[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: is melpa just unsigned?
From: |
Björn Bidar |
Subject: |
Re: is melpa just unsigned? |
Date: |
Mon, 29 May 2023 16:12:05 +0300 |
User-agent: |
Gnus/5.13 (Gnus v5.13) |
Daniel Fleischer <danflscr@gmail.com> writes:
> Samuel Wales [2023-05-22 Mon 19:53] wrote:
>
>> of course i am aware signing is only part of ensuring security,
>> and melpa does curating, and authors or computers could turn evil, but
>> where there is a chain that reliably goes back to an author from the
>> code you dled, it's a pretty good feeling.
>
> Not a security expert but signing helps with downloading files from
> questionable hosting (usually you download the signature from the same
> website, thus you solve nothing). You can skip the middleman melpa.org
> and install packages directly from their respective forges, e.g. github,
> gitlab, sourcehut using either something like quelpa or built-in
> package-vc-install.
Another alternative is borg + magit + epkg.
The workflow makes it quite easy to contribute and test changes in
packages.
- is melpa just unsigned?, Samuel Wales, 2023/05/18
- Re: is melpa just unsigned?, Michael Heerdegen, 2023/05/18
- Re: is melpa just unsigned?, Emanuel Berg, 2023/05/21
- Re: is melpa just unsigned?, Michael Heerdegen, 2023/05/21
- Re: is melpa just unsigned?, Samuel Wales, 2023/05/22
- Re: is melpa just unsigned?, Platon Pronko, 2023/05/22
- RE: [External] : Re: is melpa just unsigned?, Drew Adams, 2023/05/22
- Re: is melpa just unsigned?, Daniel Fleischer, 2023/05/23
- Re: is melpa just unsigned?, Samuel Wales, 2023/05/26
- Re: is melpa just unsigned?,
Björn Bidar <=