvJNuwMYOE29gh
Pgbk8KBQKXEPB8ISIDZdeV8CNNLHTdZAAdjcPpwDtATyapBTHNrnSKszAoFrrRV2Fg
GL5vctI5JPlEdKqMTrE54ZCh/UGTcDE1hk9GvTyDQ4iLOZgAcU8FrkJdyBKQXN8RTv
L2PaNhqgczIJ6wz+DcU3X8VI3U9UysjE3wixrqfemE06WndA+L3sNBw/ZZPQoN9aPQ
gRpNZqrtSprOg==
Received: from customer (localhost [127.0.0.1])
by submission (posteo.de) with ESMTPSA id 4S3vB45hHFz6tvx;
Mon, 9 Oct 2023 11:39:08 +0200 (CEST)
From: Philip Kaludercic <philipk@HIDDEN>
In-Reply-To: <CADwFkmme54GxDz+qR-cZZH0EemB7r1y1A1a5J2qXo4qF1rTDZg@HIDDEN>
(Stefan Kangas's message of "Mon, 9 Oct 2023 09:30:20 +0000")
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
<871qe4maom.fsf@HIDDEN>
<CADwFkmme54GxDz+qR-cZZH0EemB7r1y1A1a5J2qXo4qF1rTDZg@HIDDEN>
Autocrypt: addr=philipk@HIDDEN; keydata=
mDMEZBBQQhYJKwYBBAHaRw8BAQdAHJuofBrfqFh12uQu0Yi7mrl525F28eTmwUDflFNmdui0QlBo
aWxpcCBLYWx1ZGVyY2ljIChnZW5lcmF0ZWQgYnkgYXV0b2NyeXB0LmVsKSA8cGhpbGlwa0Bwb3N0
ZW8ubmV0PoiWBBMWCAA+FiEEDg7HY17ghYlni8XN8xYDWXahwukFAmQQUEICGwMFCQHhM4AFCwkI
BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ8xYDWXahwulikAEA77hloUiSrXgFkUVJhlKBpLCHUjA0
mWZ9j9w5d08+jVwBAK6c4iGP7j+/PhbkxaEKa4V3MzIl7zJkcNNjHCXmvFcEuDgEZBBQQhIKKwYB
BAGXVQEFAQEHQI5NLiLRjZy3OfSt1dhCmFyn+fN/QKELUYQetiaoe+MMAwEIB4h+BBgWCAAmFiEE
Dg7HY17ghYlni8XN8xYDWXahwukFAmQQUEICGwwFCQHhM4AACgkQ8xYDWXahwukm+wEA8cml4JpK
NeAu65rg+auKrPOP6TP/4YWRCTIvuYDm0joBALw98AMz7/qMHvSCeU/hw9PL6u6R2EScxtpKnWof
z4oM
Date: Mon, 09 Oct 2023 09:39:08 +0000
Message-ID: <87r0m4kudf.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)
Stefan Kangas <stefankangas@HIDDEN> writes:
> Philip Kaludercic <philipk@HIDDEN> writes:
>
>> Stefan Kangas <stefankangas@HIDDEN> writes:
>>
>>> Severity: wishlist
>>>
>>> I propose optionally releasing a new version of packages on
>>> NonGNU/GNU ELPA only if there is a valid PGP signature. We can't make
>>> it mandatory, at the very least not initially, because it would break
>>> too many existing workflows.
>>
>> I am not sure what the context here is, so sorry for the potentially
>> stupid question, but what PGP signatures are we talking about? Are you
>> suggesting that the commit should be signed?
>
> Yes, see the very next sentence:
>
>>> The standard feature to do that in git would be a signed git tag.
>
> Sorry for not being more clear.
No, my bad. I didn't know that git tags could be signed, so I misread
the sentence.
One issue might be that elpa-admin.el doesn't really do anything with
git tags, though I guess it should be possible to verify a remote git
tag? An alternative might be to check for signed git commits, at the
very least for the commits that bump the version tag. That way all the
could be kept in elpa.git.
X-Loop: help-debbugs@HIDDEN
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Resent-From: Stefan Kangas <stefankangas@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Mon, 09 Oct 2023 09:45:02 +0000
Resent-Message-ID: <handler.66414.B66414.169684470128118 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 66414
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords:
To: Philip Kaludercic <philipk@HIDDEN>
Cc: 66414 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Received: via spool by 66414-submit <at> debbugs.gnu.org id=B66414.169684470128118
(code B ref 66414); Mon, 09 Oct 2023 09:45:02 +0000
Received: (at 66414) by debbugs.gnu.org; 9 Oct 2023 09:45:01 +0000
Received: from localhost ([127.0.0.1]:59319 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1qpmou-0007JS-By
for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 05:45:01 -0400
Received: from mail-lf1-x12e.google.com ([2a00:1450:4864:20::12e]:46302)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <stefankangas@HIDDEN>) id 1qpmon-0007Iz-3I
for 66414 <at> debbugs.gnu.org; Mon, 09 Oct 2023 05:44:59 -0400
Received: by mail-lf1-x12e.google.com with SMTP id
2adb3069b0e04-50307acd445so5433204e87.0
for <66414 <at> debbugs.gnu.org>; Mon, 09 Oct 2023 02:44:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1696844666; x=1697449466; darn=debbugs.gnu.org;
h=cc:to:subject:message-id:date:mime-version:references:in-reply-to
:from:from:to:cc:subject:date:message-id:reply-to;
bh=ooFDD9s1M+GaTiSa5SXZGj1i+aqwih93TZ25eFq1MkY=;
b=keJimQiN08baWHL7N3CkKdncE1J7kyuSpHzMaJqoeAxBLubE4JRGA24r6GVDN5HEWz
x6aAcbSH00vh+WnGIUZ67+auanYF8W7ejrj86H35Iv8EKcPIzIdjZr5DG9P9pti72O4A
qqKlv8XwnVjYZ9uyFo1hrJWfiaeV5B3ZOrz/JNlzx/7NK6Ff1W3Vo62382mg2DUZKAFk
ZyWLrn7CfZGd4sske0Ye0hBh/pqJRhH6uBoPch6Ag8m2QfN8o1bee8+Zi3tG6n0FtyE2
KorCrRARJxp8xLNtjtUnZgS2qAbivMVtKnx0m9ljOSu/RMFXV1KeKkFwFgkExv5IZLzP
oETw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1696844666; x=1697449466;
h=cc:to:subject:message-id:date:mime-version:references:in-reply-to
:from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=ooFDD9s1M+GaTiSa5SXZGj1i+aqwih93TZ25eFq1MkY=;
b=PdTSgsSPJKhVdbdxozEum6wxlrZGfYr/GbChmaK5GYjI7jZX7/HFWaU6eF6W0bH1O7
vuwacFQYuIAJi9h4wPXf40vJZ07ZGCVJTC3tzp8fhiDltxeFeZPsYHNmEeAiZAvI9fDr
8t2sZafdnUTM5LhBknII6W2+I7htGgOurGa+vT9lCKBLsFQmGbK84FqkpFE04lVqivB3
slZHe6eE2U8C1Tk39KPyegqapK9WgTsz4khHbEbn/GHV5gH7PK4YhWBcaESbXaBOxCES
o67hhUHEs+lB20tAIzeihG4A4/1xVckMieUq2lm7MisSIPR9UIfCaNwnWUY/UBlpxAM7
1dDw==
X-Gm-Message-State: AOJu0YyZVrh0MzbHvAMimj/VI+3QSea9n2fAWalzMZQipCZMwq6ZAqOS
zFP3h6nLxUJlBWwjDFeGxeyM1I/ieHaiu2U0y3V42sFZfzM=
X-Google-Smtp-Source: AGHT+IFeDljgUvJxbPHyygoS/YGoFIrFNxeJqdTFY5cD1D3yz+tjP2W2yQGMkCN0ZPXjpYMiZQs2UeqPqpk3sSj4KRM=
X-Received: by 2002:a05:6512:6d1:b0:503:367c:49c8 with SMTP id
u17-20020a05651206d100b00503367c49c8mr14842322lff.5.1696844666444; Mon, 09
Oct 2023 02:44:26 -0700 (PDT)
Received: from 753933720722 named unknown by gmailapi.google.com with
HTTPREST; Mon, 9 Oct 2023 09:44:25 +0000
From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <87r0m4kudf.fsf@HIDDEN>
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
<871qe4maom.fsf@HIDDEN>
<CADwFkmme54GxDz+qR-cZZH0EemB7r1y1A1a5J2qXo4qF1rTDZg@HIDDEN>
<87r0m4kudf.fsf@HIDDEN>
MIME-Version: 1.0
Date: Mon, 9 Oct 2023 09:44:25 +0000
Message-ID: <CADwFkmnNrZEJf3HLftLqWCEL4RgBtXFXzDx6mfOsX0kxT39m0A@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Philip Kaludercic <philipk@HIDDEN> writes:
> No, my bad. I didn't know that git tags could be signed, so I misread
> the sentence.
>
> One issue might be that elpa-admin.el doesn't really do anything with
> git tags, though I guess it should be possible to verify a remote git
> tag? An alternative might be to check for signed git commits, at the
> very least for the commits that bump the version tag. That way all the
> could be kept in elpa.git.
Yes, I think a signed commit might work fine for this purpose too. It
would be a more minimal change, if nothing else.
X-Loop: help-debbugs@HIDDEN
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Resent-From: Stefan Monnier <monnier@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Mon, 09 Oct 2023 21:54:01 +0000
Resent-Message-ID: <handler.66414.B66414.16968883962217 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 66414
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords:
To: Stefan Kangas <stefankangas@HIDDEN>
Cc: 66414 <at> debbugs.gnu.org, philipk@HIDDEN, yantar92@HIDDEN
Received: via spool by 66414-submit <at> debbugs.gnu.org id=B66414.16968883962217
(code B ref 66414); Mon, 09 Oct 2023 21:54:01 +0000
Received: (at 66414) by debbugs.gnu.org; 9 Oct 2023 21:53:16 +0000
Received: from localhost ([127.0.0.1]:33625 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1qpyBd-0000Zf-Fw
for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 17:53:16 -0400
Received: from mailscanner.iro.umontreal.ca ([132.204.25.50]:21972)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <monnier@HIDDEN>) id 1qpyBY-0000ZF-4M
for 66414 <at> debbugs.gnu.org; Mon, 09 Oct 2023 17:53:12 -0400
Received: from pmg3.iro.umontreal.ca (localhost [127.0.0.1])
by pmg3.iro.umontreal.ca (Proxmox) with ESMTP id 6FF0A444354;
Mon, 9 Oct 2023 17:52:41 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iro.umontreal.ca;
s=mail; t=1696888355;
bh=FrP5fu+ldtTA0yiLtA9A5acglPg1iAP17bjI9EFUPAw=;
h=From:To:Cc:Subject:In-Reply-To:References:Date:From;
b=Kud3B7DpW4xa23VQPUmydHQmyAn316j3QWb1YRkjMU7X6LenbnTKMLe86Sy4I8AcT
M+PDLOGQlv9Cos20AEWlN7Zt0GbknyBSjv+j0Mn0/hvoPavNBZFItLA2eCFiQ38uWw
UHwgtFBXQF2VL9qYFqSpSlAZXlsmZBq07u2KnLAKWC6xOLuCefFCd6Ag6p6hkafKVg
bbzD7ML2VrUxjuSSm2iwvNdat7aqoS2M2q4CcNOhiv7VaBVPvD2vBwoZZ8AwH2Valw
VRs8g04tLcCh96O2yq5srRjiManXhbezrMfDsIj7oqticCY/Gvv7KVgq6jx96mTsvj
qosqg1nqVzg2w==
Received: from mail01.iro.umontreal.ca (unknown [172.31.2.1])
by pmg3.iro.umontreal.ca (Proxmox) with ESMTP id A5D15444347;
Mon, 9 Oct 2023 17:52:35 -0400 (EDT)
Received: from pastel (unknown [216.154.28.175])
by mail01.iro.umontreal.ca (Postfix) with ESMTPSA id 744381202A2;
Mon, 9 Oct 2023 17:52:35 -0400 (EDT)
From: Stefan Monnier <monnier@HIDDEN>
In-Reply-To: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
(Stefan Kangas's message of "Mon, 9 Oct 2023 07:15:47 +0000")
Message-ID: <jwv7cnvpiyh.fsf-monnier+emacs@HIDDEN>
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
Date: Mon, 09 Oct 2023 17:52:34 -0400
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-SPAM-INFO: Spam detection results: 0
ALL_TRUSTED -1 Passed through trusted hosts only via SMTP
AWL 0.005 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DKIM_SIGNED 0.1 Message has a DKIM or DK signature,
not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's
domain
DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from
domain
X-SPAM-LEVEL:
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)
> I propose optionally releasing a new version of packages on
> NonGNU/GNU ELPA only if there is a valid PGP signature. We can't make
> it mandatory, at the very least not initially, because it would break
> too many existing workflows.
No objection on my side. The first step would presumably be to change
the synchronization scripts (the ones run by `elpasync` on
`elpa.gnu.org`) so as to propagate upstream tags to `elpa.git`.
The (Non)GNU ELPA tarballs are built from `elpa.git` and `nongnu.git`,
not from the upstream repositories, and currently those do not
contain upstream tags.
And since those repos contain many packages, the upstream tags need to
be renamed or moved to a different namespace to avoid conflicts between
tag names in different packages.
After that, we need to add the feature to be able to build releases from
tags rather than from "the commit where `Version:` was changed".
And after that, we can add a feature that checks that the tags are
signed (and that the signature is valid and made by the appropriate
persons/keys).
Stefan
X-Loop: help-debbugs@HIDDEN
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Resent-From: Stefan Kangas <stefankangas@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Tue, 10 Oct 2023 11:30:02 +0000
Resent-Message-ID: <handler.66414.B66414.169693736911841 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 66414
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords:
To: Stefan Monnier <monnier@HIDDEN>
Cc: 66414 <at> debbugs.gnu.org, philipk@HIDDEN, yantar92@HIDDEN
Received: via spool by 66414-submit <at> debbugs.gnu.org id=B66414.169693736911841
(code B ref 66414); Tue, 10 Oct 2023 11:30:02 +0000
Received: (at 66414) by debbugs.gnu.org; 10 Oct 2023 11:29:29 +0000
Received: from localhost ([127.0.0.1]:34124 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1qqAvZ-00034v-Fw
for submit <at> debbugs.gnu.org; Tue, 10 Oct 2023 07:29:29 -0400
Received: from mail-lj1-x22b.google.com ([2a00:1450:4864:20::22b]:59671)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <stefankangas@HIDDEN>) id 1qqAvV-00034g-LJ
for 66414 <at> debbugs.gnu.org; Tue, 10 Oct 2023 07:29:27 -0400
Received: by mail-lj1-x22b.google.com with SMTP id
38308e7fff4ca-2c007d6159aso65924011fa.3
for <66414 <at> debbugs.gnu.org>; Tue, 10 Oct 2023 04:29:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1696937339; x=1697542139; darn=debbugs.gnu.org;
h=cc:to:subject:message-id:date:mime-version:references:in-reply-to
:from:from:to:cc:subject:date:message-id:reply-to;
bh=5jCb4t2PTcDle7lE9nt2PpreZ/I+r1krT6W2rPVouWs=;
b=HnyqO2nZpjhWcBeoXyBf6X4zUpFoKBSaDJxSSM//oHP35wkqHrMMdoG5iFPnSWEP35
bUgCXbKMeu33Zy2BUayuplm3SzFxMWY+kqFfmLfh3nmGQ3Wvtr8JPL3ccZviDFhQWhrH
Vg+slA1Nkn6OZ5mBc9ARRIxCS1UkARSxpwK18+107yI13HJIOgQliZl2I3EIwL0qoVSn
FhxXzS6CAyj2qc6FAq0FvYC8gbeEiKC+erompba1ke2CubsatlPj+H8+J/vuKFZYzXlf
uH2qL84T1oxmMMwHv9NLanOaHMQh2yVWNq5fspGtFUXbYnUNq+ZFJpOiwJEy7Suo/E72
d7ig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1696937339; x=1697542139;
h=cc:to:subject:message-id:date:mime-version:references:in-reply-to
:from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=5jCb4t2PTcDle7lE9nt2PpreZ/I+r1krT6W2rPVouWs=;
b=MATQXyJ/JBA+B6lCt2xE4UUFqQ6VnQwXWC6I9UlSKWSWZThO4KjKbybEdWxZpBHcIx
2lnj8DTtFrdVunHUY3lUNRyo+cC1hHqOlkeM8GX5AxB9iS+5zNLDRI5Ve+1Ql5GWUr/4
KOnzhTN9wddKEvDB8Etr4E7l4WyQJDXOU9YNVtKPmdULhjUB+MPsbtsrUNxYJ2DU2GQ6
Jx6x12KXr8O/teYRlYfSzAy+E7v6xf4Dhu5lJrMKYmmlutfMeSGS0dR9htN5+VbVQGEs
0iJnB3e2Fk7fpnvSRGyqk2teannGHbhze6No3QWDesLoZV7WtkodLpMP459ntUFAi1MW
2OxQ==
X-Gm-Message-State: AOJu0YzobseoCZ0MRdhFm7ymLrDb1KXNgj3clgWMDjX0azx+PHvfHapp
eZoyKKGXZtt9IttAe2VSYjN+OxmNMQIJrou3Fls2lFX4wK4=
X-Google-Smtp-Source: AGHT+IFrw3GN+iaHjq+sDR2g3v4qOvue8jWIi2kLUu9pGB/eQZe6xqfA6dYKpAZPyiCIwqfTtQsQc/nZYBeH7uVODYU=
X-Received: by 2002:a2e:9d8f:0:b0:2bf:9664:b761 with SMTP id
c15-20020a2e9d8f000000b002bf9664b761mr13204303ljj.53.1696937338552; Tue, 10
Oct 2023 04:28:58 -0700 (PDT)
Received: from 753933720722 named unknown by gmailapi.google.com with
HTTPREST; Tue, 10 Oct 2023 11:28:58 +0000
From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <jwv7cnvpiyh.fsf-monnier+emacs@HIDDEN>
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
<jwv7cnvpiyh.fsf-monnier+emacs@HIDDEN>
MIME-Version: 1.0
Date: Tue, 10 Oct 2023 11:28:58 +0000
Message-ID: <CADwFkmmNCRMy0ZoAh0v96cF-Cn+o+iy2rmeKDCXQPXe77rSPSA@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Stefan Monnier <monnier@HIDDEN> writes:
> The (Non)GNU ELPA tarballs are built from `elpa.git` and `nongnu.git`,
> not from the upstream repositories, and currently those do not
> contain upstream tags.
>
> And since those repos contain many packages, the upstream tags need to
> be renamed or moved to a different namespace to avoid conflicts between
> tag names in different packages.
I'm starting to wonder if Philip's idea to use signed git commits might
work better for our purposes.
Would signed tags give us something that signed commits wouldn't?
X-Loop: help-debbugs@HIDDEN
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Resent-From: Stefan Monnier <monnier@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Tue, 10 Oct 2023 13:09:02 +0000
Resent-Message-ID: <handler.66414.B66414.16969433142964 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 66414
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords:
To: Stefan Kangas <stefankangas@HIDDEN>
Cc: 66414 <at> debbugs.gnu.org, philipk@HIDDEN, yantar92@HIDDEN
Received: via spool by 66414-submit <at> debbugs.gnu.org id=B66414.16969433142964
(code B ref 66414); Tue, 10 Oct 2023 13:09:02 +0000
Received: (at 66414) by debbugs.gnu.org; 10 Oct 2023 13:08:34 +0000
Received: from localhost ([127.0.0.1]:34288 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1qqCTS-0000li-5q
for submit <at> debbugs.gnu.org; Tue, 10 Oct 2023 09:08:34 -0400
Received: from mailscanner.iro.umontreal.ca ([132.204.25.50]:48740)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <monnier@HIDDEN>) id 1qqCTP-0000lT-Tr
for 66414 <at> debbugs.gnu.org; Tue, 10 Oct 2023 09:08:32 -0400
Received: from pmg2.iro.umontreal.ca (localhost.localdomain [127.0.0.1])
by pmg2.iro.umontreal.ca (Proxmox) with ESMTP id A005180508;
Tue, 10 Oct 2023 09:08:04 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iro.umontreal.ca;
s=mail; t=1696943279;
bh=W9MvV+U6fvobHo8biczuLnUJq6u4NYsOWG7DiGXmrCs=;
h=From:To:Cc:Subject:In-Reply-To:References:Date:From;
b=eUipxj6CWEwMAFvmWZqko6Qf+cRLLbn8HJuCHKrP+O4nP5Yqp07ebTuyCZIY3zDT9
QWDEfDBGydJX5IzU4RqamkK4qVpd/J2YoEYGmtju3mpEFr/8kjDbv+U9v1GPp7y5e+
mtIHyIi4KFIVCLSNpiiO5p4zs4KPD4mL8xa+RGRtAYEtufAa0hQ9hm0EJoXdE6ea8S
igedpSTa2huvn0PN08XeAdQe8kjIgGtbXgel8pkNxxjtpoB1Pj0Blz31NwOahAVERH
HhPGF7LNptcESc4JuK1SqcvEbzrh0Vzg5iyBcUMqbzogy8J8e6iqI7h5qMK8ZyWIvX
xoXMPgoV+nI2g==
Received: from mail01.iro.umontreal.ca (unknown [172.31.2.1])
by pmg2.iro.umontreal.ca (Proxmox) with ESMTP id 19476805ED;
Tue, 10 Oct 2023 09:07:59 -0400 (EDT)
Received: from pastel (unknown [216.154.28.175])
by mail01.iro.umontreal.ca (Postfix) with ESMTPSA id DE7061204A7;
Tue, 10 Oct 2023 09:07:58 -0400 (EDT)
From: Stefan Monnier <monnier@HIDDEN>
In-Reply-To: <CADwFkmmNCRMy0ZoAh0v96cF-Cn+o+iy2rmeKDCXQPXe77rSPSA@HIDDEN>
(Stefan Kangas's message of "Tue, 10 Oct 2023 11:28:58 +0000")
Message-ID: <jwvfs2iocd8.fsf-monnier+emacs@HIDDEN>
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
<jwv7cnvpiyh.fsf-monnier+emacs@HIDDEN>
<CADwFkmmNCRMy0ZoAh0v96cF-Cn+o+iy2rmeKDCXQPXe77rSPSA@HIDDEN>
Date: Tue, 10 Oct 2023 09:07:57 -0400
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-SPAM-INFO: Spam detection results: 0
ALL_TRUSTED -1 Passed through trusted hosts only via SMTP
AWL -0.115 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DKIM_SIGNED 0.1 Message has a DKIM or DK signature,
not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's
domain
DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from
domain
X-SPAM-LEVEL:
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)
> I'm starting to wonder if Philip's idea to use signed git commits might
> work better for our purposes.
Why choose?
Stefan
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.