From: Stefan Kangas
Newsgroups: gmane.emacs.bugs
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Sun, 12 Feb 2023 06:37:01 +0000
References: <87pmapqoo5.fsf@daniel-mendler.de>
To: rms@gnu.org, Daniel Mendler
Cc: 61277@debbugs.gnu.org, yantar92@posteo.net, monnier@iro.umontreal.ca
Xref: news.gmane.io gmane.emacs.bugs:255380

Richard Stallman writes:

>   > In the case of a breach,
>
> Breach of precisely what?  To think about this issue
> requires an answer to that question.

The idea is that the likelihood of both an SSH and a PGP key getting
stolen at the same time is lower than either one of them getting stolen
separately.

>   > both the SSH and GPG keys may be stolen, which
>   > would allow an attacker to create commits on hosted repositories, such
>   > that the mechanism would not help.
>
> Is this a problem that has a solution?
Yes, for example you could put your PGP key (usually a subkey) on a
smartcard, and have no copy on the local filesystem.  PGP keys usually
also have an additional password, in addition to the one that developers
normally (we hope) use for their SSH key.
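As an added illustration of the build gate this feature request asks for (example code written for this note, not part of the thread and not code from elpa-admin or GNU ELPA), the following Python checks the commits that would go into a package build. It consumes the output of `git log --format='%H %G? %GF'`, where `%G?` is git's signature-status letter and `%GF` the fingerprint of the signing key, and refuses the build unless every commit carries a good signature from a fingerprint on an explicit allowlist. The allowlist, the repository path and the sample log lines are constructed assumptions; `git_signature_lines` is only a convenience wrapper for producing real input on a host that has git and gpg.

```python
"""Build gate: allow a package build only when every commit in the range to be
built has a good signature from an allowlisted key fingerprint.

Input lines have the shape produced by:
    git log --format='%H %G? %GF' <base>..<head>
Using an explicit fingerprint allowlist (rather than "any signature gpg calls
good") keeps the decision independent of the build host's gpg trust database.
"""
from __future__ import annotations

import subprocess
from typing import Iterable

# Meaning of git's %G? status letters (see git-log(1), "PRETTY FORMATS").
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. key missing on build host)",
    "N": "no signature",
}

# Constructed sample: four fake commits in the range to be built.
# Commit 1: good signature, allowlisted key  -> fine
# Commit 2: unsigned                         -> blocks the build
# Commit 3: good signature, unknown key      -> blocks the build
# Commit 4: signature could not be verified  -> blocks the build
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 G 0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF
4444444444444444444444444444444444444444 E AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
""".splitlines()

# Constructed allowlist: fingerprints of keys the maintainer is allowed to sign with.
ALLOWED_FPRS = {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"}


def check_commits(lines: Iterable[str], allowed_fprs: set[str]) -> list[str]:
    """Return one problem string per offending commit; an empty list means 'safe to build'."""
    problems: list[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        commit, status = parts[0], parts[1]
        # %GF is empty for unsigned commits, so the third field may be missing.
        fpr = parts[2].upper() if len(parts) > 2 else ""
        if status != "G":
            # Anything but a plain good signature is rejected, including "U"
            # (unknown validity) and "E" (key not available to verify).
            problems.append(f"{commit[:12]}: {STATUS.get(status, 'unknown status ' + status)}")
        elif fpr not in allowed_fprs:
            problems.append(f"{commit[:12]}: signed by non-allowlisted key {fpr or '<none>'}")
    return problems


def signed_by_allowed_keys(lines: Iterable[str], allowed_fprs: set[str]) -> bool:
    """True when the whole range passes the gate."""
    return not check_commits(lines, allowed_fprs)


def git_signature_lines(repo: str, rev_range: str) -> list[str]:
    """Produce real input for check_commits from a local clone (needs git and gpg)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=%H %G? %GF", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.splitlines()


if __name__ == "__main__":
    for problem in check_commits(SAMPLE_LOG, ALLOWED_FPRS):
        print("REFUSED:", problem)
    print("build allowed:", signed_by_allowed_keys(SAMPLE_LOG, ALLOWED_FPRS))
```

Note that a plain `%G?` check still depends on the build host having the maintainers' public keys; the status `E` above is exactly the "key missing" case, and the gate treats it as a refusal rather than silently passing. The allowlist is what ties the check to the key the maintainer keeps on the smartcard, so a valid signature from any other key, even one gpg happens to trust, does not unlock a build.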