From: Daniel Mendler
Newsgroups: gmane.emacs.bugs
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Sat, 04 Feb 2023 19:19:06 +0100
Message-ID: <87pmapqoo5.fsf@daniel-mendler.de>
To: 61277@debbugs.gnu.org
Cc: yantar92@posteo.net, stefan@marxist.se, monnier@iro.umontreal.ca
Xref: news.gmane.io gmane.emacs.bugs:254790

As discussed on emacs-devel it would be good if ELPA security could be
improved, preventing potential breaches on the side of the source
repository. This feature becomes more relevant the more packages are
:auto-sync'ed from their source repository.

My git commits are usually signed, so one could check the signature of
each commit which leads to a package build. This feature could be opt-in
for now, enabled via an attribute :signature in the elpa-packages
configuration. Maybe elpa-packages could store the fingerprint(s) of the
expected GPG key(s)?

In the case of a breach, both the SSH and GPG keys may be stolen, which
would allow an attacker to create commits on hosted repositories, such
that the mechanism would not help. However, the source repository may
also get compromised via other vectors.

https://lists.gnu.org/archive/html/emacs-devel/2023-02/msg00120.html
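The gate the report proposes, as an added example (not code from the ELPA build tooling or from the reporter): read the signature status and the signing key's primary fingerprint for the exact commit a build would use, and accept the build only if the signature is good and that fingerprint is on the package's allow-list. The `:signature` attribute name comes from the report; the record layout, the function names and the sample commit records are assumptions made here. The important detail it shows is that `git verify-commit` succeeding is not enough: it proves the signature is valid for *some* key in the keyring, not that it is the key expected for this package.

```python
"""Signed-commit gate for a git-sourced package build (added example).

Policy: build a commit only if git reports a GOOD signature and the primary
fingerprint of the signing key is on the per-package allow-list (the
hypothetical :signature attribute proposed in the report).
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable

# git's %G? status codes, as documented in git-log(1) "PRETTY FORMATS".
_STATUS_MEANING = {
    "G": "good signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "B": "bad signature",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}

# "U" is accepted alongside "G": the allow-list, not GPG's web-of-trust
# validity of the key, is the source of truth for who may sign this package.
_ACCEPTED_STATUS = {"G", "U"}

# Format handed to git: hash, status, primary-key fingerprint, signer name,
# NUL-separated so that signer names containing spaces do not break parsing.
GIT_FORMAT = "%H%x00%G?%x00%GP%x00%GS"


@dataclass(frozen=True)
class Verdict:
    commit: str
    ok: bool
    reason: str


def normalize_fpr(fpr: str) -> str:
    """Upper-case hex without spaces, so a fingerprint copied with the
    usual 4-digit grouping compares equal to git's unspaced output."""
    return "".join(fpr.split()).upper()


def evaluate(record: str, allowed_fingerprints: Iterable[str]) -> Verdict:
    """Decide on one record of the shape '<hash>\\0<%G?>\\0<%GP>\\0<%GS>\\n'."""
    fields = record.rstrip("\n").split("\0")
    if len(fields) != 4:
        return Verdict(commit="?", ok=False, reason=f"malformed git record: {record!r}")
    commit, status, primary_fpr, signer = fields
    allowed = {normalize_fpr(f) for f in allowed_fingerprints}
    if not allowed:
        # Fail closed: an opted-in package with no keys configured builds nothing.
        return Verdict(commit, False, "no :signature fingerprints configured for this package")
    if status not in _ACCEPTED_STATUS:
        return Verdict(commit, False, _STATUS_MEANING.get(status, f"unknown status {status!r}"))
    if normalize_fpr(primary_fpr) not in allowed:
        return Verdict(commit, False, f"signed by unexpected key {primary_fpr} ({signer})")
    return Verdict(commit, True, f"signed by allowed key {primary_fpr} ({signer})")


def git_signature_record(repo: str, rev: str) -> str:
    """Ask git for the record evaluate() expects. Assumes the build host's
    GPG keyring already contains the maintainer's public key, otherwise
    git reports status 'E' and the build is (correctly) refused."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "-1", f"--format={GIT_FORMAT}", rev],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


def may_build(repo: str, rev: str, allowed_fingerprints: Iterable[str]) -> Verdict:
    """Gate for the build step: pass the resolved commit hash, not a branch name."""
    return evaluate(git_signature_record(repo, rev), allowed_fingerprints)


# Constructed sample records in the shape git emits for GIT_FORMAT above;
# hashes, fingerprints and names are made up for this example.
ALLOWED = ["AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333"]
SAMPLE_GOOD = "1" * 40 + "\0G\0AAAABBBBCCCCDDDDEEEEFFFF0000111122223333\0Dana Example <dana@example.org>\n"
SAMPLE_OTHER_KEY = "2" * 40 + "\0G\0" + "9" * 40 + "\0Mallory <mallory@example.org>\n"
SAMPLE_UNSIGNED = "3" * 40 + "\0N\0\0\n"
SAMPLE_MISSING_KEY = "4" * 40 + "\0E\0\0\n"

if __name__ == "__main__":
    for rec in (SAMPLE_GOOD, SAMPLE_OTHER_KEY, SAMPLE_UNSIGNED, SAMPLE_MISSING_KEY):
        v = evaluate(rec, ALLOWED)
        print(f"{v.commit[:12]} {'BUILD' if v.ok else 'REFUSE'}: {v.reason}")
```

Two points worth keeping in mind when wiring this into a build. First, `evaluate` is run on the commit hash that is actually checked out for the build, so a branch that moves between the check and the checkout cannot slip an unsigned commit in. Second, the check narrows *who* can trigger a build to holders of the listed keys; as the report says, it does nothing once the signing key itself is stolen together with the repository credentials, so it complements, rather than replaces, protecting the maintainer's key.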