OK, you've expressed this point many times now but no one has actually
done anything to make updating package-get-base any easier. If it's
difficult for us, how will it seem for users? Personally I'm not that
worried about someone intercepting my ftp to xemacs.org, I'd just like
to have it not be a pain in the ass every time I want to upgrade my
packages. Currently we're very close with Darryl's excellent
pui-list-packages, we just need a way to get package-get-base.
Email/news works here on xemacs-beta (if the entire thing gets sent
and I can just hit C-x C-e, or there are commands to easily snarf new
entries) but we can't require our users to read comp.emacs.xemacs.
It needs to be automatic.
>>>> "Pete" == Pete Ware
Pete> greg(a)alphatech.com (Greg Klanderman) writes:
> All this package-get-base.el stuff is such a pain. Now
> incremental updates to deal with... blech. I wish we could just
> reliably and automagically snarf the current one off ftp.xemacs.org
> Suggestions anyone?
Pete> When I originally wrote the code, one thing I was concerned about was
Pete> XEmacs being easily exploited for trojan horse attacks. In
Pete> particular, a talented hacker could intercept ftp requests to
Pete> and substitute their own versions of packages -- hence
Pete> the md5 checksum for each package. But then the problem becomes
Pete> grabbing package-get-base.el -- if that gets intercepted then there is
Pete> a problem. Bogus md5sums can be substituted, host names
Pete> changed, package locations, etc.
Pete> I pictured two distribution methods for package-get-base.el. It
Pete> either gets sent with the entire distribution (which are signed). If
Pete> that is corrupted, well you have bigger problems anyway. The second
Pete> was a periodic posting to a newsgroup/mailing list. Presumably, such
Pete> an article would be PGP signed and could be verified as being from the
Pete> Automatic access to package-get-base.el is dangerous.
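
Added example, not part of the original thread and not XEmacs code: the trust chain Pete describes, in Python, showing that a per-package md5 check passes when the index is swapped along with the package, and that authenticating the index first rejects it. The "name md5hex" index format, the function names and the pinned SHA-256 (standing in for verifying a signed distribution or PGP-signed posting) are assumptions made for illustration.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    # MD5 only because the thread describes per-package md5 checksums.
    return hashlib.md5(data).hexdigest()


def parse_index(index_bytes: bytes) -> dict:
    # Constructed "name md5hex" line format, NOT the real package-get-base.el syntax.
    return dict(line.split() for line in index_bytes.decode("ascii").splitlines() if line.strip())


def package_ok(index_bytes: bytes, name: str, package_bytes: bytes) -> bool:
    # The per-package check: only as trustworthy as the index it reads from.
    expected = parse_index(index_bytes).get(name)
    return expected is not None and hmac.compare_digest(expected, md5_hex(package_bytes))


def index_ok(index_bytes: bytes, pinned_sha256: str) -> bool:
    # Assumption: a SHA-256 of the index obtained through an authenticated channel
    # (signed distribution or verified signed posting) stands in for the signature check.
    return hmac.compare_digest(hashlib.sha256(index_bytes).hexdigest(), pinned_sha256)


def install_decision(index_bytes, pinned_sha256, name, package_bytes) -> str:
    # Fail closed: authenticate the index before believing any checksum inside it.
    if not index_ok(index_bytes, pinned_sha256):
        return "reject: index not authenticated"
    if not package_ok(index_bytes, name, package_bytes):
        return "reject: package checksum mismatch"
    return "accept"


# Constructed sample data.
GOOD_PKG = b"(provide 'example-pkg)\n"
GOOD_INDEX = ("example-pkg " + md5_hex(GOOD_PKG) + "\n").encode("ascii")
PINNED = hashlib.sha256(GOOD_INDEX).hexdigest()
ALTERED_PKG = b"(provide 'example-pkg) ; altered in transit\n"
ALTERED_INDEX = ("example-pkg " + md5_hex(ALTERED_PKG) + "\n").encode("ascii")

if __name__ == "__main__":
    print(package_ok(GOOD_INDEX, "example-pkg", ALTERED_PKG))
    print(package_ok(ALTERED_INDEX, "example-pkg", ALTERED_PKG))
    print(install_decision(ALTERED_INDEX, PINNED, "example-pkg", ALTERED_PKG))
    print(install_decision(GOOD_INDEX, PINNED, "example-pkg", GOOD_PKG))
```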