help-gnu-emacs

Re: is melpa just unsigned?


From: Samuel Wales
Subject: Re: is melpa just unsigned?
Date: Mon, 22 May 2023 19:53:10 -0700

just brainstorming but if by chance melpa is not signed, i wonder if
there are package managers that kind of kludge security a bit.  not
perfection, but try to dtrt.  enhancing melpa or bypassing it.

for example, idk the current status of git's sha-1 [?] crypto
brokenness, but packages that use git could perhaps have their shas
compared via multiple routes, or so.  maybe only google-level actors
could currently break sha-1 for all i know.

at least you could check that the sha you have is the same lots of
other users have?

are guix or nix debian-like in their signing infrastructure?  i am
just thinking out loud here for possible solutions for more security.
comparing multiple routes, using git's history, or a clever trick i
am not thinking of now.  does el-get do?

of course i am aware signing is only part of ensuring security,
and melpa does curating, and authors or computers could turn evil, but
where there is a chain that reliably goes back to an author from the
code you dled, it's a pretty good feeling.


On 5/21/23, Michael Heerdegen <michael_heerdegen@web.de> wrote:
> Emanuel Berg <incal@dataswamp.org> writes:
>
>> > If you get no answers here... since Melpa is not part of
>> > Emacs, maybe you have more luck if you ask the Melpa people?
>>
>> You mean they don't read here? :(
>
> I don't know.  Some days ago I opened a GitHub issue with a request
> for an answer and improvement of the documentation of Melpa so that
> users can read about this.  So far nobody responded.  Maybe they are all
> on vacation or nobody wants to say something wrong, I don't know.
>
> Michael.


-- 
The Kafka Pandemic

A blog about science, health, human rights, and misopathy:
https://thekafkapandemic.blogspot.com
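The cross-route idea floated in the message above (fetch the commit id of a package's source through several independent routes and see whether they agree) as an added example; this is not code from the thread, from MELPA or from any of the package managers mentioned. The route labels, commit ids and the quorum size are all constructed for illustration.

```python
"""Cross-route consensus check for a package's git commit id.

Added illustration of the message's idea: where a package archive does
not sign what it ships, the commit id of the package's source can still
be obtained through several independent routes (the archive's recipe,
a git mirror, an id another user reports) and compared.  A mismatch is
the signal worth acting on; agreement only shows the routes concur, it
does not make the underlying hash algorithm stronger.
All route labels and ids below are constructed sample data.
"""
import re
from collections import Counter

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def classify(commit_id):
    """Return 'sha1', 'sha256', or None for a malformed commit id."""
    cid = commit_id.strip().lower()
    if SHA1_RE.match(cid):
        return "sha1"
    if SHA256_RE.match(cid):
        return "sha256"
    return None


def cross_check(local_commit, routes, quorum=2):
    """Compare the locally checked-out commit against ids seen via other routes.

    routes: dict mapping a route label to the commit id it reported.
    Returns a dict with the consensus id, the agreeing, dissenting and
    malformed routes, and an overall verdict.  The verdict is True only
    when at least `quorum` well-formed routes agree, the local checkout
    matches them, and no well-formed route dissents.
    """
    local = local_commit.strip().lower()
    well_formed = {}
    malformed = []
    for label, cid in routes.items():
        norm = cid.strip().lower()
        if classify(norm) is None:
            malformed.append(label)      # unusable report, not a vote
        else:
            well_formed[label] = norm
    tally = Counter(well_formed.values())
    consensus, votes = tally.most_common(1)[0] if tally else (None, 0)
    agree = sorted(l for l, c in well_formed.items() if c == consensus)
    dissent = sorted(l for l, c in well_formed.items() if c != consensus)
    ok = (consensus is not None and votes >= quorum
          and local == consensus and not dissent)
    return {
        "algorithm": classify(local),      # tells the reader which hash is in play
        "consensus": consensus,
        "votes": votes,
        "agreeing_routes": agree,
        "dissenting_routes": dissent,
        "malformed_routes": sorted(malformed),
        "matches_local": local == consensus,
        "ok": ok,
    }


# Constructed sample: three routes agree with the local checkout, one
# stale mirror reports a different commit, one pasted id is malformed.
LOCAL = "0123456789abcdef0123456789abcdef01234567"
OTHER = "fedcba9876543210fedcba9876543210fedcba98"
ROUTES = {
    "melpa-recipe": LOCAL,
    "github-clone": LOCAL,
    "friend-report": LOCAL,
    "stale-mirror": OTHER,
    "pasted-typo": "0123abc",
}

if __name__ == "__main__":
    for key, value in cross_check(LOCAL, ROUTES).items():
        print(f"{key}: {value}")
```

Run as a script it reports the sample: consensus reached with three votes, the local checkout matches, yet the verdict is False because the stale mirror dissents; a single dissenting route is exactly the case a user would want to investigate rather than average away. Dropping the quorum below two turns the check into "trust whatever one route says", which is the situation the message is trying to improve on.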


