From: Glenn Morris
Newsgroups: gmane.emacs.bugs
Subject: bug#32544: [ELPA] core packages need generated files
Date: Mon, 27 Aug 2018 19:31:07 -0400
Message-ID: <4dh8jfo090.fsf@fencepost.gnu.org>
References: <87mut797fd.fsf@gmx.de>
To: Stefan Monnier
Cc: 32544@debbugs.gnu.org, Michael Albinus

Stefan Monnier wrote:

> The main issue is to make it possible to build those files on
> elpa.gnu.org without too many security risks.
>
> I planned to do that by running "make" inside an LXC container, but my
> attempts to make a lightweight LXC container on elpa.gnu.org failed
> so far.

Is the concern privilege escalation in build recipes in malicious elpa
packages? But couldn't the same package run the same bad code at package
install time on the end user's machine, today and for as long as
elpa.gnu.org has existed? I.e., if we assume malicious code can get into
elpa packages with no-one noticing, the whole system is already broken
anyway?

So would it be good enough in practice to avoid accidental damage by
running make as a dedicated elpa-build user with no special privs?

But if you want to make the elpa system more secure one piece at a time,
that's obviously no bad thing.
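
The dedicated-user approach suggested in this message, sketched as a wrapper script (an added example, not part of the original message or of the elpa.gnu.org build scripts). Only the `elpa-build` account name comes from the message; the function names, the privileged-group list, the limits and the use of `sudo` are assumptions.

```sh
#!/bin/sh
# Added example: run a package's "make" as a dedicated unprivileged account.
# BUILD_USER is the name used in the message; everything else is assumed.
BUILD_USER="elpa-build"
PRIV_GROUPS="root sudo wheel adm disk docker lxd"   # assumed list, adjust per host

# account_problem UID "GROUP NAMES": print why the account is unsuitable for
# untrusted builds and return 1, or print nothing and return 0.
account_problem() {
    local uid="$1" groups="$2" g p
    if [ "$uid" -eq 0 ]; then
        echo "uid 0"
        return 1
    fi
    for g in $groups; do
        for p in $PRIV_GROUPS; do
            if [ "$g" = "$p" ]; then
                echo "member of $g"
                return 1
            fi
        done
    done
    return 0
}

# run_build DIR: verify the account first, then run make in DIR as BUILD_USER
# with an empty environment (no inherited credentials or tokens), a CPU-time
# limit and a wall-clock timeout.
run_build() {
    local dir="$1" uid groups why
    uid=$(id -u "$BUILD_USER") || return 2
    groups=$(id -Gn "$BUILD_USER") || return 2
    if ! why=$(account_problem "$uid" "$groups"); then
        echo "refusing to build as $BUILD_USER: $why" >&2
        return 3
    fi
    sudo -u "$BUILD_USER" env -i PATH=/usr/bin:/bin \
        sh -c 'ulimit -t 600; cd "$1" && exec timeout 1800 make' sh "$dir"
}

# Only build when asked to, so the functions can be sourced and checked alone.
if [ "${1:-}" = "--build" ]; then run_build "$2"; fi
```

This limits what a build recipe can touch on the build host to what the `elpa-build` account itself can reach; it does nothing about code that runs at install time on the user's machine, which is the other half of the question raised above.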