Re: Security issues in Emacs packages

2020-11-26 Thread Greg Minshall
Tim,

> At the end of the day, this is essentially a supply chain problem. To
> really have confidence, you need confidence in the whole supply chain,
> not just the distribution centre.

that makes sense. thanks.

Greg

Re: Security issues in Emacs packages

2020-11-26 Thread Jean Louis
* Tim Cross [2020-11-27 01:21]:
>
> Greg Minshall writes:
>
> > Tim,
> >
> >> It could, but to get that level of assurance, you not only have to
> >> verify the signature is valid (something which is automated if
> >> enabled), you also need to verify that both packages have the exact
> >> same

Re: Security issues in Emacs packages

2020-11-26 Thread Tim Cross
Greg Minshall writes:

> Tim,
>
>> It could, but to get that level of assurance, you not only have to
>> verify the signature is valid (something which is automated if
>> enabled), you also need to verify that both packages have the exact
>> same signature, which is pretty much a manual process.

Re: Security issues in Emacs packages

2020-11-26 Thread Greg Minshall
Tim,

> It could, but to get that level of assurance, you not only have to
> verify the signature is valid (something which is automated if
> enabled), you also need to verify that both packages have the exact
> same signature, which is pretty much a manual process. So in addition
> to telling you

Re: Security issues in Emacs packages

2020-11-26 Thread Jean Louis
* Greg Minshall [2020-11-26 08:29]:
> Tim,
>
> > I think you missed my point. There is no benefit in MELPA adopting
> > signed packages because there is no formal code review and no vetting
> > of the individuals who submit the code.
>
> it occurs to me there might be one benefit: if George, who

Re: Security issues in Emacs packages

2020-11-25 Thread Tim Cross
Jean Louis writes:

> * Tim Cross [2020-11-26 02:40]:
>> > OK it is great that it is so. Are you maybe author doing it? Is there
>> > any reference that authors are doing so? I have MELPA downloaded you
>> > could tell me how do I see that author is deciding if package is for
>> > release?
>> >

Re: Security issues in Emacs packages

2020-11-25 Thread Tim Cross
Greg Minshall writes:

> Tim,
>
>> I think you missed my point. There is no benefit in MELPA adopting
>> signed packages because there is no formal code review and no vetting
>> of the individuals who submit the code.
>
> it occurs to me there might be one benefit: if George, whom you trust,
> s

Re: Security issues in Emacs packages

2020-11-25 Thread Greg Minshall
Tim,

> I think you missed my point. There is no benefit in MELPA adopting
> signed packages because there is no formal code review and no vetting
> of the individuals who submit the code.

it occurs to me there might be one benefit: if George, whom you trust, says, "I've been running version 1.2.3

Re: Security issues in Emacs packages

2020-11-25 Thread Jean Louis
* Tim Cross [2020-11-26 02:40]:
> > OK it is great that it is so. Are you maybe author doing it? Is there
> > any reference that authors are doing so? I have MELPA downloaded you
> > could tell me how do I see that author is deciding if package is for
> > release?
> >
>
> You can clone the melpa

Re: Security issues in Emacs packages

2020-11-25 Thread Tim Cross
Jean Louis writes:

>>
>> this is wrong. In melpa you specify either a commit (SHA) or a branch or
>> both. The repository owner has control over this. MELPA doesn't just
>> pull data from the repository because there has been an update. You can
>> configure things so that whenever data is commi

Re: Security issues in Emacs packages

2020-11-25 Thread Jean Louis
* Tim Cross [2020-11-26 01:47]:
> I think you missed my point. There is no benefit in MELPA adopting
> signed packages because there is no formal code review and no vetting of
> the individuals who submit the code.

Do you think it is really their reason? Or maybe you are developer in MELPA? Ther

Re: Security issues in Emacs packages

2020-11-25 Thread Tim Cross
Jean Louis writes:

> * Tim Cross [2020-11-25 10:01]:
>>
>> Jean Louis writes:
>>
>> > * Tim Cross [2020-11-24 23:40]:
>> >> If people are really concerned about security, they should look first at
>> >> their use of repositories like MELPA. There is no formal review or
>> >> analysis of pack

Re: Security issues in Emacs packages

2020-11-25 Thread tomas
On Wed, Nov 25, 2020 at 12:26:11PM +0300, Jean Louis wrote:
> * to...@tuxteam.de [2020-11-25 12:08]:
> > On Wed, Nov 25, 2020 at 11:23:27AM +0300, Jean Louis wrote:
> >
> > [...]
> >
> > > [...] and not from Chinese distributor [...]
> >
> > I think this was an unnecessary slur.
>
> Why, there

Re: Security issues in Emacs packages

2020-11-25 Thread Jean Louis
* to...@tuxteam.de [2020-11-25 12:08]:
> On Wed, Nov 25, 2020 at 11:23:27AM +0300, Jean Louis wrote:
>
> [...]
>
> > [...] and not from Chinese distributor [...]
>
> I think this was an unnecessary slur.

Why, there is a legitimate mirror in China. I did not mean anything wrong with it. I hope no

Re: Security issues in Emacs packages

2020-11-25 Thread tomas
On Wed, Nov 25, 2020 at 11:23:27AM +0300, Jean Louis wrote:

[...]

> [...] and not from Chinese distributor [...]

I think this was an unnecessary slur.

Cheers
- t

Security issues in Emacs packages

2020-11-25 Thread Jean Louis
* Tim Cross [2020-11-25 10:01]:
>
> Jean Louis writes:
>
> > * Tim Cross [2020-11-24 23:40]:
> >> If people are really concerned about security, they should look first at
> >> their use of repositories like MELPA. There is no formal review or
> >> analysis of packages in these repositories, ye