From: Stefan Kangas
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Package manager vulnerable
Date: Mon, 7 Sep 2020 11:11:08 -0700
To: Noam Postavsky
Cc: 19479@debbugs.gnu.org

Noam Postavsky writes:

> Stefan Kangas writes:
>
>>> Is this a function (rather than a variable) just so it can be in the
>>> same cl-flet* as do-check?
>>
>> I'm not sure I understand; it should be a function instead of a variable
>> because there is logic in there to match `(secure-hash-algorithms)'
>> against `(package-desc-checksums pkg-desc)' and signal an error.
>
> Ah, I think I had forgotten about/was confused by cl-flet's (FUNC (lambda
> ARGLIST ...)) syntax when I wrote that.  Although I suppose you could
> make it a plain variable by moving it inside do-check's lambda (not sure
> if that's an improvement)?

Sure, you could do that.  I guess it's mostly down to style, but I
personally feel like that change would make the code a little bit harder
to read here.
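
The two cl-flet* binding forms discussed above, shown in an added Emacs Lisp example that is not the patch from this bug and not code from either participant. `my-checksums` stands in for the patch's `(package-desc-checksums pkg-desc)`; every `my-` name, the preferred-algorithm list and the sample data are assumptions made for illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; not the patch under review in bug#19479.
;; MY-CHECKSUMS is assumed to be an alist of (ALGORITHM . HEX-DIGEST).
(require 'cl-lib)

(defconst my-preferred-algorithms '(sha512 sha256)
  "Acceptable algorithms, strongest first (constructed policy, an assumption).")

(defun my-verify-content (content my-checksums)
  "Return the algorithm used if CONTENT matches MY-CHECKSUMS, else signal."
  (cl-flet*
      ;; (FUNC ARGLIST BODY...) form: the lookup runs, and can signal,
      ;; only when the function is called.
      ((pick-algorithm
        ()
        (or (cl-find-if (lambda (alg)
                          (and (memq alg (secure-hash-algorithms))
                               (assq alg my-checksums)))
                        my-preferred-algorithms)
            (error "No usable checksum algorithm in %S"
                   (mapcar #'car my-checksums))))
       ;; (FUNC EXP) form: EXP is any expression that yields a function.
       (do-check
        (lambda (alg)
          (let ((expected (cdr (assq alg my-checksums)))
                (actual (secure-hash alg content)))
            (unless (string= (downcase expected) actual)
              (error "Checksum mismatch (%s)" alg))
            alg))))
    (do-check (pick-algorithm))))

;; Constructed sample data.
(let* ((content "(define-package \"demo\" \"1.0\")")
       (good `((md5 . "ignored-weak-entry")
               (sha256 . ,(secure-hash 'sha256 content)))))
  (message "verified with %s" (my-verify-content content good))
  ;; Only a non-preferred algorithm is offered: signal an error
  ;; instead of silently skipping verification.
  (condition-case err
      (my-verify-content content '((md5 . "d41d8cd98f00b204e9800998ecf8427e")))
    (error (message "rejected: %s" (error-message-string err)))))
```

Moving the algorithm lookup inside `do-check`'s lambda as a plain `let` variable would behave the same; keeping it as a separate local function only separates the "no usable algorithm" failure from the "digest mismatch" failure.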