[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Urgent matter with GNU ELPA keys
|
From: |
Phillip Lord |
|
Subject: |
Re: Urgent matter with GNU ELPA keys |
|
Date: |
Mon, 11 Feb 2019 22:19:29 +0000 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.1.91 (gnu/linux) |
Stefan Monnier <address@hidden> writes:
> I just saw that the GNU ELPA signing key that we distribute with Emacs
> (stored in etc/package-keyring.gpg) will expire in September.
>
> It's easy to change elpa.gnu.org to sign with a new key, but the hard
> part that we need to take care of ASAP is to figure out how we're going
> to let users of already-distributed Emacsen access GNU ELPA when that
> new key is used.
>
> My GPG-fu is rather weak, so I need help,
Write a package called "package-keys.el" which includes the new
key. Sign it with the existing key distributed with Emacs.
Of course, this will have what you might call a reverse bootstrap
problem -- users will need to install package-keys.el before they key
runs out, but they won't know that they need to do this till the key
runs out. After this, Emacs will refuse to install the package that it
needs to allow the installation. Only solution I can see here would be
to put some code that people can eval in *scratch* that bypasses the key
signing thing.
Long term solution would be an auto-updating and installing version of
package-keys.el and maybe package.el. This would have practical problems
(because ELPA doesn't support multiple versions of packages). I expect
Richard would object also.
Phil