On Fri, 30 Nov 2001, Steve Youngs wrote:
I've got this working, but I'm wondering if we really need it
It would be nice to have, but it's probably not *necessary*.
I mean, as far as I can tell, this part of the XEmacs Package System
has never worked, and it was introduced in 1998. Obviously it was
never seen as important enough to do anything about.
I was under the impression that it was being fixed by the maintainer of
the package system, actually, though I can't think /why/ I "knew" this
to be the case. ;)
Do the package-index files need to be PGP signed? Does anyone know
what the reasoning was behind the idea in the first place?
Confidence in distribution. Since Emacs Lisp can run is the context of a
user, including root, it's a security risk to just drag any old Lisp of
the 'net and run it.
PGP signing the package index means that the MD5 in there is very hard
to spoof for an attacker, which means, in turn, that the package system
will legitimately bitch when a modified package is downloaded.
So, what would you like me to do; fix the PGP code and tell everyone
to stop whining and upgrade, or get rid of the PGP code in the
package tools altogether?
A stupid man's report of what a clever man says can never be accurate, because
he unconsciously translates what he hears into something he can understand.
-- Bertrand Russell