GNU bug report logs - #66414
GNU ELPA: Require signed tags to release new package versions

Please note: This is a static page, with minimal formatting, updated once a day.

Package: emacs; Severity: wishlist; Reported by: Stefan Kangas <stefankangas@HIDDEN>; dated Mon, 9 Oct 2023 07:17:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 66414 <at> debbugs.gnu.org:


Received: (at 66414) by debbugs.gnu.org; 10 Oct 2023 13:08:34 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 10 09:08:34 2023
Received: from localhost ([127.0.0.1]:34288 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qqCTS-0000li-5q
	for submit <at> debbugs.gnu.org; Tue, 10 Oct 2023 09:08:34 -0400
Received: from mailscanner.iro.umontreal.ca ([132.204.25.50]:48740)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <monnier@HIDDEN>) id 1qqCTP-0000lT-Tr
 for 66414 <at> debbugs.gnu.org; Tue, 10 Oct 2023 09:08:32 -0400
Received: from pmg2.iro.umontreal.ca (localhost.localdomain [127.0.0.1])
 by pmg2.iro.umontreal.ca (Proxmox) with ESMTP id A005180508;
 Tue, 10 Oct 2023 09:08:04 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iro.umontreal.ca;
 s=mail; t=1696943279;
 bh=W9MvV+U6fvobHo8biczuLnUJq6u4NYsOWG7DiGXmrCs=;
 h=From:To:Cc:Subject:In-Reply-To:References:Date:From;
 b=eUipxj6CWEwMAFvmWZqko6Qf+cRLLbn8HJuCHKrP+O4nP5Yqp07ebTuyCZIY3zDT9
 QWDEfDBGydJX5IzU4RqamkK4qVpd/J2YoEYGmtju3mpEFr/8kjDbv+U9v1GPp7y5e+
 mtIHyIi4KFIVCLSNpiiO5p4zs4KPD4mL8xa+RGRtAYEtufAa0hQ9hm0EJoXdE6ea8S
 igedpSTa2huvn0PN08XeAdQe8kjIgGtbXgel8pkNxxjtpoB1Pj0Blz31NwOahAVERH
 HhPGF7LNptcESc4JuK1SqcvEbzrh0Vzg5iyBcUMqbzogy8J8e6iqI7h5qMK8ZyWIvX
 xoXMPgoV+nI2g==
Received: from mail01.iro.umontreal.ca (unknown [172.31.2.1])
 by pmg2.iro.umontreal.ca (Proxmox) with ESMTP id 19476805ED;
 Tue, 10 Oct 2023 09:07:59 -0400 (EDT)
Received: from pastel (unknown [216.154.28.175])
 by mail01.iro.umontreal.ca (Postfix) with ESMTPSA id DE7061204A7;
 Tue, 10 Oct 2023 09:07:58 -0400 (EDT)
From: Stefan Monnier <monnier@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Subject: Re: bug#66414: GNU ELPA: Require signed tags to release new package
 versions
In-Reply-To: <CADwFkmmNCRMy0ZoAh0v96cF-Cn+o+iy2rmeKDCXQPXe77rSPSA@HIDDEN>
 (Stefan Kangas's message of "Tue, 10 Oct 2023 11:28:58 +0000")
Message-ID: <jwvfs2iocd8.fsf-monnier+emacs@HIDDEN>
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
 <jwv7cnvpiyh.fsf-monnier+emacs@HIDDEN>
 <CADwFkmmNCRMy0ZoAh0v96cF-Cn+o+iy2rmeKDCXQPXe77rSPSA@HIDDEN>
Date: Tue, 10 Oct 2023 09:07:57 -0400
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-SPAM-INFO: Spam detection results:  0
 ALL_TRUSTED                -1 Passed through trusted hosts only via SMTP
 AWL -0.115 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DKIM_SIGNED               0.1 Message has a DKIM or DK signature,
 not necessarily valid
 DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
 DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's
 domain
 DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from
 domain
X-SPAM-LEVEL: 
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 66414
Cc: 66414 <at> debbugs.gnu.org, philipk@HIDDEN, yantar92@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> I'm starting to wonder if Philip's idea to use signed git commits might
> work better for our purposes.

Why choose?


        Stefan





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66414; Package emacs. Full text available.

Message received at 66414 <at> debbugs.gnu.org:


From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <jwv7cnvpiyh.fsf-monnier+emacs@HIDDEN>
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
 <jwv7cnvpiyh.fsf-monnier+emacs@HIDDEN>
MIME-Version: 1.0
Date: Tue, 10 Oct 2023 11:28:58 +0000
Message-ID: <CADwFkmmNCRMy0ZoAh0v96cF-Cn+o+iy2rmeKDCXQPXe77rSPSA@HIDDEN>
Subject: Re: bug#66414: GNU ELPA: Require signed tags to release new package
 versions
To: Stefan Monnier <monnier@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
Cc: 66414 <at> debbugs.gnu.org, philipk@HIDDEN, yantar92@HIDDEN

Stefan Monnier <monnier@HIDDEN> writes:

> The (Non)GNU ELPA tarballs are built from `elpa.git` and `nongnu.git`,
> not from the upstream repositories, and currently those do not
> contain upstream tags.
>
> And since those repos contain many packages, the upstream tags need to
> be renamed or moved to a different namespace to avoid conflicts between
> tag names in different packages.

I'm starting to wonder if Philip's idea to use signed git commits might
work better for our purposes.

Would signed tags give us something that signed commits wouldn't?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66414; Package emacs. Full text available.

Message received at 66414 <at> debbugs.gnu.org:


From: Stefan Monnier <monnier@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Subject: Re: bug#66414: GNU ELPA: Require signed tags to release new package
 versions
In-Reply-To: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
 (Stefan Kangas's message of "Mon, 9 Oct 2023 07:15:47 +0000")
Message-ID: <jwv7cnvpiyh.fsf-monnier+emacs@HIDDEN>
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
Date: Mon, 09 Oct 2023 17:52:34 -0400
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
Cc: 66414 <at> debbugs.gnu.org, philipk@HIDDEN, yantar92@HIDDEN

> I propose optionally releasing a new version of packages on
> NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
> it mandatory, at the very least not initially, because it would break
> too many existing workflows.

No objection on my side.  The first step would presumably be to change
the synchronization scripts (the ones run by `elpasync` on
`elpa.gnu.org`) so as to propagate upstream tags to `elpa.git`.

The (Non)GNU ELPA tarballs are built from `elpa.git` and `nongnu.git`,
not from the upstream repositories, and currently those do not
contain upstream tags.

And since those repos contain many packages, the upstream tags need to
be renamed or moved to a different namespace to avoid conflicts between
tag names in different packages.

After that, we need to add the feature to be able to build releases from
tags rather than from "the commit where `Version:` was changed".

And after that, we can add a feature that checks that the tags are
signed (and that the signature is valid and made by the appropriate
persons/keys).


        Stefan





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66414; Package emacs. Full text available.

Message received at 66414 <at> debbugs.gnu.org:


From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <87r0m4kudf.fsf@HIDDEN>
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
 <871qe4maom.fsf@HIDDEN>
 <CADwFkmme54GxDz+qR-cZZH0EemB7r1y1A1a5J2qXo4qF1rTDZg@HIDDEN>
 <87r0m4kudf.fsf@HIDDEN>
MIME-Version: 1.0
Date: Mon, 9 Oct 2023 09:44:25 +0000
Message-ID: <CADwFkmnNrZEJf3HLftLqWCEL4RgBtXFXzDx6mfOsX0kxT39m0A@HIDDEN>
Subject: Re: bug#66414: GNU ELPA: Require signed tags to release new package
 versions
To: Philip Kaludercic <philipk@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
Cc: 66414 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN

Philip Kaludercic <philipk@HIDDEN> writes:

> No, my bad.  I didn't know that git tags could be signed, so I misread
> the sentence.
>
> One issue might be that elpa-admin.el doesn't really do anything with
> git tags, though I guess it should be possible to verify a remote git
> tag?  An alternative might be to check for signed git commits, at the
> very least for the commits that bump the version tag.  That way all the
> could be kept in elpa.git.

Yes, I think a signed commit might work fine for this purpose too.  It
would be a more minimal change, if nothing else.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66414; Package emacs. Full text available.

Message received at 66414 <at> debbugs.gnu.org:


From: Philip Kaludercic <philipk@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Subject: Re: bug#66414: GNU ELPA: Require signed tags to release new package
 versions
In-Reply-To: <CADwFkmme54GxDz+qR-cZZH0EemB7r1y1A1a5J2qXo4qF1rTDZg@HIDDEN>
 (Stefan Kangas's message of "Mon, 9 Oct 2023 09:30:20 +0000")
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
 <871qe4maom.fsf@HIDDEN>
 <CADwFkmme54GxDz+qR-cZZH0EemB7r1y1A1a5J2qXo4qF1rTDZg@HIDDEN>
Autocrypt: addr=philipk@HIDDEN; keydata=
 mDMEZBBQQhYJKwYBBAHaRw8BAQdAHJuofBrfqFh12uQu0Yi7mrl525F28eTmwUDflFNmdui0QlBo
 aWxpcCBLYWx1ZGVyY2ljIChnZW5lcmF0ZWQgYnkgYXV0b2NyeXB0LmVsKSA8cGhpbGlwa0Bwb3N0
 ZW8ubmV0PoiWBBMWCAA+FiEEDg7HY17ghYlni8XN8xYDWXahwukFAmQQUEICGwMFCQHhM4AFCwkI
 BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ8xYDWXahwulikAEA77hloUiSrXgFkUVJhlKBpLCHUjA0
 mWZ9j9w5d08+jVwBAK6c4iGP7j+/PhbkxaEKa4V3MzIl7zJkcNNjHCXmvFcEuDgEZBBQQhIKKwYB
 BAGXVQEFAQEHQI5NLiLRjZy3OfSt1dhCmFyn+fN/QKELUYQetiaoe+MMAwEIB4h+BBgWCAAmFiEE
 Dg7HY17ghYlni8XN8xYDWXahwukFAmQQUEICGwwFCQHhM4AACgkQ8xYDWXahwukm+wEA8cml4JpK
 NeAu65rg+auKrPOP6TP/4YWRCTIvuYDm0joBALw98AMz7/qMHvSCeU/hw9PL6u6R2EScxtpKnWof
 z4oM
Date: Mon, 09 Oct 2023 09:39:08 +0000
Message-ID: <87r0m4kudf.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
Cc: 66414 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN

Stefan Kangas <stefankangas@HIDDEN> writes:

> Philip Kaludercic <philipk@HIDDEN> writes:
>
>> Stefan Kangas <stefankangas@HIDDEN> writes:
>>
>>> Severity: wishlist
>>>
>>> I propose optionally releasing a new version of packages on
>>> NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
>>> it mandatory, at the very least not initially, because it would break
>>> too many existing workflows.
>>
>> I am not sure what the context here is, so sorry for the potentially
>> stupid question, but what PGP signatures are we talking about?  Are you
>> suggesting that the commit should be signed?
>
> Yes, see the very next sentence:
>
>>> The standard feature to do that in git would be a signed git tag.
>
> Sorry for not being more clear.

No, my bad.  I didn't know that git tags could be signed, so I misread
the sentence.

One issue might be that elpa-admin.el doesn't really do anything with
git tags, though I guess it should be possible to verify a remote git
tag?  An alternative might be to check for signed git commits, at the
very least for the commits that bump the version tag.  That way all the
could be kept in elpa.git.
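Stefan Monnier's step list earlier on this page (import upstream tags into a per-package namespace in `elpa.git`, build from tags, then check that the tag is signed by an appropriate key) and Philip's alternative of checking the commit that bumps the version both end in the same operation: run `git verify-tag --raw` or `git verify-commit --raw` and interpret the GnuPG status lines git relays. The Python below is an added example written for this page; it is not code from elpa-admin.el or the ELPA sync scripts. The package name `example-pkg`, the allowlist and its fingerprints, and the sample status lines are all constructed for illustration.

```python
"""Added example: check that a git tag (or commit) carries a valid OpenPGP
signature from an allowed maintainer key, by interpreting GnuPG's status lines.
`git verify-tag --raw TAG` and `git verify-commit --raw REV` relay those lines
(the --status-fd format) on stderr; decide on them, not on the prose output."""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Hypothetical per-package allowlist of *full* 40-hex-digit key fingerprints.
# Package name and fingerprints are constructed for this example.
ALLOWED_SIGNERS: dict[str, set[str]] = {
    "example-pkg": {"0123456789ABCDEF0123456789ABCDEF01234567"},
}
# Status keywords that mean "do not trust this signature", whatever else gpg says.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class SigResult:
    ok: bool
    reason: str
    fingerprint: str = ""  # fingerprint of the (sub)key that made the signature
    primary_fpr: str = ""  # fingerprint of that key's primary key


def namespaced_tag(pkg: str, upstream_tag: str) -> str:
    """Move an upstream tag into a per-package namespace so that, say, v1.0 from
    two different packages cannot collide once imported into the shared elpa.git."""
    if not pkg or "/" in pkg or ".." in pkg:
        raise ValueError(f"bad package name: {pkg!r}")
    return f"{pkg}/{upstream_tag}"


def tag_fetch_refspec(pkg: str) -> str:
    """Refspec for `git fetch UPSTREAM <refspec>`: every upstream tag lands under
    refs/tags/<pkg>/ instead of the repository-wide tag namespace."""
    return f"+refs/tags/*:refs/tags/{namespaced_tag(pkg, '*')}"


def parse_gpg_status(status: str, allowed_fprs: set[str]) -> SigResult:
    """Decide on one signature from gpg status lines.

    GOODSIG only says the signature verified against *some* key in the keyring,
    named by short key ID. VALIDSIG carries the full fingerprint (and the primary
    key's fingerprint when a signing subkey was used), which is what the allowlist
    is compared against. Any failure keyword rejects the signature outright."""
    result = SigResult(ok=False, reason="no signature found")
    good = False
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FAILURE_KEYWORDS:
            return SigResult(ok=False, reason=f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
            #          <hash-algo> <sig-class> [<primary-key-fpr>]
            result.fingerprint = fields[2]
            result.primary_fpr = fields[11] if len(fields) > 11 else fields[2]
    if not good or not result.fingerprint:
        return result
    if result.primary_fpr not in allowed_fprs and result.fingerprint not in allowed_fprs:
        result.reason = f"signing key {result.fingerprint} is not an allowed signer"
        return result
    result.ok = True
    result.reason = "good signature from an allowed key"
    return result


def verify_git_object(repo: str, ref: str, pkg: str, kind: str = "tag") -> SigResult:
    """Run git's own verification and interpret the relayed gpg status lines.
    kind="tag" checks a signed tag, kind="commit" a signed commit, so the same
    check covers both variants discussed in the thread."""
    subcmd = {"tag": "verify-tag", "commit": "verify-commit"}[kind]
    proc = subprocess.run(["git", "-C", repo, subcmd, "--raw", ref],
                          capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stderr, ALLOWED_SIGNERS.get(pkg, set()))


# Constructed sample status output (not captured from a real gpg run): a
# signature by subkey 89AB... whose primary key 0123... is on the allowlist.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2023-10-09 1696800000 0 4 0 22 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same signature, but gpg reports the key as expired at verification time.
SAMPLE_EXPIRED = SAMPLE_GOOD.replace("GOODSIG", "EXPKEYSIG")

if __name__ == "__main__":
    print(tag_fetch_refspec("example-pkg"))
    for name, sample in (("good", SAMPLE_GOOD), ("expired", SAMPLE_EXPIRED), ("unsigned", "")):
        r = parse_gpg_status(sample, ALLOWED_SIGNERS["example-pkg"])
        print(f"{name}: ok={r.ok} ({r.reason})")
```

Two design points. First, the trust decision is the fingerprint allowlist, not gpg's web of trust: the `TRUST_UNDEFINED` line in the sample is deliberately ignored, because on a build host the keyring's ownertrust says nothing about who may release a given package. Second, matching on the primary key's fingerprint lets maintainers sign with a rotating signing subkey without touching the allowlist, while expired or revoked keys are still rejected because gpg reports them with `EXPKEYSIG`/`REVKEYSIG` rather than `GOODSIG`.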




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66414; Package emacs. Full text available.

Message received at 66414 <at> debbugs.gnu.org:


From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <871qe4maom.fsf@HIDDEN>
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
 <871qe4maom.fsf@HIDDEN>
MIME-Version: 1.0
Date: Mon, 9 Oct 2023 09:30:20 +0000
Message-ID: <CADwFkmme54GxDz+qR-cZZH0EemB7r1y1A1a5J2qXo4qF1rTDZg@HIDDEN>
Subject: Re: bug#66414: GNU ELPA: Require signed tags to release new package
 versions
To: Philip Kaludercic <philipk@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
Cc: 66414 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN

Philip Kaludercic <philipk@HIDDEN> writes:

> Stefan Kangas <stefankangas@HIDDEN> writes:
>
>> Severity: wishlist
>>
>> I propose optionally releasing a new version of packages on
>> NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
>> it mandatory, at the very least not initially, because it would break
>> too many existing workflows.
>
> I am not sure what the context here is, so sorry for the potentially
> stupid question, but what PGP signatures are we talking about?  Are you
> suggesting that the commit should be signed?

Yes, see the very next sentence:

>> The standard feature to do that in git would be a signed git tag.

Sorry for not being more clear.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66414; Package emacs. Full text available.

Message received at 66414 <at> debbugs.gnu.org:


From: Philip Kaludercic <philipk@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Subject: Re: bug#66414: GNU ELPA: Require signed tags to release new package
 versions
In-Reply-To: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
 (Stefan Kangas's message of "Mon, 9 Oct 2023 07:15:47 +0000")
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
Date: Mon, 09 Oct 2023 09:01:29 +0000
Message-ID: <871qe4maom.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
Cc: 66414 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN

Stefan Kangas <stefankangas@HIDDEN> writes:

> Severity: wishlist
>
> I propose optionally releasing a new version of packages on
> NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
> it mandatory, at the very least not initially, because it would break
> too many existing workflows.

I am not sure what the context here is, so sorry for the potentially
stupid question, but what PGP signatures are we talking about?  Are you
suggesting that the commit should be signed?

> The standard feature to do that in git would be a signed git tag.
> However, (Non-)GNU ELPA currently rebuilds package tarballs every time
> the "Version" comment header is updated, while git tags are ignored.
>
> Forwarded from
>
>     https://lists.gnu.org/r/emacs-devel/2023-02/msg00120.html




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66414; Package emacs. Full text available.

Message received at 66414 <at> debbugs.gnu.org:


From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <m1mswsi4ba.fsf@HIDDEN>
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
 <m1mswsi4ba.fsf@HIDDEN>
MIME-Version: 1.0
Date: Mon, 9 Oct 2023 08:37:33 +0000
Message-ID: <CADwFkmmyTVmyErUadcooHJq4G5Siv_H6_by5VBqH7SEzRqmWnA@HIDDEN>
Subject: Re: bug#66414: GNU ELPA: Require signed tags to release new package
 versions
To: Eshel Yaron <me@HIDDEN>
Cc: 66414 <at> debbugs.gnu.org, philipk@HIDDEN, yantar92@HIDDEN,
 monnier@HIDDEN

Eshel Yaron <me@HIDDEN> writes:

> Do I understand correctly that under this proposal package
> authors/maintainers would need to opt-in to such signature validation?

Yes.

> Another option that might be worth considering is to continue releasing
> packages, with or without a valid signature, and instead to indicate the
> absence or invalidity of a signature in the packages list and in other
> package.el commands.

Yes, something like that is what I had in mind.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66414; Package emacs. Full text available.

Message received at 66414 <at> debbugs.gnu.org:


From: Eshel Yaron <me@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Subject: Re: bug#66414: GNU ELPA: Require signed tags to release new package
 versions
In-Reply-To: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
 (Stefan Kangas's message of "Mon, 9 Oct 2023 07:15:47 +0000")
References: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
Date: Mon, 09 Oct 2023 10:32:41 +0200
Message-ID: <m1mswsi4ba.fsf@HIDDEN>
Cc: 66414 <at> debbugs.gnu.org, philipk@HIDDEN, yantar92@HIDDEN,
 monnier@HIDDEN

Hi,

Stefan Kangas <stefankangas@HIDDEN> writes:

> Severity: wishlist
>
> I propose optionally releasing a new version of packages on
> NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
> it mandatory, at the very least not initially, because it would break
> too many existing workflows.
>

Do I understand correctly that under this proposal package
authors/maintainers would need to opt-in to such signature validation?

Another option that might be worth considering is to continue releasing
packages, with or without a valid signature, and instead to indicate the
absence or invalidity of a signature in the packages list and in other
package.el commands.  This has the benefit of requiring nothing from
package maintainers while creating a clear incentive to add those
signatures, and it would also give users the chance to employ their
personal judgment on a case-by-case basis.  OTOH, there are many cases to
consider, such as what happens when a user wants to upgrade a signed
package but the newer version is unsigned.

> The standard feature to do that in git would be a signed git tag.
> However, (Non-)GNU ELPA currently rebuilds package tarballs every time
> the "Version" comment header is updated, while git tags are ignored.
>
> Forwarded from
>
>     https://lists.gnu.org/r/emacs-devel/2023-02/msg00120.html




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66414; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Stefan Kangas <stefankangas@HIDDEN>
X-Debbugs-CC: monnier@HIDDEN, philipk@HIDDEN, yantar92@HIDDEN
Date: Mon, 9 Oct 2023 07:15:47 +0000
Message-ID: <CADwFkm=pdagsFnyy1wWwXS+R5AOn6yyuN+y2+oCY9GCzhEUcXQ@HIDDEN>
Subject: GNU ELPA: Require signed tags to release new package versions
To: bug-gnu-emacs@HIDDEN

Severity: wishlist

I propose optionally releasing a new version of packages on
NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
it mandatory, at the very least not initially, because it would break
too many existing workflows.

The standard feature to do that in git would be a signed git tag.
However, (Non-)GNU ELPA currently rebuilds package tarballs every time
the "Version" comment header is updated, while git tags are ignored.

Forwarded from

    https://lists.gnu.org/r/emacs-devel/2023-02/msg00120.html
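The gate proposed above, as an added example written for this page; it is not code from GNU ELPA's own build scripts and the thread does not describe any implementation. It verifies the release the way the report suggests: read the ";; Version:" header that ELPA already keys its rebuilds on, look for an annotated tag naming that version, ask git to verify the tag's OpenPGP signature, and accept it only if the signature is good, the key is neither expired nor revoked, and the signing key's fingerprint is on a per-package allow-list. The tag naming convention ("v<Version>" or "<Version>") and the allow-list format (one fingerprint per line) are assumptions of the example, not conventions the thread states. The policy decision is kept in a function that takes gpg's status lines as text, so it can be exercised with constructed status output and without a keyring.

```shell
#!/bin/sh
# Added example, not part of GNU ELPA's build machinery.  Assumed (not from
# the bug thread): release tags are named "v<Version>" or "<Version>", and
# the allow-list is newline-separated OpenPGP key fingerprints.

# Print the Version (or Package-Version) header of the package's main
# file, read from stdin.  Prints nothing when the header is absent.
elpa_version_header() {
  sed -n 's/^;;[[:space:]]*\(Package-\)*Version:[[:space:]]*\([^[:space:]]*\).*$/\2/p' | head -n 1
}

# Print the annotated tag naming version $2 in repository $1, preferring
# "v1.2" over "1.2".  "^{tag}" rejects lightweight tags, which can never
# carry a signature.  Fails when no such tag exists, which is the case
# ELPA handles today by building the tarball anyway.
release_tag_for_version() {
  repo=$1; ver=$2
  for cand in "v$ver" "$ver"; do
    if git -C "$repo" rev-parse -q --verify "refs/tags/$cand^{tag}" >/dev/null 2>&1; then
      printf '%s\n' "$cand"
      return 0
    fi
  done
  return 1
}

# Policy decision over gpg's machine-readable status lines (what
# "git verify-tag --raw" emits on stderr).  The signature must verify
# (GOODSIG), must not come from an expired or revoked key, and the
# fingerprint reported by VALIDSIG must be allow-listed.
# $1: status text, $2: allow-list text.  Prints the fingerprint on success.
signature_accepted() {
  status=$1; allowed=$2
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
    return 1
  fi
  fpr=$(printf '%s\n' "$status" | sed -n 's/^\[GNUPG:\] VALIDSIG \([0-9A-Fa-f]*\) .*/\1/p' | head -n 1)
  [ -n "$fpr" ] || return 1
  printf '%s\n' "$allowed" | grep -qix "$fpr" || return 1
  printf '%s\n' "$fpr"
}

# End-to-end check against a real checkout: $1 repo, $2 main .el file
# (relative to the repo), $3 allow-list text.  Exit 0 means "OK to build".
verify_release_tag() {
  repo=$1; mainfile=$2; allowed=$3
  ver=$(elpa_version_header < "$repo/$mainfile")
  [ -n "$ver" ] || { echo "no Version header in $mainfile" >&2; return 1; }
  tag=$(release_tag_for_version "$repo" "$ver") ||
    { echo "no annotated tag for version $ver" >&2; return 1; }
  # --raw sends gpg's status lines to stderr; keep those, drop stdout.
  status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1 >/dev/null) || true
  if fpr=$(signature_accepted "$status" "$allowed"); then
    echo "release $ver: tag $tag signed by $fpr, OK to build"
  else
    echo "release $ver: tag $tag not acceptably signed, refusing to build" >&2
    return 1
  fi
}
```

Typical use is `verify_release_tag /srv/elpa/pkg pkg.el "$(cat pkg.allowed-keys)"` from the build job. Two points matter in practice: the allow-list has to be pinned per package, since "any key that verifies" would let whoever can push a tag also mint a key for it; and `git verify-tag` consults the keyring of the build host, so the maintainers' public keys must be imported there rather than fetched at build time. The example only handles OpenPGP signatures; git's SSH-signature support produces different status output and is not covered.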




Acknowledgement sent to Stefan Kangas <stefankangas@HIDDEN>:
New bug report received and forwarded. Copy sent to monnier@HIDDEN, philipk@HIDDEN, yantar92@HIDDEN, bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to monnier@HIDDEN, philipk@HIDDEN, yantar92@HIDDEN, bug-gnu-emacs@HIDDEN:
bug#66414; Package emacs. Full text available.
Last modified: Tue, 10 Oct 2023 13:15:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.