[asdf-install-devel] Re: [cclan-list] ASDF-Install patch to allow installation of unsigned packages

Todd tsabin at optonline.net
Thu May 24 15:23:20 UTC 2007


Gary King <gwking at metabang.com> writes:

> The following patch splits download-files-for-package into download- 
> source-for-package and download-signature-for-package; alters install  
> and verify-gpg-signature so that the latter now calls download- 
> signature-for-package. Added a restart-case in download-signature-for- 
> package so that we can still install unsigned packages.'
>
> I'd like to push this out sometime this week unless someone sees a  
> problem...

I don't claim to be an expert on asdf-install, but this (allowing
installation of unsigned packages) seems directly counter to the spirit of it.
Quoting from its cliki page:

   Because cCLan download links can be edited by anyone, we require
   that all packages are accompanied by detached PGP signatures.

It doesn't try to force everyone to build up a web of trust, etc., so
it allows you to install if something goes wrong verifying the
signature, but that's different from allowing people to publish
packages without signing them at all.  If you permit the latter, then
you make things much harder for those who _do_ want to verify
signatures.

I looked at the mailing list archive, and it looks like this idea
started because someone tried to install the MD5 package, but the
signature was missing, and the install failed.  That was as it should
have been (in my view), and the proper way to address that is to email
the author/publisher and ask them to sign it.  I've done that, and the
signature is now there.

I suggest reverting the prior changes, and again requiring signatures
to be present for packages to be "properly published", as seems to be
the original intent.

-- 
Todd Sabin                                          <tsabin at optonline.net>
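The distinction Todd draws above, between a signature that fails to verify (which asdf-install lets the user override via a restart) and a package that was never signed at all, is easy to blur in an installer's download path. The following is an added example, not asdf-install's code or anything from the thread; it models that policy in Go with Ed25519 detached signatures from the standard library standing in for detached PGP signatures, and the names `Verdict`, `Package`, `Keyring`, `SignPackage`, `VerifyDetached` and `ShouldInstall` are all assumed for illustration. The verifier checks the signature against the downloaded bytes before consulting the keyring, so an unknown signer and a tampered archive are reported separately, and only the unknown-signer case can be overridden.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Verdict is the outcome of checking a package's detached signature. Missing
// (publisher never signed) is deliberately distinct from Untrusted (signed,
// but the user has not imported the signer's key).
type Verdict int

const (
	VerdictMissing   Verdict = iota // publisher shipped no detached signature
	VerdictInvalid                  // signature present but does not cover these bytes
	VerdictUntrusted                // signature valid, signer's key not in the keyring
	VerdictOK                       // signature valid and signer trusted
)

func (v Verdict) String() string {
	return [...]string{"missing", "invalid", "untrusted", "ok"}[v]
}

// Package is a downloaded source archive plus, optionally, its detached
// signature. PGP carries a key id inside the signature; as a simplification
// this model carries the signer's public key alongside it.
type Package struct {
	Name      string
	Source    []byte
	Signature []byte            // nil when the publisher did not sign
	SignerKey ed25519.PublicKey // key the signature claims to come from
}

// Keyring holds the public keys the installer trusts, indexed by raw key bytes.
type Keyring map[string]ed25519.PublicKey

// SignPackage stands in for the publisher: fresh key, detached signature over the bytes.
func SignPackage(name string, source []byte) (Package, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Package{}, err
	}
	return Package{Name: name, Source: source, Signature: ed25519.Sign(priv, source), SignerKey: pub}, nil
}

// VerifyDetached checks the signature against the bytes before consulting the
// keyring, so a tampered archive is never reported as merely "untrusted".
func VerifyDetached(pkg Package, trusted Keyring) Verdict {
	if len(pkg.Signature) == 0 {
		return VerdictMissing
	}
	// ed25519.Verify panics on a malformed key, so guard the length first.
	if len(pkg.SignerKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(pkg.SignerKey, pkg.Source, pkg.Signature) {
		return VerdictInvalid
	}
	if _, ok := trusted[string(pkg.SignerKey)]; !ok {
		return VerdictUntrusted
	}
	return VerdictOK
}

// ShouldInstall applies the policy described in the thread: an unknown signer
// may be overridden by the user (the role of the restart); an absent or
// non-matching signature may not.
func ShouldInstall(v Verdict, userOverride bool) (bool, error) {
	switch v {
	case VerdictOK:
		return true, nil
	case VerdictUntrusted:
		if userOverride {
			return true, nil
		}
		return false, errors.New("signer key not in keyring; explicit override required")
	case VerdictInvalid:
		return false, errors.New("signature does not match the downloaded source")
	default:
		return false, errors.New("no detached signature published; ask the publisher to sign")
	}
}

func main() {
	// Constructed sample archive for a package named "md5".
	pkg, err := SignPackage("md5", []byte("constructed tar.gz bytes for md5"))
	if err != nil {
		panic(err)
	}
	trusted := Keyring{} // the publisher's key has not been imported yet
	v := VerifyDetached(pkg, trusted)
	ok, err := ShouldInstall(v, false)
	fmt.Printf("signed, unknown key:    verdict=%s install=%v err=%v\n", v, ok, err)
	unsigned := Package{Name: pkg.Name, Source: pkg.Source}
	v = VerifyDetached(unsigned, trusted)
	ok, err = ShouldInstall(v, true)
	fmt.Printf("unsigned, override set: verdict=%s install=%v err=%v\n", v, ok, err)
}
```

The ordering in `VerifyDetached` matters: if the keyring were consulted first, a tampered archive signed by an unknown key would surface as the overridable "untrusted" case rather than as a hard failure, which is exactly the kind of weakening the thread warns against.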
