[asdf-install-devel] Re: [cclan-list] ASDF-Install patch to allow installation of unsigned packages

Todd tsabin at optonline.net
Thu May 24 19:54:22 UTC 2007


"Tim Daly, Jr." <tim at tenkan.org> writes:

> Hi Gary,
>
> I'd just like to add my small voice to the chorus:
>
> On May 24, 2007, at 10:40 AM, Gary King wrote:
>>
>> I see your point regarding requiring a license file but I'm not sure
>> that I agree because ASDF-Install already has several "loopholes":
>>
>> * you can set *verify-gpg-signatures* to nil or to a list of trusted
>> locations
>> * you can choose a restart around an invalid or untrusted signature
>
> It seems to me that these are choices made by the person installing a
> package, whereas making a package without a signature is a choice
> made by the person providing the package.  I'm okay with opting out
> of the signature verification on my end if it's expedient, but I'm
> not really down with a potential proliferation of unsigned packages.
> In my world, an unsigned package should not be called ASDF-INSTALLable.

Yes, this, particularly the last statement, is the crux of what I was
trying to say.  It seems that other people have gotten the (I think)
mistaken impression that the patch makes it so that any unsigned
package will be installed, whether the user wanted to verify
signatures, or not.  That would be truly awful, but isn't the case, I
think (though I haven't looked in detail).  What I'm talking about is
trivial in comparison, but still worth thinking about, IMHO.

The intent of the patch is to not require a signature to be present,
_if_ you've told asdf-install that you don't care about validating
signatures.  That is in some ways consistent, but it has an effect on
the ecosystem that develops around asdf-install.

If asdf-install doesn't require all packages to have signatures, you
can end up with a fragmented state where you have some packages that
can only be installed by users who don't care about signatures.  On
the other hand, if it requires signatures to be present regardless of
user preference, that won't happen.

The question is about what minimum standards asdf-install should
require of publishers, and how to go about enforcing it.

I guess I just thought it was kind of sad that the first time someone
forgot to publish a signature for a package, the code was changed to
allow it, instead of just shooting the person an email.

-- 
Todd Sabin                                          <tsabin at optonline.net>
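The policy choice discussed in this message, written out as an added Common Lisp sketch that is not ASDF-Install's own code: *verify-gpg-signatures* (T, NIL, or a list of trusted locations) and the restart around a bad signature are the mechanisms the thread names; the *require-signature-present* switch, the install-decision function, the URL-prefix reading of the trusted list and the sample package table are assumptions made for this example.

```lisp
;;; Added illustration, not ASDF-Install's own code.  Assumed for this
;;; example: *REQUIRE-SIGNATURE-PRESENT*, INSTALL-DECISION, the sample
;;; package table and the URL-prefix reading of a trusted-location list.

(defparameter *verify-gpg-signatures* t
  "Installer-side preference: T verifies every signature, NIL skips
verification, and a list names URL prefixes that are trusted without it.")

(defparameter *require-signature-present* t
  "Publisher-side standard: when T, a package with no signature is
rejected before any installer preference is consulted.")

;; Constructed sample ecosystem: (name url signed-p signature-valid-p).
(defparameter *packages*
  '(("alpha" "http://example.org/alpha.tar.gz"     t   t)
    ("beta"  "http://example.org/beta.tar.gz"      nil nil)
    ("gamma" "http://trusted.example/gamma.tar.gz" nil nil)
    ("delta" "http://example.org/delta.tar.gz"     t   nil)))

(defun trusted-location-p (url)
  "True when *VERIFY-GPG-SIGNATURES* is a list and one entry prefixes URL."
  (and (listp *verify-gpg-signatures*)
       (some (lambda (prefix)
               (and (<= (length prefix) (length url))
                    (string= prefix url :end2 (length prefix))))
             *verify-gpg-signatures*)))

(defun install-decision (name url signed-p signature-valid-p)
  "Return :INSTALL, :INSTALL-DESPITE-SIGNATURE, or a keyword naming the
reason installation stops."
  (cond
    ;; Publisher requirement, enforced whatever the user chose.
    ((and *require-signature-present* (not signed-p))
     :rejected-no-signature)
    ;; Installer preference: verification switched off ...
    ((null *verify-gpg-signatures*) :install)
    ;; ... or the package comes from a listed trusted location.
    ((trusted-location-p url) :install)
    ;; Verification wanted.  A missing signature only reaches this point
    ;; when the presence requirement above is switched off.
    ((not signed-p) :rejected-no-signature)
    ;; Invalid or untrusted signature: offer a CONTINUE restart, as the
    ;; thread describes; the caller may take it or let the error stand.
    ((not signature-valid-p)
     (cerror "Install ~a anyway." "Signature for ~a is invalid or untrusted." name)
     :install-despite-signature)
    (t :install)))

(defun installable-packages (&key accept-restart)
  "Names of the sample packages that install under the current dynamic
policy.  ACCEPT-RESTART simulates a user who always chooses the CONTINUE
restart; otherwise a bad signature counts as a rejection."
  (loop for (name url signed-p valid-p) in *packages*
        for decision
          = (if accept-restart
                (handler-bind ((error (lambda (c)
                                        (declare (ignore c))
                                        (invoke-restart 'continue))))
                  (install-decision name url signed-p valid-p))
                (handler-case (install-decision name url signed-p valid-p)
                  (error () :rejected-bad-signature)))
        when (member decision '(:install :install-despite-signature))
          collect name))

(defun report (label)
  "Print the installable set for each of the three user preferences."
  (format t "~a~%  verify=T        ~a~%  verify=NIL      ~a~%  verify=trusted  ~a~%"
          label
          (let ((*verify-gpg-signatures* t)) (installable-packages))
          (let ((*verify-gpg-signatures* nil)) (installable-packages))
          (let ((*verify-gpg-signatures* '("http://trusted.example/")))
            (installable-packages))))

;; Patch behaviour: presence is not a publisher requirement, so the
;; unsigned "beta" and "gamma" install for opt-out users only, and the
;; installable set depends on each user's verification preference.
(let ((*require-signature-present* nil))
  (report "presence optional:"))

;; Presence always required: "beta" and "gamma" are rejected under every
;; user setting, so no package exists that only opt-out users can install.
;; The remaining variation concerns "delta", whose signature exists but is
;; bad, and that is the installer's own choice (opt out, or take the restart).
(let ((*require-signature-present* t))
  (report "presence required:"))
```

The ordering of the cond clauses is the whole point: the presence check sits before any consultation of *verify-gpg-signatures*, so it is a standard imposed on publishers, while the opt-out and the restart stay choices the installer makes about signatures that do exist.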
