help-gnu-emacs

Re: is melpa just unsigned?


From: Björn Bidar
Subject: Re: is melpa just unsigned?
Date: Mon, 29 May 2023 16:12:05 +0300
User-agent: Gnus/5.13 (Gnus v5.13)

Daniel Fleischer <danflscr@gmail.com> writes:

> Samuel Wales [2023-05-22 Mon 19:53] wrote:
>
>> of course i am aware signing is only part of ensuring security,
>> and melpa does curating, and authors or computers could turn evil, but
>> where there is a chain that reliably goes back to an author from the
>> code you dled, it's a pretty good feeling.
>
> Not a security expert but signing helps with downloading files from
> questionable hosting (usually you download the signature from the same
> website, thus you solve nothing). You can skip the middleman melpa.org
> and install packages directly from their respective forges, e.g. github,
> gitlab, sourcehut using either something like quelpa or built-in
> package-vc-install.

Another alternative is borg + magit + epkg.

The workflow makes it quite easy to contribute and test changes in
packages.


