help-gnu-emacs

is melpa just unsigned?


From: Samuel Wales
Subject: is melpa just unsigned?
Date: Wed, 17 May 2023 21:21:52 -0700

i can't seem to find out whether melpa is just plain unsigned as part
of its design, or if the archive-contents file is just plain unsigned
and packages might or might not be, or if the archive-contents file is
supposed to be signed but is not.

as a debian user, i am used to all packages AND the package list being
signed [i think].  i do not know all the security implications of not
signing an archive list, but it sounds dodgy.  in any case, the error
should definitely not be there?

if the archive contents file is not signed, what does this mean in
practice?  what are the attack vectors?

am i going to have to inspect every line of code in all packages?
this isn't practical.

it seems gnu elpa is all signed and sealed and delivered.  so i feel
comfortable inasmuch as that helps.  why not melpa?

but gnu elpa does not have the packages that i need.  i am new to
packages.  i just upgraded to 27.1 and getting lots of bugs and
glitches.  i hope i can get some wisdom from this list on the above
questions.

in particular, why am i getting that error and does melpa sign its
package archive?  thanks.  please cc: me.

On 5/17/23, Samuel Wales <samologist@gmail.com> wrote:
> i tried everything suggested i could find on the web and i still get:
>
>   Unsigned file ‘archive-contents’ at https://melpa.org/packages/ [2 times]
>
> whenever i try to list-packages.  package-refresh-contents results in
>
>   Failed to download ‘melpa’ archive.
>
> i have tried renaming ~/.emacs.d/elpa, the melpa subdir, the gnupg
> subdir.  the gnupg subdir ends up with different contents each time i
> try it, it seems.  any help appreciated.
>
> On 5/16/23, Samuel Wales <samologist@gmail.com> wrote:
>> i am the king of writing help messages to this list that do not get
>> replied to.  i am trying to make them comprehensible and answerable
>> but there are often significant limitations.
>>
>> On 5/15/23, Samuel Wales <samologist@gmail.com> wrote:
>>>   ;; [2023-05-15 Mon]
>>>   ;; i am new to emacs packages, but not new to emacs
>>>   ;; i recently upgraded to emacs 27
>>>   ;; i followed these instructions from melpa:
>>>   (require 'package)
>>>   (add-to-list 'package-archives '("melpa" . "https://melpa.org/packages/") t)
>>>   (setq package-check-signature 'all)
>>>   (package-initialize)
>>>   ;; i installed gnu-elpa-keyring-update from elpa
>>>   ;; problems:
>>>   ;; 1.  startup takes 9s instead of 4s
>>>   ;; 2.  when i do m-x list-packages, i get error in echo area.  messages buffer says:
>>>   ;; Importing package-keyring.gpg...done
>>>   ;; Package refresh done
>>>   ;; error in process sentinel: Unsigned file ‘archive-contents’ at https://melpa.org/packages/ [2 times]
>>>   ;; package list shows up, but it does not seem wise to install anything.
>>>
>>>
>>> --
>>> The Kafka Pandemic
>>>
>>> A blog about science, health, human rights, and misopathy:
>>> https://thekafkapandemic.blogspot.com
>>>
>>
>>
>> --
>> The Kafka Pandemic
>>
>> A blog about science, health, human rights, and misopathy:
>> https://thekafkapandemic.blogspot.com
>>
>
>
> --
> The Kafka Pandemic
>
> A blog about science, health, human rights, and misopathy:
> https://thekafkapandemic.blogspot.com
>


-- 
The Kafka Pandemic

A blog about science, health, human rights, and misopathy:
https://thekafkapandemic.blogspot.com
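
An added example, not part of the original message: how package.el's two signature settings combine per archive, reported by a hypothetical helper `my/archive-signature-policy`. It assumes the "melpa" archive serves no signature for archive-contents, as the error quoted above reports; the archive list is constructed sample data.

```elisp
;;; Added example; the my/... functions are hypothetical helpers.
(require 'package)

;; Constructed sample configuration with the same two archives as the post.
(setq package-archives
      '(("gnu"   . "https://elpa.gnu.org/packages/")
        ("melpa" . "https://melpa.org/packages/")))

;; Demand a verified signature wherever one is expected ...
(setq package-check-signature 'all)
;; ... but tell package.el not to look for signatures from "melpa".
;; Assumption: that archive serves no archive-contents.sig.
(setq package-unsigned-archives '("melpa"))

(defun my/archive-signature-policy ()
  "Return (NAME TLS-P POLICY) for every entry in `package-archives'.
POLICY is `required', `if-present', `skipped' or `disabled'."
  (mapcar
   (lambda (archive)
     (let ((name (car archive))
           (url  (cdr archive)))
       (list name
             (string-prefix-p "https://" url)
             (cond
              ((null package-check-signature) 'disabled)
              ((member name package-unsigned-archives) 'skipped)
              ((eq package-check-signature 'allow-unsigned) 'if-present)
              (t 'required)))))
   package-archives))

(defun my/unprotected-archives ()
  "Return names of archives covered by neither a required signature nor TLS."
  (delq nil
        (mapcar (lambda (row)
                  (pcase-let ((`(,name ,tls ,policy) row))
                    (and (not tls) (not (eq policy 'required)) name)))
                (my/archive-signature-policy))))

(message "%S" (my/archive-signature-policy))
(message "unprotected: %S" (my/unprotected-archives))
```

For an archive reported as `skipped`, the HTTPS connection is the only integrity protection on what gets downloaded.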


